Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWdxZ3YtNmpxNS1qamo5
Prototype Pollution Protection Bypass in qs
Affected version of qs are vulnerable to Prototype Pollution because it is possible to bypass the protection. The qs.parse function fails to properly prevent an object's prototype to be altered when parsing arbitrary input. Input containing [ or ] may bypass the prototype pollution protection and alter the Object prototype. This allows attackers to override properties that will exist in all objects, which may lead to Denial of Service or Remote Code Execution in specific circumstances.
Recommendation
Upgrade to 6.0.4, 6.1.2, 6.2.3, 6.3.2 or later.
Permalink: https://github.com/advisories/GHSA-gqgv-6jq5-jjj9JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWdxZ3YtNmpxNS1qamo5
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 4 years ago
Updated: over 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-gqgv-6jq5-jjj9, CVE-2017-1000048
References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-1000048
- https://github.com/ljharb/qs/issues/200
- https://github.com/ljharb/qs/commit/beade029171b8cef9cee0d03ebe577e2dd84976d
- https://access.redhat.com/errata/RHSA-2017:2672
- https://snyk.io/vuln/npm:qs:20170213
- https://www.npmjs.com/advisories/1469
- https://github.com/advisories/GHSA-gqgv-6jq5-jjj9
Blast Radius: 47.4
Affected Packages
npm:qs
Dependent packages: 15,944Dependent repositories: 2,110,964
Downloads: 296,275,570 last month
Affected Version Ranges: >= 6.3.0, < 6.3.2, >= 6.2.0, < 6.2.3, >= 6.1.0, < 6.1.2, < 6.0.4
Fixed in: 6.3.2, 6.2.3, 6.1.2, 6.0.4
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.1.0, 0.2.0, 0.3.0, 0.3.1, 0.3.2, 0.4.0, 0.4.1, 0.4.2, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.5.6, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.6.6, 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.2.0, 1.2.1, 1.2.2, 2.0.0, 2.1.0, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.4.0, 2.4.1, 2.4.2, 3.0.0, 3.1.0, 4.0.0, 5.0.0, 5.1.0, 5.2.0, 5.2.1, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.2.2, 6.3.0, 6.3.1
All unaffected versions: 6.0.4, 6.1.2, 6.2.3, 6.2.4, 6.3.2, 6.3.3, 6.4.0, 6.4.1, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.6.0, 6.6.1, 6.7.0, 6.7.1, 6.7.2, 6.7.3, 6.8.0, 6.8.1, 6.8.2, 6.8.3, 6.9.0, 6.9.1, 6.9.2, 6.9.3, 6.9.4, 6.9.5, 6.9.6, 6.9.7, 6.10.0, 6.10.1, 6.10.2, 6.10.3, 6.10.4, 6.10.5, 6.11.0, 6.11.1, 6.11.2, 6.12.0, 6.12.1