[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2022-24999":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-05T08:55:32.481Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":93,"aliases":103,"duplicate_of":9,"upstream":105,"downstream":106,"duplicates":125,"related":126,"reserved_at":9,"published_at":128,"modified_at":129,"state":130,"summary":131,"references_raw":139,"kevs":218,"epss":219,"epss_history":222,"metrics":493,"affected":503},"CVE-2022-24999","qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has \"deps: qs@6.9.7\" in its release description, is not vulnerable).",null,[11],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":9,"capec":18},"CWE-1321","Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')","The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.","weakness","Incomplete","Variant",[19,67,89],{"id":20,"name":21,"techniques":22},"CAPEC-1","Accessing Functionality Not Properly Constrained by ACLs",[23],{"id":24,"name":25,"tactics":26,"countermeasures":42},"T1574.010","Services File Permissions Weakness",[27,30,33,36,39],{"id":28,"name":29},"TA0110","Persistence",{"id":31,"name":32},"TA0111","Privilege Escalation",{"id":34,"name":35},"TA0030","Defense 
Evasion",{"id":37,"name":38},"TA0005","Stealth",{"id":40,"name":41},"TA0104","Execution",[43,48,52,57,62],{"id":44,"name":45,"tactic":46},"D3-SWI","Software Inventory",{"name":47},"Model",{"id":49,"name":50,"tactic":51},"D3-AVE","Asset Vulnerability Enumeration",{"name":47},{"id":53,"name":54,"tactic":55},"D3-SBV","Service Binary Verification",{"name":56},"Detect",{"id":58,"name":59,"tactic":60},"D3-SU","Software Update",{"name":61},"Harden",{"id":63,"name":64,"tactic":65},"D3-RS","Restore Software",{"name":66},"Restore",{"id":68,"name":69,"techniques":70},"CAPEC-180","Exploiting Incorrectly Configured Access Control Security Levels",[71],{"id":24,"name":25,"tactics":72,"countermeasures":78},[73,74,75,76,77],{"id":28,"name":29},{"id":31,"name":32},{"id":34,"name":35},{"id":37,"name":38},{"id":40,"name":41},[79,81,83,85,87],{"id":44,"name":45,"tactic":80},{"name":47},{"id":49,"name":50,"tactic":82},{"name":47},{"id":53,"name":54,"tactic":84},{"name":56},{"id":58,"name":59,"tactic":86},{"name":61},{"id":63,"name":64,"tactic":88},{"name":66},{"id":90,"name":91,"techniques":92},"CAPEC-77","Manipulating User-Controlled Variables",[],[94],{"_key":95,"name":96,"source":97,"url":98,"maturity":99,"reliability_score":100,"verified":101,"type":9,"platforms":102,"requires_auth":9,"exploitdb":9,"metasploit":9},"GITHUB_N8TZ_CVE-2022-24999","Cve 2022 
24999","github","https://github.com/n8tz/CVE-2022-24999","poc",0.3,false,[],[104],"GHSA-hrpp-h998-j3pp",[],[107,109,111,113,115,117,119,121,123],{"_key":108},"UBUNTU-CVE-2022-24999",{"_key":110},"USN-7693-1",{"_key":112},"DLA-3299-1",{"_key":114},"MGASA-2023-0053",{"_key":116},"DEBIAN-CVE-2022-24999",{"_key":118},"RHSA-2023:0050",{"_key":120},"RHSA-2023:0612",{"_key":122},"RHSA-2023:1533",{"_key":124},"RHSA-2023:1742",[],[127],{"_key":114},"2022-11-26T00:00:00.000Z","2025-04-29T13:56:42.673Z","Modified",{"cisa_kev":101,"cisa_ransomware":101,"cisa_vendor":9,"epss_severity":132,"epss_score":133,"severity":134,"severity_score":135,"severity_version":136,"severity_source":137,"severity_vector":138,"severity_status":130},"low",0.01543,"high",7.5,"v3.1","cve.org","CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",[140,148,154,159,164,168,173,177,181,185,189,193,197,201,205,209,214],{"url":141,"sources":142,"tags":145},"https://github.com/expressjs/express/releases/tag/4.17.3",[137,143,144],"nvd","osv_npm",[146,147],"Release Notes","WEB",{"url":149,"sources":150,"tags":151},"https://github.com/ljharb/qs/pull/428",[137,143,144],[152,153,147],"Issue Tracking","Patch",{"url":98,"sources":155,"tags":156},[137,143,144],[157,158,147],"Exploit","Third Party Advisory",{"url":160,"sources":161,"tags":162},"https://lists.debian.org/debian-lts-announce/2023/01/msg00039.html",[137,143,144],[163,158,147],"Mailing 
List",{"url":165,"sources":166,"tags":167},"https://security.netapp.com/advisory/ntap-20230908-0005/",[137,143],[],{"url":169,"sources":170,"tags":171},"https://nvd.nist.gov/vuln/detail/CVE-2022-24999",[144],[172],"Advisory",{"url":174,"sources":175,"tags":176},"https://github.com/ljharb/qs/commit/4310742efbd8c03f6495f07906b45213da0a32ec",[144],[147],{"url":178,"sources":179,"tags":180},"https://github.com/ljharb/qs/commit/727ef5d34605108acb3513f72d5435972ed15b68",[144],[147],{"url":182,"sources":183,"tags":184},"https://github.com/ljharb/qs/commit/73205259936317b40f447c5cdb71c5b341848e1b",[144],[147],{"url":186,"sources":187,"tags":188},"https://github.com/ljharb/qs/commit/8b4cc14cda94a5c89341b77e5fe435ec6c41be2d",[144],[147],{"url":190,"sources":191,"tags":192},"https://github.com/ljharb/qs/commit/ba24e74dd17931f825adb52f5633e48293b584e1",[144],[147],{"url":194,"sources":195,"tags":196},"https://github.com/ljharb/qs/commit/e799ba57e573a30c14b67c1889c7c04d508b9105",[144],[147],{"url":198,"sources":199,"tags":200},"https://github.com/ljharb/qs/commit/ed0f5dcbef4b168a8ae299d78b1e4a2e9b1baf1f",[144],[147],{"url":202,"sources":203,"tags":204},"https://github.com/ljharb/qs/commit/f945393cfe442fe8c6e62b4156fd35452c0686ee",[144],[147],{"url":206,"sources":207,"tags":208},"https://github.com/ljharb/qs/commit/fc3682776670524a42e19709ec4a8138d0d7afda",[144],[147],{"url":210,"sources":211,"tags":212},"https://github.com/ljharb/qs",[144],[213],"PACKAGE",{"url":215,"sources":216,"tags":217},"https://security.netapp.com/advisory/ntap-20230908-0005",[144],[147],[],{"date":220,"score":133,"percentile":221},"2026-06-04",0.81708,[223,227,230,233,236,239,242,245,247,250,253,256,259,262,265,269,272,275,278,281,283,286,288,290,294,298,301,304,308,311,314,317,320,323,326,329,331,334,337,340,343,347,350,352,355,358,362,365,368,371,374,377,380,383,386,389,392,395,398,402,405,408,411,413,415,417,420,423,427,431,434,437,440,443,446,448,452,455,458,461,464,467,470,472,475,478,482,484,486,489
],{"date":224,"score":225,"percentile":226},"2025-11-04",0.03115,0.86308,{"date":228,"score":225,"percentile":229},"2025-11-05",0.86312,{"date":231,"score":225,"percentile":232},"2025-11-06",0.8631,{"date":234,"score":225,"percentile":235},"2025-11-07",0.8632,{"date":237,"score":225,"percentile":238},"2025-11-08",0.86323,{"date":240,"score":225,"percentile":241},"2025-11-09",0.86317,{"date":243,"score":225,"percentile":244},"2025-11-10",0.86318,{"date":246,"score":225,"percentile":238},"2025-11-11",{"date":248,"score":225,"percentile":249},"2025-11-12",0.86329,{"date":251,"score":225,"percentile":252},"2025-11-13",0.86335,{"date":254,"score":225,"percentile":255},"2025-11-14",0.86338,{"date":257,"score":225,"percentile":258},"2025-11-15",0.8633,{"date":260,"score":225,"percentile":261},"2025-11-16",0.86331,{"date":263,"score":225,"percentile":264},"2025-11-17",0.86321,{"date":266,"score":267,"percentile":268},"2025-11-18",0.21425,0.9532,{"date":270,"score":267,"percentile":271},"2025-11-19",0.95321,{"date":273,"score":267,"percentile":274},"2025-11-20",0.95324,{"date":276,"score":225,"percentile":277},"2025-11-21",0.86332,{"date":279,"score":225,"percentile":280},"2025-11-22",0.86327,{"date":282,"score":225,"percentile":264},"2025-11-23",{"date":284,"score":225,"percentile":285},"2025-11-24",0.86322,{"date":287,"score":225,"percentile":238},"2025-11-25",{"date":289,"score":225,"percentile":238},"2025-11-26",{"date":291,"score":292,"percentile":293},"2025-11-27",0.03431,0.86988,{"date":295,"score":296,"percentile":297},"2025-11-28",0.02555,0.84969,{"date":299,"score":296,"percentile":300},"2025-11-29",0.85014,{"date":302,"score":296,"percentile":303},"2025-11-30",0.85015,{"date":305,"score":306,"percentile":307},"2025-12-01",0.04303,0.88496,{"date":309,"score":306,"percentile":310},"2025-12-02",0.88497,{"date":312,"score":306,"percentile":313},"2025-12-03",0.88495,{"date":315,"score":296,"percentile":316},"2025-12-04",0.85016,{"date":318,"score":296,"percentile":319}
,"2025-12-05",0.8502,{"date":321,"score":296,"percentile":322},"2025-12-06",0.85018,{"date":324,"score":296,"percentile":325},"2025-12-07",0.85007,{"date":327,"score":296,"percentile":328},"2025-12-08",0.85006,{"date":330,"score":296,"percentile":316},"2025-12-09",{"date":332,"score":296,"percentile":333},"2025-12-10",0.85037,{"date":335,"score":296,"percentile":336},"2025-12-11",0.85042,{"date":338,"score":296,"percentile":339},"2025-12-12",0.85047,{"date":341,"score":296,"percentile":342},"2025-12-13",0.85043,{"date":344,"score":345,"percentile":346},"2025-12-14",0.02954,0.86012,{"date":348,"score":345,"percentile":349},"2025-12-15",0.86005,{"date":351,"score":345,"percentile":346},"2025-12-16",{"date":353,"score":345,"percentile":354},"2025-12-17",0.86018,{"date":356,"score":345,"percentile":357},"2025-12-18",0.86022,{"date":359,"score":360,"percentile":361},"2025-12-19",0.03245,0.86715,{"date":363,"score":360,"percentile":364},"2025-12-20",0.86712,{"date":366,"score":360,"percentile":367},"2025-12-21",0.86714,{"date":369,"score":360,"percentile":370},"2025-12-22",0.86707,{"date":372,"score":360,"percentile":373},"2025-12-23",0.86711,{"date":375,"score":360,"percentile":376},"2025-12-24",0.86721,{"date":378,"score":360,"percentile":379},"2025-12-25",0.86731,{"date":381,"score":360,"percentile":382},"2025-12-26",0.86733,{"date":384,"score":360,"percentile":385},"2025-12-27",0.86776,{"date":387,"score":360,"percentile":388},"2025-12-28",0.86727,{"date":390,"score":360,"percentile":391},"2025-12-29",0.8672,{"date":393,"score":360,"percentile":394},"2025-12-30",0.86726,{"date":396,"score":360,"percentile":397},"2025-12-31",0.86737,{"date":399,"score":400,"percentile":401},"2026-01-01",0.0543,0.89938,{"date":403,"score":400,"percentile":404},"2026-01-02",0.89933,{"date":406,"score":400,"percentile":407},"2026-01-03",0.89932,{"date":409,"score":360,"percentile":410},"2026-01-04",0.86735,{"date":412,"score":360,"percentile":379},"2026-01-05",{"date":414,"score":360,"per
centile":382},"2026-01-06",{"date":416,"score":360,"percentile":410},"2026-01-07",{"date":418,"score":360,"percentile":419},"2026-01-08",0.86742,{"date":421,"score":360,"percentile":422},"2026-01-09",0.86743,{"date":424,"score":425,"percentile":426},"2026-01-10",0.02997,0.86154,{"date":428,"score":429,"percentile":430},"2026-01-11",0.03471,0.87194,{"date":432,"score":429,"percentile":433},"2026-01-12",0.87191,{"date":435,"score":429,"percentile":436},"2026-01-13",0.87189,{"date":438,"score":429,"percentile":439},"2026-01-14",0.87201,{"date":441,"score":429,"percentile":442},"2026-01-15",0.872,{"date":444,"score":429,"percentile":445},"2026-01-16",0.87206,{"date":447,"score":429,"percentile":445},"2026-01-17",{"date":449,"score":450,"percentile":451},"2026-01-18",0.01052,0.77102,{"date":453,"score":450,"percentile":454},"2026-01-19",0.77098,{"date":456,"score":450,"percentile":457},"2026-01-20",0.77092,{"date":459,"score":450,"percentile":460},"2026-01-21",0.77099,{"date":462,"score":450,"percentile":463},"2026-01-22",0.77104,{"date":465,"score":450,"percentile":466},"2026-01-23",0.77136,{"date":468,"score":450,"percentile":469},"2026-01-24",0.77145,{"date":471,"score":450,"percentile":466},"2026-01-25",{"date":473,"score":450,"percentile":474},"2026-01-26",0.77134,{"date":476,"score":450,"percentile":477},"2026-01-27",0.77135,{"date":479,"score":480,"percentile":481},"2026-01-28",0.01422,0.80224,{"date":483,"score":480,"percentile":481},"2026-01-29",{"date":485,"score":480,"percentile":481},"2026-01-30",{"date":487,"score":480,"percentile":488},"2026-01-31",0.8023,{"date":490,"score":491,"percentile":492},"2026-02-01",0.02421,0.8483,[494,499,501],{"source":137,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":495,"cvss_v4_0":9},{"baseScore":135,"baseSeverity":496,"vectorString":138,"impactScore":497,"exploitabilityScore":498},"HIGH",6,10,{"source":143,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":500,"cvss_v4_0":9},{"baseScore":135,"baseSeverity":496,"vectorString":138,"impactScore
":497,"exploitabilityScore":498},{"source":144,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":502,"cvss_v4_0":9},{"baseScore":135,"baseSeverity":9,"vectorString":138,"impactScore":497,"exploitabilityScore":498},[504,513,557,565],{"ecosystem":9,"name":505,"vendor":506,"product":507,"cpe_part":508,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":509},"debian linux","debian","debian_linux","o",[510],{"version":511,"is_range":101,"range_type":512,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"10.0","cpe",{"ecosystem":514,"name":515,"vendor":514,"product":515,"cpe_part":9,"purl_type":516,"purl_namespace":9,"purl_name":515,"source":9,"versions":517},"Npm","qs","npm",[518,526,530,534,538,542,546,550,554],{"version":519,"is_range":520,"range_type":521,"version_start":522,"version_start_type":523,"version_end":524,"version_end_type":525,"fixed_in":9},"gte6_10_0_lt6_10_3",true,"semver","6.10.0","including","6.10.3","excluding",{"version":527,"is_range":520,"range_type":521,"version_start":528,"version_start_type":523,"version_end":529,"version_end_type":525,"fixed_in":9},"gte6_9_0_lt6_9_7","6.9.0","6.9.7",{"version":531,"is_range":520,"range_type":521,"version_start":532,"version_start_type":523,"version_end":533,"version_end_type":525,"fixed_in":9},"gte6_8_0_lt6_8_3","6.8.0","6.8.3",{"version":535,"is_range":520,"range_type":521,"version_start":536,"version_start_type":523,"version_end":537,"version_end_type":525,"fixed_in":9},"gte6_7_0_lt6_7_3","6.7.0","6.7.3",{"version":539,"is_range":520,"range_type":521,"version_start":540,"version_start_type":523,"version_end":541,"version_end_type":525,"fixed_in":9},"gte6_6_0_lt6_6_1","6.6.0","6.6.1",{"version":543,"is_range":520,"range_type":521,"version_start":544,"version_start_type":523,"version_end":545,"version_end_type":525,"fixed_in":9},"gte6_5_0_lt6_5_3","6.5.0","6.5.3",{"version":547,"is_range":520,"range_type":521,"version_start":548,"version_start_type":523,"version
_end":549,"version_end_type":525,"fixed_in":9},"gte6_4_0_lt6_4_1","6.4.0","6.4.1",{"version":551,"is_range":520,"range_type":521,"version_start":552,"version_start_type":523,"version_end":553,"version_end_type":525,"fixed_in":9},"gte6_3_0_lt6_3_3","6.3.0","6.3.3",{"version":555,"is_range":520,"range_type":521,"version_start":9,"version_start_type":9,"version_end":556,"version_end_type":525,"fixed_in":9},"lt6_2_4","6.2.4",{"ecosystem":9,"name":558,"vendor":559,"product":558,"cpe_part":560,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":561},"express","openjsf","a",[562],{"version":563,"is_range":520,"range_type":512,"version_start":9,"version_start_type":9,"version_end":564,"version_end_type":525,"fixed_in":9},"lt4.17.3","4.17.3",{"ecosystem":9,"name":515,"vendor":566,"product":515,"cpe_part":560,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":567},"qs_project",[568,570,572,574,576,578,580,582,583],{"version":569,"is_range":520,"range_type":512,"version_start":9,"version_start_type":9,"version_end":556,"version_end_type":525,"fixed_in":9},"lt6.2.4",{"version":571,"is_range":520,"range_type":512,"version_start":552,"version_start_type":523,"version_end":553,"version_end_type":525,"fixed_in":9},"gte6.3.0_lt6.3.3",{"version":573,"is_range":520,"range_type":512,"version_start":544,"version_start_type":523,"version_end":545,"version_end_type":525,"fixed_in":9},"gte6.5.0_lt6.5.3",{"version":575,"is_range":520,"range_type":512,"version_start":536,"version_start_type":523,"version_end":537,"version_end_type":525,"fixed_in":9},"gte6.7.0_lt6.7.3",{"version":577,"is_range":520,"range_type":512,"version_start":532,"version_start_type":523,"version_end":533,"version_end_type":525,"fixed_in":9},"gte6.8.0_lt6.8.3",{"version":579,"is_range":520,"range_type":512,"version_start":528,"version_start_type":523,"version_end":529,"version_end_type":525,"fixed_in":9},"gte6.9.0_lt6.9.7",{"version":581,"is_range":520,"range_type":512,"version_start":5
22,"version_start_type":523,"version_end":524,"version_end_type":525,"fixed_in":9},"gte6.10.0_lt6.10.3",{"version":548,"is_range":101,"range_type":512,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},{"version":540,"is_range":101,"range_type":512,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9}]