MGASA-2023-0053

Advisory lineage Upstream: 1 Downstream: 0

Upstream

CVE-2022-24999

Published: 20 Feb 2023, 21:25

Last modified:16 Apr 2026, 04:22

Vulnerability Summary

Overall Risk (default)

minimal

0/100

CVSS Score

No data

EPSS Score

No data

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

20 Feb 2023, 21:25

Published

Vulnerability first disclosed

16 Apr 2026, 04:22

Last Modified

Vulnerability information updated

Description

Updated nodejs-qs packages fix security vulnerability nodejs qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. (CVE-2022-24999)

Affected Systems

mageia•nodejs-qs
< 6.5.3-1.mga8

References (4)

https://advisories.mageia.org/MGASA-2023-0053.html
https://bugs.mageia.org/show_bug.cgi?id=31494
https://www.debian.org/lts/security/2023/dla-3299
https://security-tracker.debian.org/tracker/CVE-2022-24999