CVE-2017-1000048 – qs
Package
Manager: npm
Name: qs
Vulnerable Version: >=0 <6.0.4 || >=6.1.0 <6.1.2 || >=6.2.0 <6.2.3 || >=6.3.0 <6.3.2
Severity
Level: High
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00598 (percentile 0.68449)
Details
Prototype Pollution Protection Bypass in qs
Affected versions of `qs` are vulnerable to Prototype Pollution because the built-in protection can be bypassed. The `qs.parse` function fails to prevent an object's prototype from being altered when parsing arbitrary input: input containing `[` or `]` can bypass the prototype pollution protection and alter the Object prototype. This allows attackers to override properties that will exist in all objects, which may lead to Denial of Service or Remote Code Execution in specific circumstances.
Recommendation
Upgrade to 6.0.4, 6.1.2, 6.2.3, 6.3.2 or later.
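As an added example that is not part of this advisory or of the qs project, the script below checks an installed qs version against the vulnerable range string given above, so a dependency audit can tell a patched release (6.0.4, 6.1.2, 6.2.3, 6.3.2 or later) from an affected one. It assumes plain numeric versions without pre-release tags.

```javascript
// Added example: evaluate the advisory's vulnerable range for a given qs
// version. Supports the comparators and "||" unions used in that range;
// pre-release tags (e.g. 6.1.0-beta) are not handled (assumption).
const VULNERABLE_RANGE =
  ">=0 <6.0.4 || >=6.1.0 <6.1.2 || >=6.2.0 <6.2.3 || >=6.3.0 <6.3.2";

// Parse "6.0.4" -> [6, 0, 4]; missing components default to 0 so ">=0" works.
function parseVersion(v) {
  const parts = v.trim().split(".").map(Number);
  if (parts.some((n) => Number.isNaN(n))) throw new Error(`bad version: ${v}`);
  while (parts.length < 3) parts.push(0);
  return parts;
}

// Compare two parsed versions: negative, zero or positive, like a comparator.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Evaluate one comparator such as ">=6.1.0" or "<6.1.2" against a version.
function satisfiesComparator(version, comparator) {
  const m = /^(>=|<=|>|<|=)?\s*(\d+(?:\.\d+)*)$/.exec(comparator.trim());
  if (!m) throw new Error(`bad comparator: ${comparator}`);
  const cmp = compareVersions(version, parseVersion(m[2]));
  switch (m[1] || "=") {
    case ">=": return cmp >= 0;
    case "<=": return cmp <= 0;
    case ">": return cmp > 0;
    case "<": return cmp < 0;
    default: return cmp === 0;
  }
}

// A range is a "||"-union of clauses; each clause ANDs its comparators.
// Returns true when the installed version falls inside the vulnerable range.
function isVulnerable(installedVersion, range = VULNERABLE_RANGE) {
  const version = parseVersion(installedVersion);
  return range.split("||").some((clause) =>
    clause.trim().split(/\s+/).every((c) => satisfiesComparator(version, c))
  );
}
```

Feed it the version from `npm ls qs` or the lockfile; a result of true means the installed qs still has the bypassable protection described above.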
Metadata
Created: 2020-04-30T17:16:47Z
Modified: 2021-08-25T21:03:56Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-gqgv-6jq5-jjj9/GHSA-gqgv-6jq5-jjj9.json
CWE IDs: CWE-20
Alternative ID: GHSA-gqgv-6jq5-jjj9
Finding: F184
Auto approve: 1