CVE-2022-25871 – querymen
Package
Manager: npm
Name: querymen
Vulnerable Version: >=0 <=2.1.4
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00283 (percentile: 0.5132)
Details
Prototype Pollution in querymen
All versions of package querymen are vulnerable to Prototype Pollution if the parameters of the exported function `handler(type, name, fn)` can be controlled by users without any sanitization.
Note: This vulnerability derives from an incomplete fix of [CVE-2020-7600](https://security.snyk.io/vuln/SNYK-JS-QUERYMEN-559867).
Metadata
Created: 2022-06-18T00:00:19Z
Modified: 2022-06-20T22:27:37Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-p23c-p8w2-ww5v/GHSA-p23c-p8w2-ww5v.json
CWE IDs: ["CWE-1321"]
Alternative ID: GHSA-p23c-p8w2-ww5v
Finding: F390
Auto approve: 1