Mageia 2023-0053: nodejs-qs security update | LinuxSecurity.com

What Are You Looking For?

Popular Tags

Contribute
MGASA-2023-0053 - Updated nodejs-qs packages fix security vulnerability

Publication date: 20 Feb 2023
URL: https://advisories.mageia.org/MGASA-2023-0053.html
Type: security
Affected Mageia releases: 8
CVE: CVE-2022-24999

nodejs qs before 6.10.3, as used in Express before 4.17.3 and other
products, allows attackers to cause a Node process hang for an Express
application because an __ proto__ key can be used. In many typical Express
use cases, an unauthenticated remote attacker can place the attack payload
in the query string of the URL that is used to visit the application, such
as a[__proto__]=b&a[__proto__]&a[length]=100000000.  (CVE-2022-24999)

References:
- https://bugs.mageia.org/show_bug.cgi?id=31494
- https://www.debian.org/lts/security/2023/dla-3299
- https://security-tracker.debian.org/tracker/CVE-2022-24999
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24999

SRPMS:
- 8/core/nodejs-qs-6.5.3-1.mga8

Mageia 2023-0053: nodejs-qs security update

nodejs qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can...

Summary

nodejs qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. (CVE-2022-24999)

References

- https://bugs.mageia.org/show_bug.cgi?id=31494

- https://www.debian.org/lts/security/2023/dla-3299

- https://security-tracker.debian.org/tracker/CVE-2022-24999

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24999

Resolution

MGASA-2023-0053 - Updated nodejs-qs packages fix security vulnerability

SRPMS

- 8/core/nodejs-qs-6.5.3-1.mga8

Severity
Publication date: 20 Feb 2023
URL: https://advisories.mageia.org/MGASA-2023-0053.html
Type: security
CVE: CVE-2022-24999

Related News

691 Malicious npm Packages and 49 PyPI Components Containing Crypto-Miners, Remote Access Trojans Discovered

Researchers Uncover 700+ Malicious Open Source Packages

An IBM Hacker Breaks Down High-Profile Attacks

A New Linux Flaw Can Be Chained with Other Two Bugs to Gain Full Root Privileges

News

Advisories

HOWTOs

Features

Interview with Guardian Digital CEO Dave Wreski: Open Source Utilization in Email Security Solutions & More
Verifying Linux Server Security: What Every Admin Needs to Know
What Linux, Windows & Mac OS Users Need to Know About VPNs
Complete Guide to Vulnerability Basics
How To Get Live Updates on Critical Linux Security Advisories

About Us

Powered By

Footer Logo

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy. 

Learn More About Our Cookie Policy