Mageia: 2023-0054 Moderate: Node.js Incident with Remote Process Stalling
mageia
February 20, 2023
nodejs qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can...
Summary
nodejs qs before 6.10.3, as used in Express before 4.17.3 and other
products, allows attackers to cause a Node process hang for an Express
application because an __ proto__ key can be used. In many typical Express
use cases, an unauthenticated remote attacker can place the attack payload
in the query string of the URL that is used to visit the application, such
as a[__proto__]=b&a[__proto__]&a[length]=100000000. (CVE-2022-24999)
References
- https://bugs.mageia.org/show_bug.cgi?id=31494
- https://lists.debian.org/debian-lts-announce/2023/01/msg00039.html
- https://security-tracker.debian.org/tracker/CVE-2022-24999
- https://www.cve.org/CVERecord?id=CVE-2022-24999
Topics Covered
Resolution
SRPMS
- 8/core/nodejs-qs-6.5.3-1.mga8
PREVIOUS
NEXT
Publication date: 20 Feb 2023
URL: https://advisories.mageia.org/MGASA-2023-0053.html
Type: security
CVE: CVE-2022-24999
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!