An unauthenticated remote attacker can cause a Node process hang for an Express application using qs before version 6.10.3. The vulnerability can be exploited by sending a malformed query string in the URL. Upon recognizing the issue, the fix was backported to various versions of qs.
Impact
This vulnerability allows unauthenticated remote attackers to cause a Node process hang, resulting in a denial-of-service (DoS) for Express applications.
The Vulnerability
The issue lies in the attacker's ability to use the `__proto__` key to construct a malformed query string that causes the Node process to hang. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL used to visit the application. For example:
`a[__proto__]=b&a[__proto__]&a[length]=100000000`
Fixed versions: qs 6.10.3, with the fix backported to earlier release lines down to 6.2.4.
Express 4.17.3, whose release description lists qs@6.9.7 as its dependency, is not vulnerable to this issue.
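To see why the payload needs two `__proto__` entries followed by a `length` key, here is an added example (not qs's or Express's code) that models how a pre-6.10.3 parser assigned bracketed keys, the fixed behaviour, and a defensive check an application can run over its parsed query. The parser model, `parseQuery`, `assignPath` and `findPoisonedNodes` are assumptions made for this illustration.

```javascript
// Constructed model of the defect: each bracket segment is assigned like any
// other key, and repeated keys are combined into an array, so the advisory
// payload rewires [[Prototype]] instead of adding a property.
function assignPath(root, segments, value, ignoreProto) {
  let node = root;
  for (let i = 0; i < segments.length; i++) {
    const seg = segments[i];
    if (ignoreProto && seg === '__proto__') return root; // behaviour of the fix
    if (i === segments.length - 1) {
      node[seg] = value; // '__proto__' with an array value changes the prototype
    } else {
      if (typeof node[seg] !== 'object' || node[seg] === null) node[seg] = {};
      node = node[seg];
    }
  }
  return root;
}

function parseQuery(query, { ignoreProto = false } = {}) {
  const grouped = new Map(); // repeated keys become arrays, as in qs
  for (const [key, val] of new URLSearchParams(query)) {
    grouped.set(key, grouped.has(key) ? [].concat(grouped.get(key), val) : val);
  }
  const root = {};
  for (const [key, val] of grouped) {
    const segments = key.split(/\[|\]\[|\]/).filter((s) => s !== '');
    assignPath(root, segments, val, ignoreProto);
  }
  return root;
}

// Defensive check for req.query (or any parsed input): every object node must
// have Object.prototype or null as its prototype; genuine arrays are allowed.
function findPoisonedNodes(value, path = 'query', out = []) {
  if (typeof value !== 'object' || value === null) return out;
  const proto = Object.getPrototypeOf(value);
  if (!Array.isArray(value) && proto !== Object.prototype && proto !== null) out.push(path);
  for (const k of Object.keys(value)) findPoisonedNodes(value[k], `${path}.${k}`, out);
  return out;
}

const payload = 'a[__proto__]=b&a[__proto__]&a[length]=100000000'; // from the advisory
const poisoned = parseQuery(payload);
const fixed = parseQuery(payload, { ignoreProto: true });
// true false '100000000': code that trusts `instanceof Array` or `.length` now
// sees a 100,000,000-element "array" and will iterate over it
console.log(poisoned.a instanceof Array, Array.isArray(poisoned.a), poisoned.a.length);
console.log(findPoisonedNodes(poisoned), JSON.stringify(fixed)); // [ 'query.a' ] {"a":{"length":"100000000"}}
```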
Recommendation
Update qs and Express to the fixed versions listed above. If you are using Express 4.17.3 or later, your application is not affected by this vulnerability; keeping dependencies up to date remains good practice regardless.
References
- CVE-2022-24999
- Express Release
- qs GitHub
Timeline
Published on: 11/26/2022 22:15:00 UTC
Last modified on: 02/16/2023 19:19:00 UTC