Advisories » MGASA-2023-0053

Updated nodejs-qs packages fix security vulnerability

Publication date: 20 Feb 2023
Modification date: 20 Feb 2023
Type: security
Affected Mageia releases : 8
CVE: CVE-2022-24999

Description

nodejs qs before 6.10.3, as used in Express before 4.17.3 and other
products, allows attackers to cause a Node process hang for an Express
application because an __ proto__ key can be used. In many typical Express
use cases, an unauthenticated remote attacker can place the attack payload
in the query string of the URL that is used to visit the application, such
as a[__proto__]=b&a[__proto__]&a[length]=100000000.  (CVE-2022-24999)
                

References

• https://bugs.mageia.org/show_bug.cgi?id=31494
• https://www.debian.org/lts/security/2023/dla-3299
• https://security-tracker.debian.org/tracker/CVE-2022-24999
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24999

SRPMS

8/core

• nodejs-qs-6.5.3-1.mga8