CVE-2022-24999 — qs Prototype Pollution (HIGH)

🔴 CISA KEV · CVSS 7.5

Prototype pollution in qs query string parsing. qs is a transitive dependency of Express — effectively present in the majority of Node.js web applications. Crafted query strings can pollute Object.prototype and affect all objects in the application.

🔴 Actively Exploited

CVE-2022-24999 is listed in the CISA Known Exploited Vulnerabilities catalog: it is being used in real attacks right now. Fix immediately.

Affected package

Package   Vulnerable   Safe version
qs        < 6.11.0     6.11.0

Timeline

Nov 2022   CVE filed — third prototype pollution in qs's history
Nov 2022   qs 6.11.0 released — Express 4.18.2 updated to include it
CISA       Added to KEV — active exploitation against Express applications
Ongoing    Express apps on 4.17.x and below remain vulnerable


Common questions

How does this reach production?
An attacker sends a crafted HTTP request like ?__proto__[isAdmin]=true. If your application uses qs to parse query strings (directly or via Express) and doesn't sanitize keys, the prototype is polluted.
Does updating Express fix this?
Express 4.18.0+ bundles qs 6.11.0, so updating Express is the cleanest fix. If you can't update Express, add an npm override to package.json: {"overrides": {"qs": "6.11.0"}}.
