Loading
Generated remediation guidance and an executive summary. No account required.
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).
Cite this page
CVE-2022-24999. CVEDatabase.com. Retrieved 1 May 2026. https://cvedatabase.com/cve/CVE-2022-24999
Use CWE-1321, Qs Project vendor hub and Qs product page to widen CVE-2022-24999 into its surrounding weakness, vendor, and product context.
Compare it with CVE-2014-10064, CVE-2017-1000048 and CVE-2026-2391 for nearby disclosures in the same product family.