How severe is CVE-2022-24999?

This vulnerability has a severity rating of HIGH with a CVSS score of 7.5 out of 10.

What type of vulnerability is CVE-2022-24999?

This is classified as CWE-1321, which is a common weakness in software security.

CVE-2022-24999 - HIGH Severity | CVSS 7.5

Vulnerability Description

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: [email protected]" in its release description, is not vulnerable).

Related Vulnerabilities

CVE-2019-10745

HIGH

CVSS:7.5(High)

assign-deep is vulnerable to Prototype Pollution in versions before 0.4.8 and version 1.0.0. The function assign-deep could be tricked into adding or modifying properties of Object.prototype using eit...

CWE-13212019

CVE-2019-10768

HIGH

CVSS:7.5(High)

In AngularJS before 1.7.9 the function `merge()` could be tricked into adding or modifying properties of `Object.prototype` using a `__proto__` payload.

CWE-13212019

CVE-2019-16328

HIGH

CVSS:7.5(High)

In RPyC 4.1.x through 4.1.1, a remote attacker can dynamically modify object attributes to construct a remote procedure call that executes code for an RPyC service with default configuration settings.

CWE-13212019

CVE-2020-24939

HIGH

CVSS:7.5(High)

Prototype pollution in Stampit supermixer 1.0.3 allows an attacker to modify the prototype of a base object which can vary in severity depending on the implementation.

CWE-13212020

CVE-2020-28268

HIGH

CVSS:7.5(High)

Prototype pollution vulnerability in 'controlled-merge' versions 1.0.0 through 1.2.0 allows attacker to cause a denial of service and may lead to remote code execution.

CWE-13212020

CVE-2020-7792

HIGH

CVSS:7.5(High)

This affects all versions of package mout. The deepFillIn function can be used to 'fill missing properties recursively', while the deepMixIn 'mixes objects into the target object, recursively mixing e...

CWE-13212020