CVE-2022-24999

Name: CVE-2022-24999
Creator: NVD / NIST
Published: 2022-11-26T22:15:10.153+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.5/10EPSS 14.66%

Last modified Jun 17, 2026

CVE-2022-24999 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. EPSS estimates a 14.66% chance of exploitation in the next 30 days.

Description

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).

Metrics

CVSS 3.1

7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Probability

14.66%

96.2th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Qs Project	Qs	< 6.2.4
Qs Project	Qs	>= 6.3.0, < 6.3.3
Qs Project	Qs	>= 6.5.0, < 6.5.3
Qs Project	Qs	>= 6.7.0, < 6.7.3
Qs Project	Qs	>= 6.8.0, < 6.8.3
Qs Project	Qs	>= 6.9.0, < 6.9.7
Qs Project	Qs	>= 6.10.0, < 6.10.3
Qs Project	Qs	6.4.0
Qs Project	Qs	6.6.0
Openjsf	Express	< 4.17.3
Debian	Debian Linux	10.0

References

https://github.com/expressjs/express/releases/tag/4.17.3Release Notes
https://github.com/ljharb/qs/pull/428Issue Tracking, Patch
https://github.com/n8tz/CVE-2022-24999Exploit, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/01/msg00039.htmlMailing List, Third Party Advisory
https://security.netapp.com/advisory/ntap-20230908-0005/
https://github.com/expressjs/express/releases/tag/4.17.3Release Notes
https://github.com/ljharb/qs/pull/428Issue Tracking, Patch
https://github.com/n8tz/CVE-2022-24999Exploit, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/01/msg00039.htmlMailing List, Third Party Advisory
https://security.netapp.com/advisory/ntap-20230908-0005/

Timeline

Published: Nov 26, 2022
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2022-24999?

How severe is CVE-2022-24999?

CVE-2022-24999 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 14.66% probability of exploitation in the next 30 days.

How do I fix CVE-2022-24999?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2022-24999?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST