CVE-2022-24999 - Denial of Service (DoS)

Severity: Medium2023-02-03

Security Advisories

Abstract

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).

The Oxygen products incorporate qs as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Affected Products/Versions

ProductSeverityFixed Release Availability
Oxygen Content Fusion v5.0.1 and olderMedium Oxygen Content Fusion 5.0.2 build 2022121305

Mitigation

None

Detail

CVE-2022-24999

Severity: High

CVSS Score: 7.5

The qs third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-24999 vulnerability description.

Starting with Oxygen Content Fusion v5.0.2 build 2022121305 qs library was updated to v6.11.0 which fixes this vulnerability.

List of Security Advisories

Video Tutorials
Upcoming Events
conference
Declarative Amsterdam 2024

Products

Features

Shop

Resources

Support

Company

© 2002-2024 SyncRO Soft SRL. All rights reserved.

This website was created & generated with <oXygen/>®XML Editor