CVE-2022-24999

HIGH

QS < 6.2.4 - Prototype Pollution


Exploitation Summary

EIP tracks 2 public exploits for CVE-2022-24999. PoCs published by 9pings, n8tz.

Description

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).

Exploits (2)

nomisec WORKING POC 8 stars
by 9pings · poc
https://github.com/9pings/CVE-2022-24999

This repository contains functional exploit code demonstrating CVE-2022-24999, a prototype pollution vulnerability in the 'qs' library. The PoC showcases how malicious payloads can create 'array-like' objects with manipulated lengths, leading to denial-of-service (DoS) conditions when processed by vulnerable Express applications.

Classification: Working PoC 100%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: Express.js (using qs < 6.10.3)
No auth needed
Prerequisites: Vulnerable version of 'qs' library · Express.js with default query parser configuration
devstral-2 · analyzed Jun 10, 2026

nomisec WORKING POC 8 stars
by n8tz · poc
https://github.com/n8tz/CVE-2022-24999

This repository contains a proof-of-concept exploit for CVE-2022-24999, demonstrating a denial-of-service (DoS) vulnerability in the 'qs' library used by Express.js. The exploit leverages prototype pollution and array/string manipulation to cause excessive CPU usage.

Classification: Working PoC 95%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: Express.js with qs library (versions affected by CVE-2022-24999)
No auth needed
Prerequisites: Express.js application using vulnerable qs library · Ability to send crafted HTTP requests
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 7.5
EPSS: 0.0154
EPSS Percentile: 81.9%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: partial

Details

CWE: CWE-1321
Status: published
Products (6)
debian/debian_linux 10.0
npm/qs 6.10.0 - 6.10.3
openjsf/express < 4.17.3
qs_project/qs 6.4.0
qs_project/qs 6.6.0
qs_project/qs < 6.2.4
Published: Nov 26, 2022
Tracked Since: Feb 18, 2026