Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
N/A
Vulnerability Description
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).
CVSS Information
N/A
Vulnerability Type
N/A
Vulnerability Title
qs 安全漏洞
Vulnerability Description
ljharb qs是美国Jordan Harband个人开发者的一个具有嵌套支持的查询字符串解析器。 qs 6.10.3 之前版本存在安全漏洞,该漏洞源于parse忽略__proto__键,攻击者利用该漏洞可以将攻击载荷放在用于访问应用程序的 URL 的查询字符串中。
CVSS Information
N/A
Vulnerability Type
N/A