Security Tracking Issue

Do not make this issue public.

Impact: Moderate
Reported Date: 02-Dec-2022
PM Fix/Wontfix Decision By: 04-Jan-2023
Resolve Bug By: 31-May-2023

In case the dates above are already past, please evaluate this bug in your next prioritization review and make a decision then. Remember to explicitly set CLOSED:WONTFIX if you decide not to fix this bug.

Please review this tracker and its impact on your product or service, as soon as possible. The trackers are filed WITHOUT in-depth analysis as the vulnerability has a Low or Moderate severity impact on this product or service. For more details, please refer to following confluence page - https://docs.engineering.redhat.com/x/3e_3EQ

Please see the Security Errata Policy for further details: https://docs.engineering.redhat.com/x/9kKpDw

Flaw:

CVE-2022-24999 express: "qs" prototype poisoning causes the hang of the node process
https://bugzilla.redhat.com/show_bug.cgi?id=2150323

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an _proto_ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).