qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has “deps: qs@6.9.7” in its release description, is not vulnerable).
More Stories
USN-6753-1: CryptoJS vulnerability
Thomas Neil James Shadwell discovered that CryptoJS was using an insecure cryptographic default configuration. A remote attacker could possibly use...
USN-6751-1: Zabbix vulnerabilities
It was discovered that Zabbix incorrectly handled input data in the discovery and graphs pages. A remote authenticated attacker could...
USN-6752-1: FreeRDP vulnerabilities
It was discovered that FreeRDP incorrectly handled certain memory operations. If a user were tricked into connecting to a malicious...
ruby-3.2.4-182.fc38
FEDORA-2024-48bdd3abbf Packages in this update: ruby-3.2.4-182.fc38 Update description: Upgrade to Ruby 3.2.4. Read More
ruby-3.2.4-182.fc39
FEDORA-2024-31cac8b8ec Packages in this update: ruby-3.2.4-182.fc39 Update description: Upgrade to Ruby 3.2.4. Read More
chromium-124.0.6367.78-1.el9
FEDORA-EPEL-2024-0c24da3136 Packages in this update: chromium-124.0.6367.78-1.el9 Update description: update to 124.0.6367.78 * Critical CVE-2024-4058: Type Confusion in ANGLE * High...