Disclosed on November 27, 2022 (updated April 29, 2025)
PGV-2287703 is a category 2 vulnerability that affects qs, versions ≥ 6.10.0 & < 6.10.3, ≥ 6.9.0 & < 6.9.7, ≥ 6.8.0 & < 6.8.3, ≥ 6.7.0 & < 6.7.3, ≥ 6.6.0 & < 6.6.1, ≥ 6.5.0 & < 6.5.3, ≥ 6.4.0 & < 6.4.1, ≥ 6.3.0 & < 6.3.3, < 6.2.4
The risk assessment shows that this vulnerability is exploited by an external attacker: an unauthorized external actor who attempts to exploit this vulnerability without legitimate access.
The impact is contained to the application. Exploitation remains confined to the application and cannot affect the host environment or external systems.
The threat damage is caused by a denial of service. Exploitation can completely deny access to the application, resulting in a full outage.
qs before 6.10.3 allows attackers to cause a Node process hang because an `__proto__` key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as `a[__proto__]=b&a[__proto__]&a[length]=100000000`. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.
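Where a framework exposes the raw query string before it is parsed, a guard like the one below can flag the two ingredients of the payload above (a `__proto__` bracket segment and an oversized `length` value) so the request can be rejected or logged before qs ever sees it. This is an added example, not code from qs or from the advisory; the function names, the blocked-segment list and the 1000 cap are assumptions.

```javascript
// Pre-parse guard for bracket-notation query strings (added example; not qs code).
// It inspects each key before a parser such as qs touches it and reports the
// markers of the PGV-2287703 payload: prototype-related bracket segments and a
// "length" assignment far beyond anything a legitimate form would send.

const BLOCKED_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);
const MAX_LENGTH_VALUE = 1000; // assumed cap; tune to what the application needs

// Returns an array of findings; an empty array means the query string is clean.
function inspectQueryString(qsRaw) {
  const findings = [];
  for (const pair of qsRaw.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const rawVal = eq === -1 ? '' : pair.slice(eq + 1);
    let key;
    let val;
    try {
      // Decode so a percent-encoded "a%5B__proto__%5D" is seen as "a[__proto__]".
      key = decodeURIComponent(rawKey.replace(/\+/g, ' '));
      val = decodeURIComponent(rawVal.replace(/\+/g, ' '));
    } catch (e) {
      findings.push({ key: rawKey, reason: 'malformed percent-encoding' });
      continue;
    }
    // Split "a[b][c]" into ["a", "b", "c"]; the head may be empty for "[x]=1".
    const segments = [];
    const head = key.match(/^[^[\]]*/)[0];
    if (head) segments.push(head);
    for (const m of key.matchAll(/\[([^\]]*)\]/g)) segments.push(m[1]);
    for (const seg of segments) {
      if (BLOCKED_SEGMENTS.has(seg)) {
        findings.push({ key, reason: `prototype segment "${seg}"` });
      }
    }
    const last = segments[segments.length - 1];
    if (last === 'length' && Number(val) > MAX_LENGTH_VALUE) {
      findings.push({ key, reason: `length value ${val} exceeds ${MAX_LENGTH_VALUE}` });
    }
  }
  return findings;
}

// Convenience predicate for middleware: true when nothing suspicious was found.
function isSafeQueryString(qsRaw) {
  return inspectQueryString(qsRaw).length === 0;
}
```

The guard is a stop-gap for the request path; upgrading to a fixed qs release listed above remains the actual remediation.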
| Factor | Rating | Description |
|---|---|---|
| Network Exposure | External | Accessible from the public internet |
| Access Interface | Web browser | Primarily web-based applications |
| Service Outage | Disruptive | Operations would be impacted |
| Data Breach | Disruptive | Operations would be impacted |
| Data Tampering | Disruptive | Operations would be impacted |