CVE-2022-24999 - Denial of Service (DoS)

Severity: Medium2023-02-03

Security Advisories


qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).

The Oxygen products incorporate qs as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Affected Products/Versions

ProductSeverityFixed Release Availability
Oxygen Content Fusion v5.0.1 and olderMedium Oxygen Content Fusion 5.0.2 build 2022121305





Severity: High

CVSS Score: 7.5

The qs third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-24999 vulnerability description.

Starting with Oxygen Content Fusion v5.0.2 build 2022121305 qs library was updated to v6.11.0 which fixes this vulnerability.

List of Security Advisories