Skip to main content

query-string-parser CVE-2025-63704

| EUVDEUVD-2025-209730 CRITICAL
Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) (CWE-1321)
2026-05-07 cve@mitre.org GHSA-587p-w43q-4hjx
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 09, 2026 - 00:30 vuln.today
CVSS changed
May 08, 2026 - 22:22 NVD
9.8 (CRITICAL)
CVE Published
May 07, 2026 - 16:16 nvd
UNKNOWN (no severity yet)
CVE Published
May 07, 2026 - 16:16 nvd
CRITICAL 9.8

DescriptionCVE.org

NPM package query-parser-string 1.0.0 is vulnerable to Prototype Pollution. The package does not properly sanitize user supplied query parameters and merges them to the newly created object.

AnalysisAI

Prototype pollution in query-string-parser 1.0.0 enables remote unauthenticated attackers to inject malicious properties into JavaScript object prototypes via crafted query parameters, achieving arbitrary code execution, privilege escalation, or denial of service in Node.js applications. CVSS 9.8 critical severity with network attack vector and no authentication required. EPSS score of 0.02% (4th percentile) indicates low observed exploitation probability despite critical rating. Publicly available proof-of-concept exists (GitHub Gist), but no CISA KEV listing confirms active exploitation. SSVC framework rates this as automatable with total technical impact but currently unexploited, suggesting opportunistic future risk rather than immediate widespread targeting.

Technical ContextAI

The vulnerability affects query-string-parser (note: package name differs from CVE description which states 'query-parser-string'), an NPM package for parsing URL query strings into JavaScript objects. Classified as CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes, commonly known as Prototype Pollution), this flaw arises when user-controlled query parameters containing properties like '__proto__', 'constructor', or 'prototype' are merged directly into newly created objects without sanitization. In JavaScript's prototype-based inheritance model, polluting Object.prototype affects all objects in the application, enabling attackers to override methods, inject properties into downstream objects, bypass security checks, or trigger code paths leading to remote code execution when polluted properties are later used in eval(), require(), or other dangerous operations. The Node.js ecosystem is particularly vulnerable to this class of attack due to widespread use of object merging in middleware and parsers.

RemediationAI

No vendor-released patch identified at time of analysis - the query-string-parser package appears unmaintained with last release at version 1.0.0 and no activity on the GitHub repository issue tracker beyond the vulnerability report filed in January 2025. Immediate remediation requires replacing query-string-parser with maintained alternatives such as qs (npm package with 200M+ weekly downloads, actively maintained, includes prototype pollution protections) or the built-in URLSearchParams API available in Node.js 10+. Migration example: replace require('query-string-parser') with const qs = require('qs'); qs.parse(queryString, {allowPrototypes: false}). For applications unable to immediately migrate, implement compensating controls: (1) freeze Object.prototype at application startup using Object.freeze(Object.prototype) to prevent pollution (breaks some libraries expecting mutable prototypes), (2) launch Node.js with --disable-proto=delete flag to remove __proto__ accessor (requires Node.js 12.17+), or (3) add input validation to reject query parameters containing '__proto__', 'constructor', or 'prototype' keys before parsing (bypassable via advanced encoding techniques). All compensating controls have compatibility trade-offs; regression testing is mandatory. Dependency scanning tools should flag this package for removal.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Share

CVE-2025-63704 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy