CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description (NVD)
NPM package query-parser-string 1.0.0 is vulnerable to Prototype Pollution. The package does not properly sanitize user supplied query parameters and merges them into the newly created object.
Analysis (AI)
Prototype pollution in query-string-parser 1.0.0 enables remote, unauthenticated attackers to inject properties into JavaScript object prototypes via crafted query parameters, which can lead to arbitrary code execution, privilege escalation, or denial of service in Node.js applications. The CVSS 9.8 (critical) score reflects a network attack vector with no authentication required. An EPSS score of 0.02% (4th percentile) indicates a low observed exploitation probability despite the critical rating. A publicly available proof of concept exists (GitHub Gist), but there is no CISA KEV listing confirming active exploitation. The SSVC framework rates this as automatable with total technical impact but currently unexploited, suggesting opportunistic future risk rather than immediate widespread targeting.
Technical Context (AI)
The vulnerability affects query-string-parser (note: the package name differs from the CVE description, which states 'query-parser-string'), an NPM package for parsing URL query strings into JavaScript objects. Classified as CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes, commonly known as Prototype Pollution), the flaw arises when user-controlled query parameters containing keys such as '__proto__', 'constructor', or 'prototype' are merged directly into newly created objects without sanitization. In JavaScript's prototype-based inheritance model, polluting Object.prototype affects every object that inherits from it, which lets an attacker override methods, inject properties into downstream objects, bypass security checks, or trigger code paths leading to remote code execution when the polluted properties are later consumed by eval(), require(), or other dangerous operations. The Node.js ecosystem is particularly exposed to this class of attack because object merging is widespread in middleware and parsers.
Remediation (AI)
No vendor-released patch was identified at the time of analysis: the query-string-parser package appears unmaintained, with its last release at version 1.0.0 and no activity on the GitHub repository issue tracker beyond the vulnerability report filed in January 2025. Immediate remediation requires replacing query-string-parser with a maintained alternative such as qs (npm package with 200M+ weekly downloads, actively maintained, includes prototype pollution protections) or the built-in URLSearchParams API available in Node.js 10+. Migration example: replace require('query-string-parser') with const qs = require('qs'); qs.parse(queryString, {allowPrototypes: false}). For applications unable to migrate immediately, implement compensating controls: (1) freeze Object.prototype at application startup using Object.freeze(Object.prototype) to prevent pollution (breaks some libraries that expect mutable prototypes), (2) launch Node.js with the --disable-proto=delete flag to remove the __proto__ accessor (requires Node.js 12.17+), or (3) add input validation that rejects query parameters containing '__proto__', 'constructor', or 'prototype' keys before parsing (bypassable via advanced encoding techniques). All compensating controls have compatibility trade-offs, so regression testing is mandatory. Dependency scanning tools should flag this package for removal.
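The merge-without-filtering pattern from Technical Context and the key-rejection control from Remediation, as an added example that is not the query-string-parser package's own code: a small bracket-style query parser in a vulnerable form beside a hardened one. The bracket key syntax, helper names and sample query strings are assumptions for illustration.

```javascript
const DANGEROUS = new Set(['__proto__', 'constructor', 'prototype']);

// "user[name]=bob" -> [['user', 'name'], 'bob']. Decode before splitting so
// a percent-encoded key such as %5F%5Fproto%5F%5F is checked in decoded form.
function splitPairs(qs) {
  return qs.replace(/^\?/, '').split('&').filter(Boolean).map((part) => {
    const eq = part.indexOf('=');
    const dec = (s) => decodeURIComponent(s.replace(/\+/g, ' '));
    const key = dec(eq < 0 ? part : part.slice(0, eq));
    const val = dec(eq < 0 ? '' : part.slice(eq + 1));
    return [key.replace(/\]/g, '').split('['), val];
  });
}

// Walk or create nested objects along `path` and set the leaf value.
function assign(root, path, value, makeObj) {
  let cur = root;
  for (let i = 0; i < path.length - 1; i++) {
    if (typeof cur[path[i]] !== 'object' || cur[path[i]] === null) cur[path[i]] = makeObj();
    cur = cur[path[i]];
  }
  cur[path[path.length - 1]] = value;
}

// Vulnerable pattern (CWE-1321): plain objects and no key filtering, so the
// path ['__proto__', 'x'] walks into Object.prototype and sets x on it.
function parseUnsafe(qs) {
  const out = {};
  for (const [path, value] of splitPairs(qs)) assign(out, path, value, () => ({}));
  return out;
}
// Hardened: reject dangerous segments and build null-prototype objects, on
// which a stray '__proto__' key is a plain own property, not an accessor.
function parseSafe(qs) {
  const out = Object.create(null);
  for (const [path, value] of splitPairs(qs)) {
    const bad = path.find((seg) => DANGEROUS.has(seg));
    if (bad !== undefined) throw new Error(`rejected query key segment: ${bad}`);
    assign(out, path, value, () => Object.create(null));
  }
  return out;
}

// Shows the unsafe parser's effect on a fresh object, then undoes the pollution.
function demoUnsafe() {
  parseUnsafe('__proto__[polluted]=yes');
  const leaked = ({}).polluted;       // 'yes', inherited from Object.prototype
  delete Object.prototype.polluted;
  return leaked;
}
```

The blocklist in parseSafe is the compensating control (3) above and shares its limits; the null-prototype result and a frozen Object.prototype are the layers that still hold if a key slips past it.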
EUVD-2025-209730
GHSA-587p-w43q-4hjx