Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
NPM package query-parser-string 1.0.0 is vulnerable to Prototype Pollution. The package does not properly sanitize user supplied query parameters and merges them to the newly created object.
AnalysisAI
Prototype pollution in query-string-parser 1.0.0 enables remote unauthenticated attackers to inject malicious properties into JavaScript object prototypes via crafted query parameters, achieving arbitrary code execution, privilege escalation, or denial of service in Node.js applications. CVSS 9.8 critical severity with network attack vector and no authentication required. EPSS score of 0.02% (4th percentile) indicates low observed exploitation probability despite critical rating. Publicly available proof-of-concept exists (GitHub Gist), but no CISA KEV listing confirms active exploitation. SSVC framework rates this as automatable with total technical impact but currently unexploited, suggesting opportunistic future risk rather than immediate widespread targeting.
Technical ContextAI
The vulnerability affects query-string-parser (note: package name differs from CVE description which states 'query-parser-string'), an NPM package for parsing URL query strings into JavaScript objects. Classified as CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes, commonly known as Prototype Pollution), this flaw arises when user-controlled query parameters containing properties like '__proto__', 'constructor', or 'prototype' are merged directly into newly created objects without sanitization. In JavaScript's prototype-based inheritance model, polluting Object.prototype affects all objects in the application, enabling attackers to override methods, inject properties into downstream objects, bypass security checks, or trigger code paths leading to remote code execution when polluted properties are later used in eval(), require(), or other dangerous operations. The Node.js ecosystem is particularly vulnerable to this class of attack due to widespread use of object merging in middleware and parsers.
RemediationAI
No vendor-released patch identified at time of analysis - the query-string-parser package appears unmaintained with last release at version 1.0.0 and no activity on the GitHub repository issue tracker beyond the vulnerability report filed in January 2025. Immediate remediation requires replacing query-string-parser with maintained alternatives such as qs (npm package with 200M+ weekly downloads, actively maintained, includes prototype pollution protections) or the built-in URLSearchParams API available in Node.js 10+. Migration example: replace require('query-string-parser') with const qs = require('qs'); qs.parse(queryString, {allowPrototypes: false}). For applications unable to immediately migrate, implement compensating controls: (1) freeze Object.prototype at application startup using Object.freeze(Object.prototype) to prevent pollution (breaks some libraries expecting mutable prototypes), (2) launch Node.js with --disable-proto=delete flag to remove __proto__ accessor (requires Node.js 12.17+), or (3) add input validation to reject query parameters containing '__proto__', 'constructor', or 'prototype' keys before parsing (bypassable via advanced encoding techniques). All compensating controls have compatibility trade-offs; regression testing is mandatory. Dependency scanning tools should flag this package for removal.
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209730
GHSA-587p-w43q-4hjx