CVE-2022-24999: 
JavaScript vulnerability analysis and mitigation

The CVE-2022-24999 vulnerability affects the 'qs' package before version 6.10.3, which is used in Express before 4.17.3 and other products. The vulnerability was discovered in December 2021 by Nathanael Braun and Johan Brissaud from EY Security, France. It allows attackers to cause a Node process hang for an Express application through prototype pollution using an proto key (EY Security).

The vulnerability allows attackers to create 'array-like' objects by setting an Array in the 'proto' property. Since these objects inherit the Array prototype, they expose native Array functions while still being Objects, allowing the 'length' property to be set on them. An example payload would be: a[proto]=b&a[proto]&a[length]=100000000. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

When successfully exploited, this vulnerability can lead to Denial of Service (DoS) by freezing the node process. This occurs when the application attempts to convert the malicious objects to string values or calls most native Array functions with an unreasonable 'length' value. The vulnerability affects any Node application using a vulnerable version of 'qs' with default Express configuration and without strong validation systems (EY Security).

The vulnerability has been fixed in qs version 6.10.3 and was backported to versions 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4. Express version 4.17.3 includes the patched qs version 6.9.7. Users are advised to upgrade to these or later versions to mitigate the vulnerability (Express Release).

The vulnerability has received significant attention from the security community and has been incorporated into various security advisories. Multiple organizations, including Debian and NetApp, have issued security bulletins addressing this vulnerability in their products (Debian Advisory, NetApp Advisory).