CVE-2022-24999: High-Severity qs Library Vulnerability Threatens Node.js/Express Applications
A high-severity vulnerability in the widely used `qs` query string parsing library can allow attackers to cause a denial of service by hanging Node.js processes. The flaw, tracked as CVE-2022-24999, is present in `qs` versions before 6.10.3 and is especially relevant for applications using the Express framework before version 4.17.3. It is triggered when a specially crafted query string containing a `__proto__` key is parsed, causing the process to hang.
The vulnerability is particularly dangerous because it can be exploited remotely and without authentication in many typical Express application configurations. An attacker simply needs to place the malicious payload in the URL's query string. The issue was detected in `qs-4.0.0.tgz`, a version far below the patched release, which is bundled as a dependency of `body-parser-1.13.3.tgz`. This creates a significant supply chain risk for any project relying on these outdated packages.
This flaw represents a critical operational threat to the many web services built on the Node.js and Express stack. Because exploitation takes nothing more than a single HTTP request, the attack surface is vast. Organizations and developers should immediately audit their dependencies, upgrade `qs` to version 6.10.3 or later, and update Express to 4.17.3 or later to mitigate the risk of service disruption.
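As an added example (not code from the advisory or from the `qs` project), the following Node.js snippet shows two defensive checks a team can apply while upgrading: a request guard that rejects query strings carrying a `__proto__` key at any nesting level or in percent-encoded form, and a version check that flags `qs` releases below the fixed 6.10.3. The middleware name `rejectPrototypeKeys` is hypothetical; it assumes an Express-style `req`/`res`/`next` signature and no third-party packages.

```javascript
// Added example for CVE-2022-24999 (not from the advisory or the qs project).
// Assumes Node.js 14+ and no dependencies beyond the standard library.

// Returns true when any key in the raw query string, after URL decoding,
// contains a "__proto__" path segment, e.g. "__proto__=1", "a[__proto__]=1",
// or the percent-encoded "a%5B__proto__%5D=1".
function hasPrototypeKey(rawQuery) {
  for (const pair of rawQuery.replace(/^\?/, '').split('&')) {
    if (pair === '') continue;
    let key = pair.split('=')[0];
    try {
      key = decodeURIComponent(key.replace(/\+/g, ' '));
    } catch {
      return true; // malformed percent-encoding: treat as suspicious
    }
    // Split bracket notation "a[b][c]" into its path segments: "a", "b", "c"
    const segments = key.split(/[\[\]]+/).filter(Boolean);
    if (segments.some((s) => s.trim() === '__proto__')) return true;
  }
  return false;
}

// Returns true when the given qs version string is below the fixed 6.10.3.
// Compares major, minor and patch numerically (pre-release tags are ignored).
function qsIsVulnerable(version) {
  const fixed = [6, 10, 3];
  const parts = version.split('.').map((n) => parseInt(n, 10) || 0);
  for (let i = 0; i < 3; i++) {
    const v = parts[i] || 0;
    if (v !== fixed[i]) return v < fixed[i];
  }
  return false; // exactly 6.10.3 is fixed
}

// Hypothetical Express-style middleware: rejects the request before the
// query string reaches qs. Express sets req.originalUrl; plain Node sets req.url.
function rejectPrototypeKeys(req, res, next) {
  const url = req.originalUrl || req.url || '';
  const idx = url.indexOf('?');
  const raw = idx === -1 ? '' : url.slice(idx + 1);
  if (hasPrototypeKey(raw)) {
    res.statusCode = 400;
    return res.end('Bad Request');
  }
  next();
}

// Quick self-check when run directly: node guard.js
console.log(hasPrototypeKey('a[__proto__]=1'), qsIsVulnerable('4.0.0')); // true true
```

The guard is a stopgap for logging and blocking at the edge; the real fix remains upgrading `qs` and Express.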