-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| qs | npm | >= 6.10.0, < 6.10.3 | 6.10.3 |
| qs | npm | >= 6.9.0, < 6.9.7 | 6.9.7 |
| qs | npm | >= 6.8.0, < 6.8.3 | 6.8.3 |
| qs | npm | >= 6.7.0, < 6.7.3 | 6.7.3 |
| qs | npm | >= 6.6.0, < 6.6.1 | 6.6.1 |
| qs | npm | >= 6.5.0, < 6.5.3 | 6.5.3 |
| qs | npm | >= 6.4.0, < 6.4.1 | 6.4.1 |
| qs | npm | >= 6.3.0, < 6.3.3 | 6.3.3 |
| qs | npm | < 6.2.4 | 6.2.4 |
Miggo AIRoot Cause AnalysisThe GitHub commit diff shows a critical modification in lib/parse.js where an 'else if (cleanRoot !== 'proto')' check was added to the parseObject function. This indicates the function previously allowed 'proto' key assignments, which is the root cause of prototype pollution. The CVE description explicitly references 'proto' key manipulation in query strings, and the added test cases in test/parse.js validate that 'proto' keys are now ignored. The function's role in parsing nested objects makes it the primary vector for this vulnerability.
JavaScriptJavaScriptOngoing coverage of React2Shell