N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-51999

CVE-2024-51999: express improperly controls modification of query properties

Impact

when using the extended query parser in express ('query parser': 'extended'), the request.query object inherits all object prototype properties, but these properties can be overwritten by query string parameter keys that match the property names

[!IMPORTANT]
the extended query parser is the default in express 4; this was changed in express 5 which by default uses the simple query parser

Patches

the issue has been patched to ensure request.query is a plain object so request.query no longer has object prototype properties. this brings the default behavior of extended query parsing in line with express's default simple query parser

Workaround

this only impacts users using extended query parsing ('query parser': 'extended'), which is the default in express 4, but not express 5. all users are encouraged to upgrade to the patched versions, but can otherwise work around this issue:

provide `qs` directly and specify `plainObjects: true`

app.set('query parser',
  function (str) {
    return qs.parse(str, {
      plainObjects: true
  });
});

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-51999

CVE-2024-51999:

N/A

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
express	npm	< 4.22.0	4.22.0
express	npm	>= 5.0.0, < 5.1.0	5.1.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in the express framework's extended query parser, which is the default in version 4. The parseExtendedQueryString function in lib/utils.js used the qs.parse library with the allowPrototypes: true option. This configuration allows the query string to contain parameters that can modify properties of the global Object.prototype. An attacker could craft a malicious query string like ?hasOwnProperty=foo to overwrite built-in Object methods, potentially leading to application crashes or other unpredictable behavior when other parts of the code rely on these prototype properties. The provided patch addresses this by replacing allowPrototypes: true with plainObjects: true, which instructs qs.parse to create a plain object with a null prototype, effectively isolating the parsed query parameters and preventing prototype pollution.

Vulnerable functions

parseExtendedQueryString

lib/utils.js

The function `parseExtendedQueryString` was using `qs.parse` with the `allowPrototypes: true` option. This allowed query string parameters to overwrite properties of `Object.prototype`, leading to a prototype pollution vulnerability. The patch changes this option to `plainObjects: true` to prevent this.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-51999: express improperly controls modification of query properties

Impact

Patches

Workaround

provide qs directly and specify plainObjects: true

CVE-2024-51999:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

N/A

N/A

Technical Details

Basic Information

Basic Information

CVE-2024-51999: express improperly controls modification of query properties

Impact

Patches

Workaround

provide qs directly and specify plainObjects: true

provide `qs` directly and specify `plainObjects: true`

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

provide `qs` directly and specify `plainObjects: true`