querymen@1.1.0 vulnerabilities

Querystring parser middleware for MongoDB, Express and Nodejs

Direct Vulnerabilities

Known vulnerabilities in the querymen package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Prototype Pollution

querymen is a Querystring parser middleware for MongoDB, Express and Nodejs.

Affected versions of this package are vulnerable to Prototype Pollution if the parameters of exported function handler(type, name, fn) can be controlled by users without any sanitization.

Note: This vulnerability derives from an incomplete fix of CVE-2020-7600.

How to fix Prototype Pollution?

There is no fixed version for querymen.

*
  • M
Prototype Pollution

querymen is a Querystring parser middleware for MongoDB, Express and Nodejs.

Affected versions of this package are vulnerable to Prototype Pollution. The parameters of exported function handler(type, name, fn) can be controlled by users without any sanitization. This could be abused for Prototype Pollution attacks.

PoC by System Security Lab

var a = require("querymen");
a.handler("__proto__","toString","JHU");
console.log({}.toString);

How to fix Prototype Pollution?

Upgrade querymen to version 2.1.4 or higher.

<2.1.4