NPM package query-parser-string 1.0.0 is vulnerable to Prototype Pollution. The package does not properly sanitize user supplied query parameters and merges them to the newly created object.
The package takes user-supplied query parameters and merges them directly into a newly created object without proper validation or sanitization. An attacker can craft malicious parameters containing keys such as '__proto__' or 'constructor', which modify the global prototype of JavaScript objects. As a result, properties injected by the attacker are inherited by all objects in the application, which can lead to unexpected code behavior or its takeover.
An attacker can modify properties of the global prototype of JavaScript objects, which may result in unauthorized data access, manipulation of application logic, and in certain conditions even remote code execution (RCE). The vulnerability can lead to violations of confidentiality, integrity, and availability of the application.
Apply patches available from the vendor according to the references. Until a fix is released, consider replacing the package with an alternative solution or manually sanitizing query parameters before processing — in particular blocking keys '__proto__', 'constructor', and 'prototype'.
NPM package query-parser-string version 1.0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H