Description
NPM package query-parser-string 1.0.0 is vulnerable to Prototype Pollution. The package does not properly sanitize user supplied query parameters and merges them to the newly created object.
Published: 2026-05-07
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The NPM package query-string-parser version 1.0.0 merges user supplied query parameters into a newly created object without proper sanitization, leading to prototype pollution. This flaw allows an attacker to inject arbitrary properties into Object.prototype, which may affect the behaviour of any code that reads these properties, potentially causing data corruption, configuration manipulation, or other integrity violations.
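The following JavaScript is an added illustration, not code from the query-string-parser package or from the OpenCVE record: a minimal bracket-notation query parser whose unguarded merge exhibits the pollution the analysis describes, beside a hardened variant that rejects prototype-reaching keys and only descends into objects it created itself. The parser shape and the sample parameter names are constructed assumptions.

```javascript
// Added example, not the query-string-parser package's code: unguarded merge
// of query parameters into a fresh object, and a hardened variant.

// Keys that must never be written into a plain object from untrusted input.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// "a[b][c]=v" -> { path: ["a", "b", "c"], value: "v" }
function splitPair(pair) {
  const eq = pair.indexOf("=");
  const rawKey = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? "" : decodeURIComponent(pair.slice(eq + 1));
  const path = decodeURIComponent(rawKey).replace(/\]/g, "").split("[").filter(Boolean);
  return { path, value };
}

// Vulnerable pattern: `node[key] || {}` resolves inherited properties, so a
// path starting with "__proto__" walks onto Object.prototype and writes there.
function parseQueryUnsafe(qs) {
  const result = {};
  for (const pair of qs.split("&")) {
    if (!pair) continue;
    const { path, value } = splitPair(pair);
    if (path.length === 0) continue;
    let node = result;
    for (let i = 0; i < path.length - 1; i++) {
      node = node[path[i]] = node[path[i]] || {};
    }
    node[path[path.length - 1]] = value;
  }
  return result;
}

// Hardened: drop any parameter touching a forbidden key, build on
// prototype-less objects, and only descend into children this parser created.
function parseQuerySafe(qs) {
  const result = Object.create(null);
  for (const pair of qs.split("&")) {
    if (!pair) continue;
    const { path, value } = splitPair(pair);
    if (path.length === 0 || path.some((k) => FORBIDDEN_KEYS.has(k))) continue;
    let node = result;
    for (let i = 0; i < path.length - 1; i++) {
      const key = path[i];
      if (!Object.prototype.hasOwnProperty.call(node, key) || typeof node[key] !== "object") {
        node[key] = Object.create(null);
      }
      node = node[key];
    }
    node[path[path.length - 1]] = value;
  }
  return result;
}
```

Returning a null-prototype object also means downstream code cannot rely on inherited helpers such as `result.hasOwnProperty`; use `Object.prototype.hasOwnProperty.call` or `Object.hasOwn` on the parsed result.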

Affected Systems

Any project that depends on query-string-parser 1.0.0 is potentially affected. The issue is documented for this exact version; later releases may have addressed it.

Risk and Exploitability

The vulnerability is exploitable by sending specially crafted query strings to any application that uses the vulnerable library to parse requests. Although no CVSS score is available in the source, the absence of an EPSS value and the lack of a KEV listing indicate that there is currently no known active exploitation; the attack vector, however, lies in the application's request handling layer. Users should assume that the flaw could be leveraged in traffic that reaches the parser.

Generated by OpenCVE AI on May 7, 2026 at 17:52 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade query-string-parser to the latest version where the prototype pollution issue is fixed.
  • Verify that all incoming query parameters are validated or sanitized before being passed to the parser.
  • Replace or remove any usage of the vulnerable parsing function in the codebase.

Advisories

No advisories yet.

History

Thu, 07 May 2026 21:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Victorteokw; Victorteokw query-string-parser
Vendors & Products   -                Victorteokw; Victorteokw query-string-parser

Thu, 07 May 2026 18:15:00 +0000

Type        Values Removed   Values Added
Title       -                Prototype Pollution in NPM package query-string-parser Leading to Object Prototype Manipulation
Weaknesses  -                CWE-1138

Thu, 07 May 2026 16:15:00 +0000

Type         Values Removed   Values Added
Description  -                NPM package query-parser-string 1.0.0 is vulnerable to Prototype Pollution. The package does not properly sanitize user supplied query parameters and merges them to the newly created object.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-07T15:29:31.797Z

Reserved: 2025-10-27T00:00:00.000Z

Link: CVE-2025-63704

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-05-07T16:16:17.697

Modified: 2026-05-07T18:50:20.783

Link: CVE-2025-63704

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T21:25:13Z

Weaknesses