Impact
The npm package query-parser-string version 1.0.0 merges user-supplied query parameters into a newly created object without proper sanitization, resulting in a prototype pollution condition (CWE-1321). This vulnerability allows an attacker to inject arbitrary properties into Object.prototype, which can alter the behavior of any code that later relies on these properties. Such pollution can compromise data integrity by changing configuration values, corrupting data structures, or causing unintended code execution flows within the affected application.
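The merge pattern described above, next to a hardened form, as an added example. This is not code from query-parser-string: the bracket key syntax (`a[b]=c`), the function names and the sample query string are assumptions made for illustration.

```javascript
// Added example: hypothetical code, not taken from query-parser-string.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);

// Assumed key syntax: "a[b][c]" becomes ["a", "b", "c"].
const keyPath = (rawKey) => rawKey.split(/[\[\]]+/).filter(Boolean);

// Shared walker; makeNode decides what kind of object holds nested keys.
function assign(root, path, value, makeNode) {
  let node = root;
  for (const seg of path.slice(0, -1)) {
    if (typeof node[seg] !== 'object' || node[seg] === null) node[seg] = makeNode();
    node = node[seg];
  }
  node[path[path.length - 1]] = value;
}

// Unsanitized merge: on an ordinary object a "__proto__" segment resolves
// to Object.prototype, so the final assignment lands on the shared prototype.
function parseNaive(qs) {
  const out = {};
  for (const [k, v] of new URLSearchParams(qs)) {
    const path = keyPath(k);
    if (path.length) assign(out, path, v, () => ({}));
  }
  return out;
}

// Hardened merge: prototype-less containers plus a key denylist.
function parseSafe(qs) {
  const out = Object.create(null);
  for (const [k, v] of new URLSearchParams(qs)) {
    const path = keyPath(k);
    if (path.length === 0 || path.some((seg) => BLOCKED.has(seg))) continue;
    assign(out, path, v, () => Object.create(null));
  }
  return out;
}

// Runs both parsers on one constructed query string and reports the effect.
function demo() {
  const qs = 'page=2&filter[role]=user&__proto__[polluted]=yes'; // constructed
  parseNaive(qs);
  const naivePolluted = ({}).polluted === 'yes';
  delete Object.prototype.polluted; // undo the side effect before the safe run
  const safe = parseSafe(qs);
  return { naivePolluted, safePolluted: 'polluted' in {}, safe };
}
console.log(demo());
```

The same `'polluted' in {}` check works as a regression test around whichever parser an application actually uses.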
Affected Systems
Any project that declares a dependency on query-parser-string 1.0.0 is potentially affected. The vulnerability is documented for this exact version; later releases are not explicitly addressed in the information provided, so users should verify that their project is using a patched or newer version if available.
Risk and Exploitability
Based on the description, the vulnerability is inferred to be exploitable by sending specially crafted query strings to any application that uses the vulnerable library to parse HTTP requests. The CVSS score of 9.8 indicates critical severity, yet the EPSS score of less than 1% and the absence from the KEV catalog suggest that no widespread exploitation has been observed to date. The likely attack vector lies in the application's request handling layer, meaning that any traffic reaching the parser could be a potential exploitation path.