Express.js
cpe:2.3:a:expressjs:express:*:*:*:*:*:*:*
- < 4.22.0
- < 5.1.0
A vulnerability exists in the Express.js web framework for Node.js, specifically in versions prior to 5.2.0 and 4.22.0. When the extended query parser is used, the request.query object inherits, and therefore exposes, every property of Object.prototype. Because those inherited members are reachable through the query object, a query string parameter whose key matches one of their names overwrites that member on request.query. The issue is particularly relevant because the extended query parser is the default in Express 4, whereas Express 5 uses the simple query parser by default.
Exploitation of this vulnerability allows improper modification of query properties, which can lead to unexpected behavior in the application: prototype members such as the object's built-in methods become accessible through request.query and can be replaced by attacker-controlled string values supplied in the query string.
To reproduce this vulnerability, create an Express.js application using version 4.x and set the query parser to 'extended'. Then, send a request with a query string that includes keys matching object prototype property names. The response will reveal that the prototype properties have been accessed, demonstrating the vulnerability.
Users are advised to upgrade to Express.js versions 5.2.0 or 4.22.0, where this vulnerability has been patched. For those unable to upgrade, a workaround is to provide a custom query parser that uses 'plainObjects: true', which prevents prototype properties from being exposed.
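The following stand-in parser is an added illustration, not code from the advisory or from Express itself. It shows what inheriting Object.prototype does to a query object built from the query string, how a null-prototype result (what qs returns when `plainObjects: true` is set) removes the inherited members, and a lookup pattern that survives both; the Express `app.set('query parser', ...)` wiring in the comment assumes the `qs` package is available to the application.

```javascript
// Every ordinary object inherits these names from Object.prototype; a query
// key with one of these names shadows the inherited member on a plain object.
const INHERITED = new Set(Object.getOwnPropertyNames(Object.prototype));

// Minimal stand-in for a query parser (not qs). plainObjects mirrors the qs
// option named in the advisory: when true the result has no prototype, so
// nothing can be inherited and nothing inherited can be shadowed.
function parseQuery(queryString, { plainObjects = false } = {}) {
  const out = plainObjects ? Object.create(null) : {};
  for (const [key, value] of new URLSearchParams(queryString)) {
    out[key] = value;
  }
  return out;
}

// Defensive check: which own keys of the parsed query collide with
// Object.prototype members? A non-empty result means the client sent a key
// such as hasOwnProperty or constructor.
function prototypeKeyCollisions(query) {
  return Object.keys(query).filter((k) => INHERITED.has(k));
}

// Common application pattern that breaks once the inherited method has been
// replaced by a string from the query string (throws TypeError).
function naiveHas(query, name) {
  return query.hasOwnProperty(name);
}

// Hardened lookup: works for plain and null-prototype objects alike and
// ignores any shadowing on the query object itself.
function safeHas(query, name) {
  return Object.prototype.hasOwnProperty.call(query, name);
}

// In an Express 4 app the advisory's workaround is installed as a custom
// parser (assumed wiring; qs is the parser Express uses for 'extended'):
//   app.set('query parser', (str) => qs.parse(str, { plainObjects: true }));

// Constructed sample query string: one key collides with a prototype member.
const SAMPLE = 'hasOwnProperty=1&page=2';

const vulnerable = parseQuery(SAMPLE);
console.log('collisions:', prototypeKeyCollisions(vulnerable));
try { naiveHas(vulnerable, 'page'); } catch (e) { console.log(String(e)); }

const hardened = parseQuery(SAMPLE, { plainObjects: true });
console.log('inherits constructor:', 'constructor' in hardened);
console.log('page present:', safeHas(hardened, 'page'));
```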