CVE-2025-63704
critical
CVSS 9.8
Prototype pollution vulnerability in query-string-parser (CVE-2025-63704)
Summary
Prototype pollution vulnerability in query-string-parser (CVE-2025-63704). Successful exploitation can lead to full system takeover.
AI summary openai / gpt-4o
The npm package query-string-parser version 1.0.0 has a critical Prototype Pollution vulnerability that lets attackers inject properties into objects because user-supplied query data is mishandled. A similar issue is CVE-2019-10744. Your company should promptly discontinue the use of this version and implement security measures.
The npm package query-string-parser version 1.0.0 is vulnerable to Prototype Pollution. The flaw is in the _fillValue function, which is reached when query parameters are parsed with fromQuery. The affected version is 1.0.0, and no patched version is available yet. Attackers can trigger it with a crafted query string:
```javascript
const { fromQuery } = require('query-string-parser');
// The bracketed "__proto__[polluted]" key is walked by _fillValue and ends up
// assigning to Object.prototype instead of to the parsed result object.
const queryString = fromQuery("a=1&b=2&__proto__[polluted]=polluted");
```
No temporary workaround is available, so it's advised to avoid using this package.
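As an added example (not the package's own code and not a fix published by its maintainers), the following parser handles the same bracketed key syntax but drops any segment that names a prototype-related key and builds the result on null-prototype objects; the canary check afterwards is what a defender can run after parsing untrusted input. The function and key names are assumptions for this example.

```javascript
// Added example: prototype-pollution-safe parsing of bracketed query keys.
// Not the query-string-parser package's code; names here are hypothetical.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Decode one component; return null on malformed percent-encoding.
function decode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch (e) { return null; }
}

// Split "a[b][c]" into ["a", "b", "c"]; null for keys that do not fit the form.
function splitKey(rawKey) {
  const m = /^([^[\]]+)((?:\[[^[\]]*\])*)$/.exec(rawKey);
  if (!m) return null;
  const parts = [m[1]];
  const re = /\[([^[\]]*)\]/g;
  let seg;
  while ((seg = re.exec(m[2])) !== null) parts.push(seg[1]);
  return parts;
}

// Parse a query string into a tree of null-prototype objects. Any key whose
// segments include a prototype-related name is rejected whole, not assigned.
function safeFromQuery(query) {
  const result = Object.create(null);
  const dropped = [];
  for (const pair of query.replace(/^\?/, '').split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const rawKey = decode(eq === -1 ? pair : pair.slice(0, eq));
    const value = decode(eq === -1 ? '' : pair.slice(eq + 1));
    const parts = rawKey === null ? null : splitKey(rawKey);
    if (value === null || !parts || parts.some((p) => UNSAFE_KEYS.has(p))) {
      dropped.push(rawKey === null ? pair : rawKey);
      continue;
    }
    let node = result;
    for (let i = 0; i < parts.length - 1; i++) {
      const k = parts[i];
      // Null-prototype objects have no inherited keys, so "in" means own property.
      if (!(k in node) || typeof node[k] !== 'object') node[k] = Object.create(null);
      node = node[k];
    }
    node[parts[parts.length - 1]] = value;
  }
  return { result, dropped };
}

// Canary for detection: a fresh {} must not have gained the given property.
function prototypeIsClean(canaryKey) {
  return !(canaryKey in {});
}
```

Logging the `dropped` list gives a per-request signal that someone sent prototype-shaped keys, which is the kind of alert the verification step later on this page refers to.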
❓ What is the problem
Improper sanitization of user-supplied query parameters in query-string-parser version 1.0.0.
📍 Affected scope
_fillValue function inside index.js when calling fromQuery.
🔥 Severity
Critical severity with a CVSS v3 score of 9.8, allowing remote exploitation without any authentication or user interaction.
🔧 How to fix
No patch is available. Avoid using the affected version.
🛡️ Workaround
No workaround is provided in the sources.
🔍 Detection
Check your codebase and lockfiles for query-string-parser 1.0.0, and review every code path that calls fromQuery, since that is what reaches _fillValue.
Related past incidents (similar incidents extracted from past CVEs)
Similar Prototype Pollution vulnerability in lodash package that allowed property injection.
If this happens at your company (expected impact per business scenario)
📌 Web applications using query-string-parser.
Could allow attackers to manipulate application behavior or access unauthorized data through object pollution.
📌 API services relying on query parsing.
Compromise of API services integrity and confidentiality by injecting unauthorized properties.
📌 Third-party tools or libraries depending on this package.
Risk of widespread vulnerability exploitation due to indirect dependencies.
Recommended action
Discontinue using the vulnerable package version immediately and conduct a full review of dependency usage for security risks.
Response Actions (7 steps)
Concrete steps and command examples for SOC/SRE teams to execute in order
1. Identify exposure (identify)
Audit SBOM/dependencies for affected components. Identify the affected components in the dependency manifest.
7. Post-deployment verification (verify)
Confirm the patched version is live in production. After applying the patch, reproduce the PoC or an equivalent exploitation pattern in staging to confirm the vulnerability is closed. In production, keep monitoring with the same log query as Step 3 to confirm the alert does not recur.
References
- https://gist.github.com/6en6ar/d62f614dbb2b1032b5e45a56fe26ec8b
- https://github.com/victorteokw/query-string-parser/issues/3
- https://www.npmjs.com/package/query-string-parser?activeTab=readme
- https://nvd.nist.gov/vuln/detail/CVE-2025-63704
- https://github.com/advisories/GHSA-587p-w43q-4hjx