Skip to content

Release: 4.22.1 #6934

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jonchurch merged 2 commits into from
Dec 1, 2025
Merged

Release: 4.22.1 #6934

jonchurch merged 2 commits into from
Dec 1, 2025
+9 −107

Conversation

@UlisesGascon
Copy link
Member

@UlisesGascon UlisesGascon commented Dec 1, 2025
edited by ctcpip
Loading

Important

The prior release (4.22.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

@jonchurch jonchurch mentioned this pull request Dec 1, 2025
Closed
@jonchurch jonchurch requested a review from ctcpip December 1, 2025 19:52
@jonchurch jonchurch marked this pull request as ready for review December 1, 2025 20:27
@jonchurch jonchurch merged commit 12fae14 into 4.x Dec 1, 2025
53 checks passed
@nelsonleblanc-rl
Copy link

nelsonleblanc-rl commented Dec 1, 2025

@jonchurch why?

@nelsonleblanc-rl
Copy link

nelsonleblanc-rl commented Dec 2, 2025

@UlisesGascon why was this reverted?

@sefinek
Copy link

sefinek commented Dec 2, 2025

#6933

@UlisesGascon
Copy link
Member Author

UlisesGascon commented Dec 2, 2025

Hey @nelsonleblanc-rl! Thanks for the ping, I just included a small explanation on #6933 (comment)

@ctcpip
Copy link
Member

ctcpip commented Dec 2, 2025
edited
Loading

Important

The prior release (4.22.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

@blakeembrey
Copy link
Member

blakeembrey commented Dec 2, 2025
edited
Loading

I replied in the other release here but TL;DR is that there was no vulnerability to fix, and the "fix" may have broken someone (by removing keys they expected). Copied here:

I just wanted to jump in clarify that there wasn't a vulnerability here. There should be a post-mortem on why it was released at all, but GHSA-pj86-cfqh-vqx6 is invalid because there isn't any prototype pollution or other vulnerability.

I wanted to further add that this is just the behavior of JavaScript and anything that parses user supplied data, such as JSON.parse. Any JavaScript object can have any key name, such as { constructor: 'example' }, and it's a reason to always validate input before operating on it.

The issue that can occur with your code is that you might want to do something like obj.hasOwnProperty('test') but you never checked that hasOwnProperty is a function. That is a problem when using JavaScript, but isn't what was patched with the original PR, all it did was make sure it was always broken.

If you are concerned about object keys that match the names of prototype keys, you can provide your own parser:

app.set('query parser', function (str) {
  return qs.parse(str);
});

But keep in mind that if you expect a key that matches one on the prototype, such as constructor, it will no longer be included in the JavaScript object.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jonchurch jonchurch jonchurch approved these changes

@ctcpip ctcpip Awaiting requested review from ctcpip

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@UlisesGascon @nelsonleblanc-rl @sefinek @ctcpip @blakeembrey @jonchurch