Publish GHSA-pj86-cfqh-vqx6

advisory-database[bot] · advisory-database[bot] · commit 2dfb9f8e3af6 · 2025-12-02T15:13:24.000Z
diff --git a/advisories/github-reviewed/2025/12/GHSA-pj86-cfqh-vqx6/GHSA-pj86-cfqh-vqx6.json b/advisories/github-reviewed/2025/12/GHSA-pj86-cfqh-vqx6/GHSA-pj86-cfqh-vqx6.json
@@ -1,13 +1,14 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-pj86-cfqh-vqx6",
-  "modified": "2025-12-02T00:25:14Z",
+  "modified": "2025-12-02T15:11:19Z",
   "published": "2025-12-01T18:59:17Z",
+  "withdrawn": "2025-12-02T15:11:19Z",
   "aliases": [
     "CVE-2024-51999"
   ],
-  "summary": "express improperly controls modification of query properties",
-  "details": "### Impact\n\nwhen using the extended query parser in express (`'query parser': 'extended'`), the `request.query` object inherits all object prototype properties, but these properties can be overwritten by query string parameter keys that match the property names\n\n> [!IMPORTANT]  \n> the extended query parser is the default in express 4; this was changed in express 5 which by default uses the simple query parser\n\n### Patches\n\nthe issue has been patched to ensure `request.query` is a plain object so `request.query` no longer has object prototype properties. this brings the default behavior of extended query parsing in line with express's default simple query parser\n\n### Workaround\n\nthis only impacts users using extended query parsing (`'query parser': 'extended'`), which is the default in express 4, but not express 5.  all users are encouraged to upgrade to the patched versions, but can otherwise work around this issue:\n\n#### provide `qs` directly and specify `plainObjects: true`\n\n```js\napp.set('query parser',\n  function (str) {\n    return qs.parse(str, {\n      plainObjects: true\n  });\n});\n```",
+  "summary": "Withdrawn Advisory: express improperly controls modification of query properties",
+  "details": "## Withdrawn Advisory\nThis advisory has been withdrawn because it describes a correctness bug, not a vulnerability with real security impact. This link is maintained to preserve external references.\n\n## Original Description\n### Impact\n\nwhen using the extended query parser in express (`'query parser': 'extended'`), the `request.query` object inherits all object prototype properties, but these properties can be overwritten by query string parameter keys that match the property names\n\n> [!IMPORTANT]  \n> the extended query parser is the default in express 4; this was changed in express 5 which by default uses the simple query parser\n\n### Patches\n\nthe issue has been patched to ensure `request.query` is a plain object so `request.query` no longer has object prototype properties. this brings the default behavior of extended query parsing in line with express's default simple query parser\n\n### Workaround\n\nthis only impacts users using extended query parsing (`'query parser': 'extended'`), which is the default in express 4, but not express 5.  all users are encouraged to upgrade to the patched versions, but can otherwise work around this issue:\n\n#### provide `qs` directly and specify `plainObjects: true`\n\n```js\napp.set('query parser',\n  function (str) {\n    return qs.parse(str, {\n      plainObjects: true\n  });\n});\n```",
   "severity": [
     {
       "type": "CVSS_V4",
