Cyber Resilience

CVE-2024-57067

High

Published: 05 February 2025

Published
05 February 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0019 40.8th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-57067 is a high-severity Prototype Pollution (CWE-1321) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 40.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-57067 is a prototype pollution vulnerability in the lib.parse function of the dot-qs v0.2.0 package. This flaw enables attackers to supply a crafted payload that pollutes the JavaScript prototype chain, leading to a Denial of Service (DoS) condition. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is classified under CWE-1321 (Prototype Pollution). It was published on 2025-02-05.

A remote attacker with no required privileges can exploit this vulnerability over the network with low attack complexity and no user interaction. By delivering a specially crafted payload to an application that uses dot-qs v0.2.0 for query string parsing, the attacker triggers prototype pollution, resulting in high-impact disruption to availability, such as application crashes or resource exhaustion.

For details on advisories, patches, or mitigation strategies, refer to the provided reference: https://gist.github.com/tariqhawis/07dca101d8fe059dd11b3b0e1b4a6d46.

EU & UK References

Vulnerability details

A prototype pollution in the lib.parse function of dot-qs v0.2.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote network exploitation of the prototype pollution flaw in a query-string parser directly enables T1190 (Exploit Public-Facing Application) and produces application crashes/resource exhaustion that map to T1499.004 (Application or System Exploitation).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-8083Shared CWE-1321
CVE-2026-33993Shared CWE-1321
CVE-2026-30939Shared CWE-1321
CVE-2026-30226Shared CWE-1321
CVE-2024-57080Shared CWE-1321
CVE-2024-57066Shared CWE-1321
CVE-2024-57083Shared CWE-1321
CVE-2024-57069Shared CWE-1321
CVE-2024-12629Shared CWE-1321
CVE-2026-24888Shared CWE-1321

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Flaw remediation directly addresses the prototype pollution vulnerability in dot-qs v0.2.0 by requiring timely patching or replacement of the affected library to prevent DoS exploitation.

prevent

Information input validation ensures crafted payloads targeting the lib.parse function are sanitized or rejected before processing, blocking prototype pollution attacks.

prevent

Denial-of-service protection limits the impact of resource exhaustion or crashes resulting from prototype pollution in the query string parser.

References