CVE-2025-63704
Deferred Deferred - Pending Action
Prototype Pollution in query-parser-string NPM Package

Publication date: 2026-05-07

Last updated on: 2026-05-08

Assigner: MITRE

Description
NPM package query-parser-string 1.0.0 is vulnerable to Prototype Pollution. The package does not properly sanitize user supplied query parameters and merges them to the newly created object.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-07
Last Modified
2026-05-08
Generated
2026-06-17
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-15
NVD
CVE-2025-63704
EUVD
EUVD-2025-209730
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
victorteokw query_string_parser 1.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1321 The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

Detection of the Prototype Pollution vulnerability in the query-parser-string package involves identifying if the vulnerable version 1.0.0 is in use and if user-supplied query parameters are being merged unsafely into objects.

Specific commands or automated detection scripts are not provided in the available resources.

Compliance Impact

The provided information does not specify how the Prototype Pollution vulnerability in the query-parser-string package affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

The vulnerability in the NPM package query-parser-string version 1.0.0 is a Prototype Pollution issue. This occurs because the package does not properly sanitize user-supplied query parameters before merging them into a newly created object.

Impact Analysis

Prototype Pollution vulnerabilities can allow an attacker to manipulate the prototype of base objects, potentially leading to unexpected behavior in the application. This can result in security issues such as denial of service, data corruption, or even remote code execution depending on how the polluted objects are used.

Mitigation Strategies

Immediate mitigation steps include avoiding the use of the vulnerable query-parser-string package version 1.0.0 or applying patches if available.

Since the vulnerability arises from improper sanitization of user input, ensure that user-supplied query parameters are validated and sanitized before processing.

Monitoring for updates or fixes from the package maintainer and upgrading to a fixed version once released is recommended.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-63704. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart