# [LOW] Fixing a Prototype Override Protection Bypass Vulnerability in qs **Source:** Snyk **Published:** 2017-03-14 **Article:** https://snyk.io/blog/high-severity-vulnerability-qs/ ## Threat Profile Snyk Blog In this article Written by Tim Kadlec March 14, 2017 0 mins read Last month, we added a high-severity Prototype Override Protection Bypass vulnerability in the qs package to our database. The fix was released in updated versions of the library about a week ago. This post explains the vulnerability and how to mitigate it. qs is a popular npm package — just under 40 million downloads over the past month — used to parse querystring parameters into objects. For example: 1 qs . parse ( 'a=… ## Indicators of Compromise (high-fidelity only) - _No high-fidelity IOCs in the RSS summary._ If the source publishes a technical write-up with defanged IOCs in the body, those would be picked up automatically on the next pipeline run. ## MITRE ATT&CK Techniques - **T1190** — Exploit Public-Facing Application ## Kill chain phases observed _(none detected from narrative keywords)_ ## Recommended hunts ### qs prototype-override bypass exploit attempt in HTTP query string (CVE-2017-1000048) `UC_3353_0` · phase: **exploit** · confidence: **Medium** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where (Web.uri_query="*]=hasOwnProperty*" OR Web.uri_query="*[=hasOwnProperty*" OR Web.uri_query="*%5D=hasOwnProperty*" OR Web.uri_query="*%5B=hasOwnProperty*" OR Web.uri_query="*hasOwnProperty*" OR Web.uri_query="*__proto__*" OR Web.uri_query="*%5F%5Fproto*" OR Web.uri_query="*constructor[prototype]*" OR Web.uri_query="*constructor%5Bprototype%5D*") by Web.src Web.dest Web.http_method Web.uri_path Web.uri_query Web.http_user_agent Web.status | `drop_dm_object_name(Web)` | convert ctime(firstTime) ctime(lastTime) | sort - lastTime ``` ## Why this matters Severity classified as **LOW** based on: 1 use case(s) fired, 1 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.