VYPR
Moderate severity · NVD Advisory · Published Mar 12, 2020 · Updated Aug 4, 2024

CVE-2020-7600

Description

Querymen ≤2.1.3 allows unvalidated user input in handler() parameters, leading to Prototype Pollution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Querymen versions prior to 2.1.4 are vulnerable to Prototype Pollution. The exported function handler(type, name, fn) uses its type and name arguments directly as property keys (handlers[type][name] = fn) without validating them, so a caller who controls those arguments controls where the assignment lands [1]. This allows the attacker to modify the prototype of base objects such as Object.prototype, a classic Prototype Pollution attack.

Exploitation

An attacker can supply crafted type, name, or fn arguments to the handler function. Because these keys are not validated, a type of __proto__ makes handlers[type] resolve to Object.prototype, and the following assignment overwrites a property on Object.prototype or another base object [2]. Exploitation requires that the attacker is able to control the arguments passed to this exported function, which may be possible if the application uses querymen to parse user-supplied query strings.

Impact

Successful exploitation enables an attacker to inject properties into global object prototypes. This can lead to a variety of downstream attacks, including denial of service (DoS), property tampering, or potentially arbitrary code execution depending on how the application uses the polluted properties [2]. The Snyk advisory notes that Prototype Pollution can be used to cause the application to behave unexpectedly or crash.

Mitigation

The vulnerability is fixed in querymen version 2.1.4. The fix, committed in [3], makes handler() return early when type or name is 'constructor' or '__proto__', so those keys can no longer be used to reach a prototype through the registry. Users should upgrade to the latest version immediately. There is no known workaround.
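The following is an added example, not code from querymen or from this advisory. It models the handler() registry whose assignment line `handlers[type][name] = fn` appears in the fix diff: first the vulnerable form described under Vulnerability and Exploitation, then the guard the patch adds under Mitigation, and finally a stricter allowlist variant as an alternative design. The registry keys 'formatters', 'validators' and 'parsers', the two-argument read path, and the helper names (makeRegistry, makeHandler, makeStrictRegistry, makeStrictHandler, probe, demo) are assumptions of this example.

```javascript
// Added example (not querymen's code). Models the handler() registry from the
// fix diff: the vulnerable form, the guarded form from the patch, and an
// allowlist variant. Registry keys and the two-argument read path are assumed.

const GUARD_KEYS = new Set(['__proto__', 'constructor']);

// Plain object literals, matching `export let handlers = {` in the diff.
function makeRegistry() {
  return { formatters: {}, validators: {}, parsers: {} };
}

// guarded=false reproduces the pre-2.1.4 behaviour; guarded=true adds the
// early return that the patch inserts before the assignment.
function makeHandler(handlers, guarded) {
  return function handler(type, name, fn) {
    if (guarded && (GUARD_KEYS.has(type) || GUARD_KEYS.has(name))) {
      return undefined;
    }
    if (arguments.length > 2) {
      // With type === '__proto__', handlers[type] is Object.prototype, so this
      // write lands on every plain object in the process.
      handlers[type][name] = fn;
    }
    return handlers[type][name]; // assumed read path (not shown on the page)
  };
}

// Stricter alternative (this example's design choice, not the patch):
// prototype-less sub-registries plus an allowlist of the registry's own keys,
// and a thrown error instead of a silent return.
function makeStrictRegistry() {
  const registry = Object.create(null);
  for (const type of ['formatters', 'validators', 'parsers']) {
    registry[type] = Object.create(null);
  }
  return registry;
}

function makeStrictHandler(handlers) {
  return function handler(type, name, fn) {
    if (!Object.prototype.hasOwnProperty.call(handlers, type)) {
      throw new TypeError(`unknown handler type: ${String(type)}`);
    }
    if (typeof name !== 'string' || GUARD_KEYS.has(name)) {
      throw new TypeError(`invalid handler name: ${String(name)}`);
    }
    if (arguments.length > 2) {
      handlers[type][name] = fn;
    }
    return handlers[type][name];
  };
}

const MARKER = 'vypr_example_marker'; // constructed marker property name

// Register a marker under `type` and report whether a fresh {} now inherits
// it. The marker is deleted afterwards so the process is left clean, and a
// thrown TypeError (strict variant) counts as "not polluted".
function probe(handler, type) {
  let polluted = false;
  try {
    handler(type, MARKER, 'marker');
    polluted = ({})[MARKER] === 'marker';
  } catch (err) {
    if (!(err instanceof TypeError)) throw err;
  } finally {
    delete Object.prototype[MARKER];
  }
  return polluted;
}

function demo() {
  const vulnerable = makeHandler(makeRegistry(), false);
  const fixed = makeHandler(makeRegistry(), true);
  const strict = makeStrictHandler(makeStrictRegistry());

  // Legitimate registration still works through the guarded handler.
  fixed('formatters', 'upper', (v) => String(v).toUpperCase());

  return {
    vulnerablePolluted: probe(vulnerable, '__proto__'), // true
    fixedPolluted: probe(fixed, '__proto__'),           // false
    strictPolluted: probe(strict, '__proto__'),         // false
    normalUse: fixed('formatters', 'upper')('ok'),      // 'OK'
  };
}

console.log(JSON.stringify(demo()));
```

probe() checks whether a fresh `{}` inherits the marker and removes it again in `finally`, so the demonstration leaves Object.prototype as it found it. Note the difference in failure handling: the patch's guard returns silently, so a rejected registration is indistinguishable from a lookup miss, whereas the strict variant throws and refuses every key that is not an own property of the registry, not only the two names on the denylist.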

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions   Patched versions
querymen (npm)   < 2.1.4             2.1.4

Patches

1987fefcb3b7

Fix prototype pollution vulnerability (#77)

4 files changed · +25 −3
  • src/index.js  +8 −0  modified
    @@ -19,6 +19,14 @@ export let handlers = {
      * @param {Function} [fn] - Set the handler method.
      */
     export function handler (type, name, fn) {
    +  if (
    +    type === 'constructor' ||
    +    type === '__proto__' ||
    +    name === 'constructor' ||
    +    name === '__proto__'
    +  ) {
    +    return
    +  }
       if (arguments.length > 2) {
         handlers[type][name] = fn
       }
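Review bot: the guard added at the top of handler() returns silently for `constructor` and `__proto__`, so a caller passing one of those keys gets `undefined` back with no signal that the registration was refused; consider throwing a TypeError instead, or, since `handlers` is a fixed object literal, allowlisting its own keys with `Object.prototype.hasOwnProperty.call(handlers, type)`, which also rejects any other unexpected `type` rather than only these two names. A one-line comment above the `if` stating why the two names are rejected would help the next reader.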
    
  • test/index.js  +15 −0  modified
    @@ -42,6 +42,21 @@ const route = (...args) => {
       return app
     }
     
    +test('Prototype pollution', (t) => {
    +  const { toString } = {}
    +
    +  querymen.handler('__proto__', 'toString', 'JHU')
    +  t.ok({}.toString === toString, 'should not be vulnerable to prototype pollution')
    +
    +  querymen.handler('formatters', '__proto__', { toString: 'JHU' })
    +  t.ok({}.toString === toString, 'should not be vulnerable to prototype pollution')
    +
    +  querymen.handler('validators', '__proto__', { toString: 'JHU' })
    +  t.ok({}.toString === toString, 'should not be vulnerable to prototype pollution')
    +
    +  t.end()
    +})
    +
     test('Querymen handler', (t) => {
       t.notOk(querymen.parser('testParser'), 'should not get nonexistent parser')
       t.notOk(querymen.formatter('testFormatter'), 'should not get nonexistent formatter')
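Review bot: the second and third cases assign to `handlers.formatters.__proto__` and `handlers.validators.__proto__`, which for plain object literals (as `handlers = {` suggests) replaces the prototype of that sub-object rather than Object.prototype, so `{}.toString === toString` would pass even without the guard; assert on the registry instead, e.g. `t.notOk(querymen.formatter('toString'), 'should not register under __proto__')`. The `constructor` branch of the new guard has no test at all and should get one. `'JHU'` as the injected value is opaque; a descriptive string makes failures easier to read.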
    
  • test/querymen-schema.js  +1 −1  modified
    @@ -29,7 +29,7 @@ test('QuerymenSchema add', (t) => {
       t.same(add('123,456', [Number]), [123, 456], 'should add a param with type option number array')
       t.same(add('123,0', [Boolean]), [true, false], 'should add a param with type option boolean array')
       t.same(add('2016,2017', [Date]), [new Date('2016'), new Date('2017')], 'should add a param with type option date array')
    -  t.same(add('123,456', [RegExp]), [/123/i, /123/i], 'should add a param with type option regexp array')
    +  t.same(add('123,456', [RegExp]), [/123/i, /456/i], 'should add a param with type option regexp array')
       t.end()
     })
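Review bot: the change from `[/123/i, /123/i]` to `[/123/i, /456/i]` corrects a wrong expectation in an unrelated test (the second element was a copy of the first) and has nothing to do with the prototype-pollution guard; either split it into its own commit or mention it in the commit message so the security fix stays reviewable on its own.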
     
    
  • .travis.yml  +1 −2  modified
    @@ -1,7 +1,6 @@
     language: node_js
     services: mongodb
     node_js:
    -  - v5
    -  - v4
    +  - v6
     after_script:
       - 'npm run coveralls'
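Review bot: dropping v4 and v5 from `node_js` and adding v6 changes which runtimes CI covers, which is unrelated to the security fix and not mentioned in the commit message; if Node 4 and 5 are no longer supported, state that in the commit message (and in the package's declared supported versions), otherwise keep them in the matrix so the fix is verified on the runtimes existing users run.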
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
