Prototype Pollution

The advisory has been revoked - it doesn't affect any version of package express


  • Snyk ID: SNYK-JS-EXPRESS-14157151
  • published: 2 Dec 2025
  • disclosed: 1 Dec 2025
  • credit: Wes Todd, Jon Church

Introduced: 1 Dec 2025

CVE-2024-51999
CWE-915

Amendment

This was deemed not a vulnerability.

Overview

express is a minimalist web framework.

Affected versions of this package are vulnerable to Prototype Pollution in the request.query object. An attacker can modify inherited object prototype properties by supplying query string parameters that match prototype property names.

This is only exploitable if the extended query parser is enabled. The extended parser is the default in 4.x versions, but in 5.x it must be configured explicitly, for example with the setting 'query parser': 'extended'.

Workaround

This vulnerability can be mitigated by supplying qs directly as the query parser and passing plainObjects: true when parsing query strings, so that the parsed query object does not inherit from Object.prototype.
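The following is an added illustration of the behaviour described in the Overview and Workaround sections; it is not code from the Snyk advisory, from express or from qs. The tiny naiveParse function is a constructed stand-in that only splits key=value pairs (it does not implement qs's extended bracket syntax), and plainQueryMiddleware, toPlainObject, lookup and lookupOwn are hypothetical names chosen for this example. It shows why a handler that reads req.query with a plain property lookup sees inherited Object.prototype members such as constructor when the query object has a normal prototype, and how re-homing the parsed keys onto a null-prototype object (the effect of qs's plainObjects: true) makes those lookups return nothing.

```javascript
// Added example: inherited-prototype lookups on a parsed query object, and
// the null-prototype ("plain object") form that avoids them.
// naiveParse is a constructed toy parser, NOT qs; it builds the query object
// with a normal {} prototype, as a naive parser would. With qs, the
// equivalent fix is qs.parse(str, { plainObjects: true }) registered via
// app.set('query parser', fn) (the express setting accepts a function).

// Constructed toy parser used only to build sample input.
function naiveParse(queryString) {
  const out = {};
  for (const pair of queryString.split('&')) {
    if (!pair) continue;
    const idx = pair.indexOf('=');
    const key = decodeURIComponent(idx === -1 ? pair : pair.slice(0, idx));
    const val = decodeURIComponent(idx === -1 ? '' : pair.slice(idx + 1));
    out[key] = val;
  }
  return out;
}

// Re-home every own key (recursively) onto a null-prototype object so a
// property lookup can never fall through to Object.prototype.
function toPlainObject(obj) {
  const plain = Object.create(null);
  for (const key of Object.keys(obj)) {
    const v = obj[key];
    plain[key] = (v !== null && typeof v === 'object') ? toPlainObject(v) : v;
  }
  return plain;
}

// Handler-style read with a plain property lookup: returns the parameter
// value, or null when it is absent. On a {}-prototype object this also
// returns inherited members such as Object.prototype.constructor.
function lookup(query, name) {
  const v = query[name];
  return v === undefined ? null : v;
}

// Defensive read that counts only own properties, independent of the parser.
function lookupOwn(query, name) {
  return Object.prototype.hasOwnProperty.call(query, name) ? query[name] : null;
}

// Hypothetical express-style middleware (not the framework's own code) that
// replaces req.query with a null-prototype copy before handlers run.
function plainQueryMiddleware(req, res, next) {
  req.query = toPlainObject(req.query || {});
  next();
}

// Walk through the three lookups on a constructed query string that does
// not contain a "constructor" parameter at all.
function demo() {
  const raw = naiveParse('name=alice&page=2');
  const unsafe = lookup(raw, 'constructor');      // inherited: a function
  const safeOwn = lookupOwn(raw, 'constructor');  // own-only: null
  const req = { query: raw };
  plainQueryMiddleware(req, {}, () => {});
  const safePlain = lookup(req.query, 'constructor'); // null-prototype: null
  return {
    unsafe: typeof unsafe,
    safeOwn,
    safePlain,
    name: req.query.name,
    prototypeIsNull: Object.getPrototypeOf(req.query) === null,
  };
}

console.log(demo());
```

The unsafe lookup reports a "constructor" parameter that the client never sent; both the own-property check and the null-prototype query report none. Using plainObjects: true in qs removes the class of mistake at the parser, while the own-property check protects individual handlers regardless of which parser is configured.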

Note:

CVE-2024-51999 was rejected by the CVE List with the reason: "This advisory has been withdrawn because it describes a correctness bug, not a vulnerability with real security impact."