Prototype Pollution Vulnerability in Query Parser String NPM Package
CVE-2025-63704

9.8CRITICAL

Key Information:

Vendor: NPM
Status: query-parser-string
Vendor: CVE Published:; 7 May 2026

What is CVE-2025-63704?

The query-parser-string NPM package version 1.0.0 is susceptible to Prototype Pollution due to inadequate sanitization of user-supplied query parameters. This vulnerability allows malicious actors to manipulate the prototype of objects in the application, potentially leading to further exploits or data corruption. Developers using this package should update to a patched version and implement strict validation on user inputs to mitigate risks.

References

https://www.npmjs.com/package/query-string-parser?activeT...

https://github.com/victorteokw/query-string-parser/issues/3

https://gist.github.com/6en6ar/d62f614dbb2b1032b5e45a56fe...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 7, 2026
Vulnerability Reserved
Oct 27, 2025

CVE-2025-63704 Data

JSON