NVD · CVE-2025-63704

CVE-2025-63704

Published: Thu, 07 May 2026 16:16

CVE-2025-63704

Summary

NPM package query-parser-string 1.0.0 is vulnerable to Prototype Pollution. The package does not properly sanitize user supplied query parameters and merges them to the newly created object.

Are YOU affected by CVE-2025-63704?

5-second check on your actual server. Reads /etc/os-release, uname -r, and dpkg-query; matches against the live USN + Debian Security Tracker feeds; tells you whether CVE-2025-63704 (and any other live CVE) applies. Anonymous, no signup.

curl https://mindsparkstack.com/scan.sh | bash

Form-based quickscan Read the bash source first

References

https://gist.github.com/6en6ar/d62f614dbb2b1032b5e45a56fe26ec8b
https://github.com/victorteokw/query-string-parser/issues/3
https://www.npmjs.com/package/query-string-parser?activeTab=readme

Want this automated for your servers?

StackPatch runs this match against YOUR installed packages every hour

Free 1-server / $99 lifetime founder seat (50 only) / $19+/mo monthly. Indie pricing.

Buy lifetime →See StackPatch →Live audit log →