Denial-of-Service Extended Event Loop Blocking in qs

Description

Versions prior to 1.0.0 of qs are affected by a denial of service vulnerability that results from excessive recursion in parsing a deeply nested JSON string.

Recommendation

Update the qs package to the latest compatible version. Followings are version details:

• Affected version(s): < 1.0.0
• Patched version(s): 1.0.0

References

• GHSA-f9cm-p3w6-xvr3
• www.npmjs.com
• CVE-2014-10064
• CWE-400
• CAPEC-310
• OWASP 2021-A6

Related Issues

• Denial-of-Service Memory Exhaustion in qs - CVE-2014-7191
• Regular Expression Denial of Service in validator - CVE-2014-8882
• Parse Server before v3.4.1 vulnerable to Denial of Service - CVE-2019-1020012
• angular vulnerable to regular expression denial of service (ReDoS) - CVE-2022-25844

Tags:

npm

qs