Description
Versions prior to 1.0 of qs are affected by a denial of service condition. This condition is triggered by parsing a crafted string that deserializes into very large sparse arrays, resulting in the process running out of memory and eventually crashing.
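As an added illustration (not qs's own code and not part of this advisory), the following minimal bracket-notation parser shows the mitigation approach qs exposes as its `arrayLimit` option (named in the related issues below): a numeric index above a cap is stored as an ordinary object key, so an input such as `a[1000000000]=x` never materialises a huge sparse array. The cap of 20 and the parser's behaviour are assumptions chosen for the example.

```javascript
// Cap on the numeric index that may create an array slot (assumed default,
// mirrors the idea behind qs's arrayLimit option).
const ARRAY_LIMIT = 20;

// Parse "name=value", "name[]=value" and "name[<digits>]=value" pairs.
// Indices above `limit` (or non-integers) are kept as object keys.
function parseQuery(query, limit = ARRAY_LIMIT) {
  const result = {};
  for (const part of query.split('&')) {
    if (part === '') continue;
    const eq = part.indexOf('=');
    const key = decodeURIComponent(eq === -1 ? part : part.slice(0, eq));
    const value = eq === -1 ? '' : decodeURIComponent(part.slice(eq + 1));
    const m = /^([^[\]]+)\[(\d*)\]$/.exec(key);
    if (m === null) {            // plain scalar key
      result[key] = value;
      continue;
    }
    const [, name, idxText] = m;
    const idx = idxText === '' ? null : Number(idxText);
    // Only small, exact integers (or "[]" push syntax) may become array slots.
    const arrayOk = idx === null || (Number.isSafeInteger(idx) && idx <= limit);
    if (!Object.prototype.hasOwnProperty.call(result, name)) {
      result[name] = arrayOk ? [] : {};
    }
    let target = result[name];
    if (Array.isArray(target) && !arrayOk) {
      // Promote the existing array to an object instead of extending it
      // sparsely up to the oversized index.
      target = Object.assign({}, target);
      result[name] = target;
    }
    if (Array.isArray(target)) {
      if (idx === null) target.push(value); else target[idx] = value;
    } else {
      target[idxText] = value;
    }
  }
  return result;
}

// Report how the parser stored a key: an array with its length, or an object
// with its key count. Useful for checking that no large array was allocated.
function describe(parsed, name) {
  const v = parsed[name];
  return Array.isArray(v)
    ? { kind: 'array', length: v.length }
    : { kind: 'object', keys: Object.keys(v).length };
}
```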
Recommendation
Update the qs package to the latest compatible version. Version details:
- Affected version(s): < 1.0.0
- Patched version(s): 1.0.0
References
- GHSA-jjv7-qpx3-h62q
- www.npmjs.com
- access.redhat.com
- exchange.xforce.ibmcloud.com
- secunia.com
- www-01.ibm.com
- CVE-2014-7191
- CWE-400
- CAPEC-310
- OWASP 2021-A6
Related Issues
- devalue vulnerable to denial of service due to memory/CPU exhaustion in devalue.parse - CVE-2026-22775
- Denial-of-Service Extended Event Loop Blocking in qs - CVE-2014-10064
- Devalue is vulnerable to denial of service due to memory exhaustion in devalue.parse - CVE-2026-22774
- qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion - CVE-2025-15284
Tags
- npm
- qs
Last updated on April 11, 2023