Description
Versions of qs prior to 1.0.0 are affected by a denial of service condition. qs expands bracket notation in a query string (for example a[0]=1) into arrays; a crafted string that places a very large numeric index inside the brackets makes the parser build a sparse array whose length is set by that index, so memory consumption grows with the attacker-chosen index rather than with the size of the request, until the process runs out of memory and crashes. Because frameworks such as Express use qs to parse req.query, an unauthenticated HTTP request carrying such a query string is enough to reach the affected code.
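To make the failure mode concrete, the following is an added example written for this advisory; it is not the qs source. It is a minimal parser for bracket-notation query strings: with arrayLimit set to Infinity it behaves like the affected versions, building an array whose length is the attacker-supplied index plus one, and with the default of 20 it applies the same idea as the arrayLimit option qs 1.0.0 introduced, keeping out-of-range indexes as plain object keys. The names parseQuery, compact, safeDecode and DEFAULT_ARRAY_LIMIT are chosen for this example.

```javascript
// Added example written for this advisory; it is not the qs source. It is a
// minimal parser for bracket-notation query strings that shows why an
// attacker-chosen array index is dangerous, and how bounding it fixes that.

const DEFAULT_ARRAY_LIMIT = 20; // the default qs >= 1.0.0 uses for arrayLimit

// decodeURIComponent throws on malformed escapes; keep the raw text instead
// so a bad '%' sequence cannot become an unhandled exception in the parser.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Parse "a[3]=x&a[]=y&b=z" into an object. `arrayLimit: Infinity` reproduces
// the affected behaviour (every numeric index becomes an array slot); the
// default bounds it the way patched qs does.
function parseQuery(query, { arrayLimit = DEFAULT_ARRAY_LIMIT } = {}) {
  const result = {};
  for (const pair of query.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const rawKey = safeDecode(eq === -1 ? pair : pair.slice(0, eq));
    const value = safeDecode(eq === -1 ? '' : pair.slice(eq + 1));
    const m = /^([^\[\]]+)\[(\d*)\]$/.exec(rawKey);
    if (m === null) {            // plain key, no brackets
      result[rawKey] = value;
      continue;
    }
    const [, key, idx] = m;
    const existing = result[key];
    if (idx === '') {            // a[]=v appends
      const arr = Array.isArray(existing) ? existing : [];
      arr.push(value);
      result[key] = arr;
      continue;
    }
    const index = Number(idx);
    if (index <= arrayLimit && (existing === undefined || Array.isArray(existing))) {
      // Vulnerable path when arrayLimit is unbounded: assigning arr[index]
      // sets arr.length = index + 1, so the attacker controls the length.
      const arr = existing === undefined ? [] : existing;
      arr[index] = value;
      result[key] = arr;
    } else {
      // Hardened path: an index above the limit is kept as a string key on a
      // plain object. No array, so no attacker-controlled length. An existing
      // array is converted to an object (holes are not copied).
      const obj = Array.isArray(existing) ? Object.assign({}, existing)
        : (existing !== null && typeof existing === 'object') ? existing : {};
      obj[idx] = value;
      result[key] = obj;
    }
  }
  return result;
}

// The kind of hole-dropping pass a parser runs after building its arrays.
// Its cost is proportional to arr.length, i.e. to the attacker's index, and a
// step that densifies instead (Array.from, JSON.stringify) allocates a slot
// for every hole, which is what exhausts memory in the affected versions.
function compact(arr) {
  const out = [];
  for (let i = 0; i < arr.length; i++) {
    if (arr[i] !== undefined) out.push(arr[i]);
  }
  return out;
}

// Demo with a million-slot index. Keep it well below 2**32 - 1 (the maximum
// array length) and do not try 1e9 with the unbounded parser.
const vulnerable = parseQuery('a[1000000]=1', { arrayLimit: Infinity });
const hardened = parseQuery('a[1000000]=1');
console.log('unbounded: array of length', vulnerable.a.length,
  'with', Object.keys(vulnerable.a).length, 'populated slot(s)');
console.log('bounded:   object', JSON.stringify(hardened.a));
```

With the unbounded setting a single parameter yields an array of length 1000001 holding one value; with the bound the same parameter yields the object {"1000000":"1"}, and ordinary inputs such as a[0]=x&a[1]=y still parse to arrays. The limit does not change what data is accepted, only how it is represented, which is why raising arrayLimit to accommodate "large" legitimate arrays reopens the problem.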
Recommendation
Update the qs package to the latest compatible version. qs is usually installed as a transitive dependency (Express and body-parser pull it in), so check nested copies with npm ls qs rather than only the direct dependencies listed in package.json. The following are the version details:
- Affected version(s): < 1.0.0
- Patched version(s): 1.0.0
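qs is rarely a direct dependency; it typically arrives through Express, body-parser or similar packages, and npm may install several copies at different nesting depths. The following added example, written for this page and not tooling from the qs project, scans a lockfileVersion 2 or 3 package-lock.json for every qs entry and reports those below 1.0.0. findVulnerableQs, compareVersions and the sample lock file are constructed for the example.

```javascript
// Added example, not part of the advisory: list every copy of qs recorded in
// a package-lock.json (lockfileVersion 2 or 3) and flag any below 1.0.0.
// qs is usually a transitive dependency, so checking package.json alone misses
// nested copies.

const PATCHED = '1.0.0'; // first fixed release, per the advisory

// Compare dotted numeric versions; returns negative, zero or positive.
// Pre-release suffixes are dropped, which is enough for the 0.x releases
// this advisory concerns.
function compareVersions(a, b) {
  const pa = String(a).split('-')[0].split('.').map(Number);
  const pb = String(b).split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Returns [{ path, version }] for each qs entry whose version is < PATCHED.
function findVulnerableQs(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Matches "node_modules/qs" at any nesting depth, not "qs-something".
    if (!/(^|\/)node_modules\/qs$/.test(path)) continue;
    if (typeof entry.version === 'string' && compareVersions(entry.version, PATCHED) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lock file (not taken from a real project): a current qs
// at the top level plus an affected copy nested under an old Express.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo', version: '0.0.1' },
    'node_modules/qs': { version: '6.11.0' },
    'node_modules/express': { version: '3.4.8' },
    'node_modules/express/node_modules/qs': { version: '0.6.6' },
    'node_modules/qs-like': { version: '0.1.0' },
  },
};

// Usage: node find-old-qs.js [path/to/package-lock.json]; without an argument
// the constructed sample is scanned.
if (typeof require === 'function' && typeof process !== 'undefined') {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require('fs').readFileSync(file, 'utf8')) : SAMPLE_LOCK;
  const hits = findVulnerableQs(lock);
  for (const h of hits) console.log(`${h.path}: qs ${h.version} is below ${PATCHED}`);
  console.log(hits.length === 0 ? 'no affected qs copies found'
    : `${hits.length} affected cop${hits.length === 1 ? 'y' : 'ies'}`);
}
```

On the sample it reports only the nested node_modules/express/node_modules/qs at 0.6.6; the top-level 6.11.0 copy passes. npm ls qs gives the same view from the command line. lockfileVersion 1 files record dependencies as a nested dependencies tree rather than the flat packages map and are not handled here.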
References
- GHSA-jjv7-qpx3-h62q
- www.npmjs.com
- access.redhat.com
- exchange.xforce.ibmcloud.com
- secunia.com
- www-01.ibm.com
- CVE-2014-7191
- CWE-400
- CAPEC-310
- OWASP 2021-A6
Related Issues
- qs vulnerable to Prototype Pollution - CVE-2022-24999
- Deserialization of Untrusted Data in bson - CVE-2020-7610
- Cross-site scripting in bootstrap-select - CVE-2019-20921
- XSS vulnerability that affects bootstrap - CVE-2018-20676
Tags
- npm
- qs
Last updated on April 11, 2023