Description
Versions prior to 1.0 of qs are affected by a denial of service condition. This condition is triggered by parsing a crafted string that deserializes into very large sparse arrays, resulting in the process running out of memory and eventually crashing.
Recommendation
Update the qs package to the latest compatible version. Version details:
- Affected version(s): < 1.0.0
- Patched version(s): 1.0.0
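qs is usually pulled in transitively, so confirming the update means checking every copy recorded in the lockfile, not only the top-level dependency. The following is an added example, not code from the advisory or the qs project: it takes a parsed package-lock.json (either the flat `packages` layout or the older nested `dependencies` layout) and reports each qs install below the patched 1.0.0. The sample lockfile and the package names `legacy-app` and `qs-helper` are constructed for illustration.

```javascript
const PATCHED = [1, 0, 0]; // first patched release per this advisory

// True when a "major.minor.patch[-prerelease]" string sorts before 1.0.0.
function isAffected(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(version));
  if (!m) return false; // git/tarball specifiers: review by hand
  const parts = m.slice(1, 4).map(Number);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== PATCHED[i]) return parts[i] < PATCHED[i];
  }
  return Boolean(m[4]); // 1.0.0-rc.x precedes 1.0.0 in semver ordering
}

// Accepts a parsed package-lock.json and returns every affected qs install.
function findAffectedQs(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (/(^|\/)node_modules\/qs$/.test(path) && isAffected(meta.version)) {
        hits.push({ path, version: meta.version });
      }
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (name === 'qs' && isAffected(meta.version)) {
        hits.push({ path, version: meta.version });
      }
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile; "legacy-app" and "qs-helper" are made-up names.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo', version: '1.0.0' },
    'node_modules/qs': { version: '6.11.0' },
    'node_modules/qs-helper': { version: '0.1.0' },
    'node_modules/legacy-app/node_modules/qs': { version: '0.6.6' },
  },
};
console.log(findAffectedQs(sampleLock));
```

To run it against a real project, pass the result of `JSON.parse` on the project's package-lock.json to `findAffectedQs`.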
References
- GHSA-jjv7-qpx3-h62q
- www.npmjs.com
- access.redhat.com
- exchange.xforce.ibmcloud.com
- secunia.com
- www-01.ibm.com
- CVE-2014-7191
- CWE-400
- CAPEC-310
- OWASP 2021-A6
Related Issues
- Denial-of-Service Extended Event Loop Blocking in qs - CVE-2014-10064
- devalue vulnerable to denial of service due to memory/CPU exhaustion in devalue.parse - CVE-2026-22775
- Devalue is vulnerable to denial of service due to memory exhaustion in devalue.parse - CVE-2026-22774
- Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects - CVE-2026-34043
Tags: npm, qs
Last updated on April 11, 2023


