Description
Affected version of qs are vulnerable to Prototype Pollution because it is possible to bypass the protection. The qs.parse function fails to properly prevent an object’s prototype to be altered when parsing arbitrary input. Input containing [ or ] may bypass the prototype pollution protection and alter the Object prototype.
Recommendation
Update the qs package to the latest compatible version. Followings are version details:
Affected version(s): **>= 6.3.0, < 6.3.2 >= 6.2.0, < 6.2.3 >= 6.1.0, < 6.1.2 < 6.0.4** Patched version(s): **6.3.2 6.2.3 6.1.2 6.0.4**
References
- GHSA-gqgv-6jq5-jjj9
- access.redhat.com
- snyk.io
- www.npmjs.com
- CVE-2017-1000048
- CWE-20
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy - CVE-2026-42041
- lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` - lodash-amd - CVE-2026-2950
- lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` - lodash-es - CVE-2026-2950
- lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` - lodash.unset - CVE-2026-2950
You might also like:
- Tags:
- npm
- qs
Anything's wrong? Let us know Last updated on January 09, 2023


