Description
Affected versions of qs are vulnerable to Prototype Pollution because the package's built-in protection can be bypassed. The qs.parse function fails to prevent an object's prototype from being altered when parsing arbitrary (attacker-controlled) input. Input containing [ or ] may bypass the prototype pollution protection and alter Object.prototype, so a property added through a crafted query string becomes visible on every object in the process.
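The following is an added example, not qs's own source or the original advisory's proof of concept: a minimal "a[b][c]=v" bracket-notation parser in two variants that shows the class of bug described above. The vulnerable variant filters prototype property names (constructor, __proto__, toString, ...) only on the first key segment; the hardened variant filters every segment, so a nested key cannot walk from a plain object into Object.prototype. The function names, the parser and the payload strings are all constructed for this example and are not qs's real code paths.

```javascript
// Added example (not qs's own code): a minimal "a[b][c]=v" query-string parser
// in two variants, to show why a prototype-key filter must run on EVERY key
// segment. Filtering only the top-level key (the vulnerable variant) lets a
// nested segment such as "constructor" or "__proto__" reach Object.prototype.
const hasOwn = Object.prototype.hasOwnProperty;

// "a[b][c]" -> ["a", "b", "c"]; square brackets are the only separator.
function splitKey(key) {
  const open = key.indexOf('[');
  if (open === -1) return [key];
  const segments = [key.slice(0, open)];
  const re = /\[([^\]]*)\]/g;
  let m;
  while ((m = re.exec(key.slice(open))) !== null) segments.push(m[1]);
  return segments;
}

// True when `name` already exists as an own property of Object.prototype
// (toString, constructor, hasOwnProperty, the __proto__ accessor, ...).
function isPrototypeKey(name) {
  return hasOwn.call(Object.prototype, name);
}

// Assign `value` at the path `segments` under `root`.
// checkEverySegment = false reproduces the bug class: only segments[0] is
// filtered, so "a[constructor][prototype][x]" passes the check.
function assignPath(root, segments, value, checkEverySegment) {
  const toCheck = checkEverySegment ? segments : segments.slice(0, 1);
  if (toCheck.some(isPrototypeKey)) return false; // key silently dropped
  let cur = root;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    // Inherited properties (e.g. {}.constructor === Object) are not
    // undefined, so the naive walk happily descends into them.
    if (cur[seg] === undefined) cur[seg] = {};
    cur = cur[seg];
  }
  cur[segments[segments.length - 1]] = value;
  return true;
}

function parseQuery(query, { checkEverySegment }) {
  const out = {};
  for (const pair of query.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const rawVal = eq === -1 ? '' : pair.slice(eq + 1);
    assignPath(out, splitKey(decodeURIComponent(rawKey)),
               decodeURIComponent(rawVal), checkEverySegment);
  }
  return out;
}

const vulnerableParse = (query) => parseQuery(query, { checkEverySegment: false });
const hardenedParse = (query) => parseQuery(query, { checkEverySegment: true });

// Feed one payload to a parser and report whether Object.prototype gained a
// new own property. The marker is removed afterwards so the process stays clean.
function pollutes(parse, payload) {
  const marker = 'pollutedByExample';
  delete Object.prototype[marker];
  parse(payload);
  const hit = hasOwn.call(Object.prototype, marker);
  delete Object.prototype[marker];
  return hit;
}

// Constructed payloads: the top-level key "a" is harmless, but the nested
// "constructor" segment walks {} -> Object -> Object.prototype.
const NESTED_PAYLOAD = 'a[constructor][prototype][pollutedByExample]=1';
const PROTO_PAYLOAD = 'a[__proto__][pollutedByExample]=1';
// A prototype key in the top-level position is caught by both variants.
const TOP_LEVEL_PAYLOAD = 'constructor[prototype][pollutedByExample]=1';

console.log('vulnerable, nested:   ', pollutes(vulnerableParse, NESTED_PAYLOAD));
console.log('vulnerable, top-level:', pollutes(vulnerableParse, TOP_LEVEL_PAYLOAD));
console.log('hardened, nested:     ', pollutes(hardenedParse, NESTED_PAYLOAD));
```

The point to take away when reviewing any parser of nested keys: a filter that only looks at the first segment gives a false sense of safety, because the interesting segments are the ones that select an inherited property part way down the path. Checking each segment with hasOwnProperty.call(Object.prototype, name), or building containers with Object.create(null) so there is nothing to inherit, closes that path.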
Recommendation
Update the qs package to the latest compatible version. The affected and patched versions are listed below; the patched version for each minor line is the first release in that line that contains the fix. qs is usually pulled in transitively (for example by express and body-parser), so every nested copy in the dependency tree must be updated, not only a direct dependency.
Affected version(s): **>= 6.3.0, < 6.3.2**; **>= 6.2.0, < 6.2.3**; **>= 6.1.0, < 6.1.2**; **< 6.0.4**
Patched version(s): **6.3.2**, **6.2.3**, **6.1.2**, **6.0.4**
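As an added example (not part of the advisory and not a tool shipped with qs), the script below checks every copy of qs recorded in a package-lock.json against the affected ranges above. The lockfile content, the path layout and the package versions in it are constructed for this example; the range comparison assumes plain x.y.z release versions and does not handle pre-release tags.

```javascript
// Added example (not from the advisory or from qs): audit every qs entry in a
// package-lock.json against the affected ranges listed in the advisory.
// Projects commonly carry several nested copies of qs (under express,
// request, body-parser, ...), so each entry is checked, not just the top one.
const AFFECTED_RANGES = [
  { min: '6.3.0', max: '6.3.2' }, // >= 6.3.0, < 6.3.2
  { min: '6.2.0', max: '6.2.3' }, // >= 6.2.0, < 6.2.3
  { min: '6.1.0', max: '6.1.2' }, // >= 6.1.0, < 6.1.2
  { min: null,    max: '6.0.4' }, // < 6.0.4
];

// Numeric compare of "x.y.z" strings; pre-release suffixes are not handled.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  return AFFECTED_RANGES.some((r) =>
    (r.min === null || compareVersions(version, r.min) >= 0) &&
    compareVersions(version, r.max) < 0);
}

// Collect {path, version} for every qs entry. Lockfile v2/v3 use a flat
// "packages" map keyed by path; lockfile v1 nests "dependencies" recursively.
function findQs(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [path, pkg] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/qs')) hits.push({ path, version: pkg.version });
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, dep] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'qs') hits.push({ path, version: dep.version });
      walk(dep.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

function audit(lock) {
  return findQs(lock).map((h) => ({ ...h, affected: isAffected(h.version) }));
}

// Constructed lockfile v1 fragment with three copies of qs at different versions.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    express: { version: '4.14.0', dependencies: { qs: { version: '6.2.0' } } },
    request: { version: '2.81.0', dependencies: { qs: { version: '6.4.0' } } },
    qs: { version: '6.3.1' },
  },
};

for (const hit of audit(SAMPLE_LOCK)) {
  console.log(`${hit.path} ${hit.version} ${hit.affected ? 'AFFECTED' : 'ok'}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8')); the same walk works for the "packages" map of lockfile v2 and v3.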
References
- GHSA-gqgv-6jq5-jjj9
- access.redhat.com
- snyk.io
- www.npmjs.com
- CVE-2017-1000048
- CWE-20
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- counterpart vulnerable to prototype pollution - CVE-2025-57354
- qs vulnerable to Prototype Pollution - CVE-2022-24999
- Parse Server has an OAuth login vulnerability - CVE-2025-30168
- Use of Insufficiently Random Values in undici - CVE-2025-22150
Tags: npm, qs
Last updated on January 09, 2023