Description
Affected versions of qs are vulnerable to Prototype Pollution because the protection against it can be bypassed. The qs.parse function fails to prevent an object's prototype from being altered when parsing arbitrary input. Input containing [ or ] may bypass the prototype pollution protection and alter the Object prototype.
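As an added example (not code from the qs project), the snippet below contrasts a key filter that only inspects the raw top-level key, which bracket notation slips past, with one applied to every bracket segment, and wraps a minimal bracket-notation parser in a regression canary that confirms Object.prototype is unchanged after parsing untrusted input. The parser, the RESERVED set and the function names are assumptions for illustration, not qs's API.

```javascript
// Added example, not qs's own code. Reserved names that must never become
// a key segment when building nested objects from query-string input.
const RESERVED = new Set(['__proto__', 'constructor', 'prototype']);

// Split "a[b][c]" into its textual segments regardless of how the brackets
// are arranged, so a leading or stray bracket cannot hide a segment.
function keySegments(rawKey) {
  return rawKey.match(/[^\[\]]+/g) || [''];
}

// Weak check (illustrative): only looks at the whole raw key, so a reserved
// name inside or in front of brackets is not noticed.
function naiveKeyIsSafe(rawKey) {
  return !RESERVED.has(rawKey);
}

// Hardened check: every bracket segment must be a non-reserved name.
function keyIsSafe(rawKey) {
  return !keySegments(rawKey).some((seg) => RESERVED.has(seg));
}

// Minimal bracket-notation parser using the hardened check. Results live in
// null-prototype objects, so no inherited Object.prototype member can be
// reached or shadowed, and an unsafe pair is dropped rather than partially applied.
function parseQuery(query) {
  const result = Object.create(null);
  for (const pair of query.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const rawKey = decodeURIComponent(eq === -1 ? pair : pair.slice(0, eq));
    const value = decodeURIComponent(eq === -1 ? '' : pair.slice(eq + 1));
    if (!keyIsSafe(rawKey)) continue;
    const segs = keySegments(rawKey);
    let node = result;
    for (const seg of segs.slice(0, -1)) {
      // Null-prototype objects have no inherited members, so this is an own-property check.
      if (typeof node[seg] !== 'object') node[seg] = Object.create(null);
      node = node[seg];
    }
    node[segs[segs.length - 1]] = value;
  }
  return result;
}

// Regression canary: Object.prototype's own property names must be identical
// before and after the parser runs over untrusted input.
function prototypeUnchangedBy(fn) {
  const snapshot = () => Object.getOwnPropertyNames(Object.prototype).sort().join('\n');
  const before = snapshot();
  fn();
  return snapshot() === before;
}
```

The canary is cheap enough to keep in a test suite around whichever parser a project actually uses, so a future regression of the protection is caught before deployment.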
Recommendation
Update the qs package to the latest compatible version. Version details:
- Affected version(s): **>= 6.3.0, < 6.3.2**; **>= 6.2.0, < 6.2.3**; **>= 6.1.0, < 6.1.2**; **< 6.0.4**
- Patched version(s): **6.3.2**, **6.2.3**, **6.1.2**, **6.0.4**
References
- GHSA-gqgv-6jq5-jjj9
- access.redhat.com
- snyk.io
- www.npmjs.com
- CVE-2017-1000048
- CWE-20
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- qs vulnerable to Prototype Pollution - CVE-2022-24999
- Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy - CVE-2026-42041
- DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback - CVE-2026-41238
- lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` - lodash-amd - CVE-2026-2950
Tags:
- npm
- qs
Last updated on January 09, 2023