qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays
- Severity: Medium
Description
qs.stringify throws TypeError when called with arrayFormat: 'comma' and encodeValuesOnly: true on an array containing null or undefined. The throw is synchronous and not handled by any of qs’s null-related options (skipNulls, strictNullHandling).
Recommendation
Update the qs package to the latest compatible version. Version details:
- Affected version(s): >= 6.11.1, <= 6.15.1
- Patched version(s): 6.15.2
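Until the upgrade is deployed, a caller can keep null/undefined array entries away from the serializer and contain the synchronous throw. The following is an added example, not code from qs or from this advisory: `stripNullishArrayEntries`, `safeStringify` and `standInStringify` are hypothetical names, the stand-in serializer is constructed so the block runs without qs installed, and it assumes that dropping such entries from the output is acceptable for the application.

```javascript
// Added example: a guard placed in front of a query-string serializer.
// stripNullishArrayEntries and safeStringify are hypothetical names, not qs APIs.

// Return a copy of `value` with null/undefined (and holes) removed from every
// array, at any depth. Null object properties are kept: the advisory concerns
// array entries only.
function stripNullishArrayEntries(value, path = new WeakSet()) {
  if (value === null || typeof value !== 'object') return value;
  if (path.has(value)) return value; // cycle: leave it for the serializer to reject
  const proto = Object.getPrototypeOf(value);
  const plain = proto === Object.prototype || proto === null;
  if (!Array.isArray(value) && !plain) return value; // Date, Buffer, ...
  path.add(value);
  const result = Array.isArray(value)
    ? value.filter((v) => v !== null && v !== undefined)
        .map((v) => stripNullishArrayEntries(v, path))
    // Object.fromEntries defines own properties, so a "__proto__" key stays data.
    : Object.fromEntries(Object.entries(value)
        .map(([k, v]) => [k, stripNullishArrayEntries(v, path)]));
  path.delete(value); // track the current path only, so shared arrays are cleaned too
  return result;
}

// Call `stringify` on sanitized data and turn any synchronous throw into a
// result the request handler can act on, instead of an uncaught exception.
// With qs: safeStringify(qs.stringify, data,
//                        { arrayFormat: 'comma', encodeValuesOnly: true })
function safeStringify(stringify, data, options) {
  try {
    return { ok: true, query: stringify(stripNullishArrayEntries(data), options) };
  } catch (err) {
    return { ok: false, error: err instanceof Error ? err.message : String(err) };
  }
}

// Constructed stand-in (NOT qs): joins arrays with commas and throws TypeError
// on a null/undefined value, the failure mode the advisory describes.
function standInStringify(obj) {
  return Object.entries(obj).map(([k, v]) => {
    const items = Array.isArray(v) ? v : [v];
    return `${k}=${items.map((i) => encodeURIComponent(i.toString())).join(',')}`;
  }).join('&');
}
```

The `ok: false` branch is the place to log the rejected input and return a 4xx response rather than let the error reach the process-level handler.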
References
Related Issues
- Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries - CVE-2026-32728
- parse-server has GraphQL complexity validator exponential fragment traversal DoS - CVE-2026-34573
- Elysia has a string URL format ReDoS - CVE-2026-30837
- PostCSS has XSS via Unescaped </style> in its CSS Stringify Output - CVE-2026-41305
- Tags: npm, qs
Last updated on May 22, 2026


