qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays
- Severity:
- Medium
Description
qs.stringify throws TypeError when called with arrayFormat: 'comma' and encodeValuesOnly: true on an array containing null or undefined. The throw is synchronous and not handled by any of qs’s null-related options (skipNulls, strictNullHandling).
Recommendation
Update the qs package to the latest compatible version. Followings are version details:
- Affected version(s): >= 6.11.1, <= 6.15.1
- Patched version(s): 6.15.2
References
Related Issues
- Astro has memory exhaustion DoS due to missing request body size limit in Server Actions - CVE-2026-27729
- LiquidJS has a renderLimit DoS guard bypass via empty `{% for %}` body - CVE-2026-44645
- parse-server has GraphQL complexity validator exponential fragment traversal DoS - CVE-2026-34573
- Elysia has a string URL format ReDoS - CVE-2026-30837
You might also like:
- Tags:
- npm
- qs
Anything's wrong? Let us know Last updated on May 22, 2026


