30 matches found
CVE-2026-46102
net: strparser: fix skbhead leak in strpabortstrp...
friendly-frame (>=0.0.1 <=0.0.2) potentially affected by CVE-2025-63704 via query-string-parser (=0.2.4)
query-string-parser NPM version =0.2.4 is affected by a known vulnerability. The following packages have a transitive dependency on query-string-parser and may be impacted: - friendly-frame =0.0.1, =0.0.2 Source cves: CVE-2025-63704 Source advisory: SNYK:JS-QUERYSTRINGPARSER-17181191...
Prototype Pollution
Overview query-string-parser is a Rack style query string parser for Node.js. Affected versions of this package are vulnerable to Prototype Pollution via the fillValue function. An attacker can modify the prototype of built-in objects by supplying crafted query parameters. Details Prototype...
Query String Parser 安全漏洞
Query String Parser is a JavaScript tool for parsing query strings developed by Victor Teo. Version 1.0.0 of Query String Parser has a security vulnerability. This vulnerability arises from improper cleaning of query parameters provided by users and their merging into newly created objects, which...
qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion
Summary The arrayLimit option in qs did not enforce limits for bracket notation a=1&a=2, only for indexed notation a0=1. This is a consistency bug; arrayLimit should apply uniformly across all array notations. Note: The default parameterLimit of 1000 effectively mitigates the DoS scenario...
AZL-73359 CVE-2025-15284 affecting package nodejs-nodemon 2.0.3-4
Improper Input Validation vulnerability in qs parse modules allows HTTP DoS.This issue affects qs: 6.14.1. Summary The arrayLimit option in qs did not enforce limits for bracket notation a=1&a=2, only for indexed notation a0=1. This is a consistency bug; arrayLimit should apply uniformly across a...
ljharb qs 安全漏洞
ljharb qs is a query string parser with nesting support by Jordan Harband, an individual developer in the United States. A security vulnerability exists in ljharb qs versions prior to 6.14.1 that stems from improper input validation and could lead to an HTTP denial of service attack...
[SECURITY] Fedora 43 Update: python-cron-converter-1.2.2-1.fc43
Cron-converter provides a Cron string parser from string/lists to string/lists and iteration for the datetime object with a cron like format...
CVE-2022-50265
CVE-2022-50265 pertains to the Linux kernel and concerns data races in the kernel crypto/messaging flow involving kcm->rx_wait and kcm->rx_psock. The description states that kcm->rx_psock can be read locklessly in kcm_rfree(), and the issue was mitigated by annotating the corresponding r...
Malicious code in string-parser-utils (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 748b70284192ad043f664c6c220fd7416d86a39d02bee5c30e6181172b814688 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2025-5958 Malicious code in string-parser-utils (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 748b70284192ad043f664c6c220fd7416d86a39d02bee5c30e6181172b814688 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
SUSE CVE-2025-37756
In the Linux kernel, the following vulnerability has been resolved: net: tls: explicitly disallow disconnect syzbot discovered that it can disconnect a TLS socket and then run into all sort of unexpected corner cases. I have a vague recollection of Eric pointing this out to us a long time ago...
OESA-2024-1403 nodejs-qs security update
This is a query string parser for node and the browser supporting nesting, as it was removed from 0.3.x, so this library provides the previous and commonly desired behavior and twice as fast. Used by express, connect and others. Security Fixes: qs before 6.10.3, as used in Express before 4.17.3 a...
SUSE CVE-2009-0490
Stack-based buffer overflow in the Stringparse::getnonspacequoted function in lib-src/allegro/strparse.cpp in Audacity 1.2.6 and other versions before 1.3.6 allows remote attackers to cause a denial of service crash and possibly execute arbitrary code via a .gro file containing a long string...
CVE-2023-25166
formula is a math and string formula parser. In versions prior to 3.0.1 crafted user-provided strings to formula's parser might lead to polynomial execution time and a denial of service. Users should upgrade to 3.0.1+. There are no known workarounds for this vulnerability...
PT-2022-17038
Name of the Vulnerable Software and Affected Versions qs versions prior to 6.10.3 Express versions prior to 4.17.3 Description The issue allows attackers to cause a Node process hang for an Express application because an proto key can be used. In many typical Express use cases, an unauthenticated...
querymen 安全漏洞
querymen is an individual developer's query string parser middleware for MongoDB, Express, and Nodejs. A security vulnerability exists in querymen that stems from the middleware's susceptibility to prototype contamination...
Popular NPM Package Hijacked to Publish Crypto-mining Malware
The U.S. Cybersecurity and Infrastructure Security Agency on Friday warned of crypto-mining and password-stealing malware embedded in "UAParser.js," a popular JavaScript NPM library with over 6 million weekly downloads, days after the NPM repository moved to get rid of three rogue packages that...
Regular Expression Denial Of Service (ReDoS)
ua-parser-js is vulnerable to regular expression denial of service ReDoS. The vulnerability exists because the string parser does not use proper regular expressions to filter out malicious strings passing to it...
ljharb's qs module input validation vulnerability
A web framework is a framework used to support the development of dynamic websites, web applications, and web services. qs module is a string query parsing module used by developers when building web frameworks. A denial of service vulnerability exists in ljharb's qs module. An attacker could...