5 matches found
CVE-2022-24999
CVE-2022-24999 affects the qs library prior to 6.10.3 used by Express before 4.17.3, enabling prototype poisoning via a[proto ] in query strings that can hang a Node process. An unauthenticated remote attacker can place the payload in the URL query. The advisory notes backported fixes to qs versi...
CVE-2025-15284
CVE-2025-15284 is a vulnerability in the qs library (parse modules) where the arrayLimit check does not apply to bracket notation (a[]=...) as in the vulnerable code path (lib/parse.js:159-162). The issue enables potential DoS via memory exhaustion by creating larger-than-expected arrays, though ...
CVE-2017-1000048
CVE-2017-1000048 applies to ljharb’s qs module; older versions v6.0.4, v6.1.2, v6.2.3 and v6.3.1 (i.e., older than v6.3.2) are vulnerable to a DoS where a malicious request can crash the application. The connected documents corroborate a Denial of Service impact via input handling in qs, and indi...
CVE-2026-2391
CVE-2026-2391 : The qs library vulnerability arises when using comma parsing (comma: true). The code bypasses the arrayLimit check by returning val.split(',') before the limit, allowing creation of very large arrays from a single parameter (e.g., ?param=a,b,c with a high density of commas). This ...
CVE-2014-10064
CVE-2014-10064 affects the qs module prior to 1.0.0. The vulnerability causes excessive recursion/looping when parsing deeply nested objects, blocking the Node.js event loop and enabling a temporary denial-of-service in web applications. Affected component: qs (used for parsing strings/JSON). Roo...