3 matches found
CVE-2022-24999
CVE-2022-24999 affects the qs library prior to 6.10.3 used by Express before 4.17.3, enabling prototype poisoning via a[proto ] in query strings that can hang a Node process. An unauthenticated remote attacker can place the payload in the URL query. The advisory notes backported fixes to qs versi...
CVE-2025-15284
CVE-2025-15284 is a vulnerability in the qs library (parse modules) where the arrayLimit check does not apply to bracket notation (a[]=...) as in the vulnerable code path (lib/parse.js:159-162). The issue enables potential DoS via memory exhaustion by creating larger-than-expected arrays, though ...
CVE-2014-10064
CVE-2014-10064 affects the qs module prior to 1.0.0. The vulnerability causes excessive recursion/looping when parsing deeply nested objects, blocking the Node.js event loop and enabling a temporary denial-of-service in web applications. Affected component: qs (used for parsing strings/JSON). Roo...