Body-parser is the Node.js middleware that parses incoming request bodies (JSON, URL-encoded, raw and text) before they reach route handlers. Comparing versions 1.6.6 and 1.6.7 shows a single functional difference: the qs dependency, which body-parser uses to parse URL-encoded bodies into nested objects, is bumped from 2.2.0 to 2.2.2. This comparison does not record what that bump contains, so treat it as a dependency patch rather than a behavioural change. The remaining runtime dependencies (depd, bytes, type-is, raw-body, iconv-lite, media-typer and on-finished) and the development dependencies (mocha, should, istanbul and supertest) are identical between the two releases, so the test and coverage setup is unchanged. The step from 1.6.6 to 1.6.7 is a patch release and can be applied without expecting breaking changes.

That does not make either release safe to run today. qs 2.2.2 predates every fixed qs line listed in the advisories below, and body-parser 1.6.7 is far below the 1.20.3 release that patched its own URL-encoding denial of service. Anything that feeds untrusted URL-encoded input through body-parser 1.6.x (with any of these qs versions) remains exposed to the issues listed on this page.
All vulnerabilities affecting version 1.6.7 of the package, including those inherited from its qs dependency
body-parser vulnerable to denial of service when url encoding is enabled
body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service.
This issue is patched in 1.20.3; body-parser 1.6.7, the subject of this page, is affected.
Prototype Pollution Protection Bypass in qs
Affected versions of qs are vulnerable to prototype pollution because the protection can be bypassed. The qs.parse function fails to properly prevent an object's prototype from being altered when parsing arbitrary input. Input containing a [ or ] character may bypass the prototype pollution protection and alter the Object prototype. This allows attackers to override properties that will exist in all objects, which may lead to denial of service or remote code execution in specific circumstances.
Upgrade to 6.0.4, 6.1.2, 6.2.3, 6.3.2 or later.
qs vulnerable to Prototype Pollution
qs before 6.10.3 allows attackers to cause a Node process hang because an __proto__ key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.
Body-parser 1.6.7 pins qs 2.2.2, which is older than every fixed line above, so this advisory applies to it. Because body-parser runs URL-encoded request bodies through qs, the same payload can be delivered in a POST body rather than in the URL's query string.