Qs is a querystring parser library available on npm. Version 0.0.3, released on February 9th, 2011, offers a minor update over version 0.0.2, which was released just two days prior, on February 7th, 2011. Both versions maintain the same core functionality: parsing querystrings. They share identical descriptions, declaring themselves simply as "querystring parser." The author remains consistent: TJ Holowaychuk, with the same contact information.
If you're already using qs for basic querystring parsing, the upgrade from 0.0.2 to 0.0.3 is a very incremental change; given the two-day release gap, the differences were likely small bug fixes or internal improvements. The metadata provided does not detail the specific differences between the versions, but the update suggests a commitment to maintaining and refining the core functionality. Developers considering qs for their project should note that these early versions provide only a foundational querystring parsing capability. Since these versions are quite old, developers should prefer newer, actively maintained versions of the library, which typically include bug fixes, security patches, and performance enhancements. Check for the latest version and review the changelogs available on npm or in the project's repository.
All vulnerabilities affecting version 0.0.3 of the package
Denial-of-Service Extended Event Loop Blocking in qs
Versions of qs prior to 1.0.0 are affected by a denial of service vulnerability that results from excessive recursion when parsing a deeply nested JSON string.
Update to version 1.0.0 or later.
Denial-of-Service Memory Exhaustion in qs
Versions of qs prior to 1.0 are affected by a denial of service condition. This condition is triggered by parsing a crafted string that deserializes into very large sparse arrays, resulting in the process running out of memory and eventually crashing.
Update to version 1.0.0 or later.
Prototype Pollution Protection Bypass in qs
Affected versions of qs are vulnerable to Prototype Pollution because the existing protection can be bypassed. The qs.parse function fails to properly prevent an object's prototype from being altered when parsing arbitrary input. Input containing the characters [ or ] may bypass the prototype pollution protection and alter the Object prototype. This allows attackers to override properties that will exist in all objects, which may lead to Denial of Service or Remote Code Execution in specific circumstances.
Upgrade to 6.0.4, 6.1.2, 6.2.3, 6.3.2 or later.
qs vulnerable to Prototype Pollution
qs before 6.10.3 allows attackers to cause a Node process hang because an __proto__ key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.