Qs is a lightweight and simple querystring parser library for Node.js and browsers, designed for ease of use in handling URL query parameters. Versions 0.0.3 and 0.0.4, both released on February 9th, 2011, share the same core functionality and intent: parsing and stringifying URL query strings. Both versions are authored by TJ Holowaychuk and described as a "querystring parser". They are both very early versions of the library.
While the core functionality remains the same, version 0.0.4 was released approximately 20 hours after version 0.0.3, suggesting that 0.0.4 likely includes some minor fixes or improvements over its predecessor. Anyone choosing between them should bear in mind how close together they were released. For developers seeking a reliable solution for managing URL query strings, qs offers a foundational tool. However, given the age of these specific versions and the availability of more recent and actively maintained iterations of the qs library, developers might benefit from evaluating newer releases that incorporate bug fixes, performance enhancements, and potentially expanded feature sets.
The library's simplicity makes it easy to integrate into projects requiring querystring manipulation, but evaluating the historical context and the rapid succession of these early releases is advised when selecting a version. Modern versions are of course the recommended choice for new projects.
All the vulnerabilities related to version 0.0.4 of the package
Denial-of-Service Extended Event Loop Blocking in qs
Versions prior to 1.0.0 of qs are affected by a denial of service vulnerability that results from excessive recursion in parsing a deeply nested JSON string.
Update to version 1.0.0 or later.
Denial-of-Service Memory Exhaustion in qs
Versions prior to 1.0 of qs are affected by a denial of service condition. This condition is triggered by parsing a crafted string that deserializes into very large sparse arrays, resulting in the process running out of memory and eventually crashing.
Update to version 1.0.0 or later.
Prototype Pollution Protection Bypass in qs
Affected versions of qs are vulnerable to Prototype Pollution because it is possible to bypass the protection. The qs.parse function fails to properly prevent an object's prototype from being altered when parsing arbitrary input. Input containing [ or ] may bypass the prototype pollution protection and alter the Object prototype. This allows attackers to override properties that will exist in all objects, which may lead to Denial of Service or Remote Code Execution in specific circumstances.
Upgrade to 6.0.4, 6.1.2, 6.2.3, 6.3.2 or later.
qs vulnerable to Prototype Pollution
qs before 6.10.3 allows attackers to cause a Node process hang because an __proto__ key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.