Qs is a lightweight querystring parsing and stringifying library for Node.js and browsers. Version 0.0.5 followed closely on version 0.0.4 during the library's earliest, rapidly iterating phase, and both versions offer the same core functionality: parsing and stringifying URL query strings, including the bracket notation for nested objects and arrays (a[b]=c, a[0]=x). These early releases were authored by TJ Holowaychuk, known for a number of other widely used JavaScript tools. No release notes are available to pinpoint the changes between 0.0.4 and 0.0.5; a patch-level bump at this stage usually means bug fixes or minor API tweaks rather than new features, but that is an inference, not a documented fact. Developers considering qs 0.0.5 should treat it as a very early, long-superseded release. Parsing query strings is a perennial need, but for any application exposed to untrusted input the library should be weighed against current versions and alternatives that receive security fixes and active maintenance. A small, single-purpose dependency is still attractive where minimal dependencies matter, so the decisive question is whether the old release is exposed to known vulnerabilities. It is: version 0.0.5 falls inside the affected range of every advisory listed below, so it should not be used to parse untrusted input.
All known vulnerabilities affecting version 0.0.5 of the package
Denial-of-Service Extended Event Loop Blocking in qs
Versions of qs prior to 1.0.0 are affected by a denial of service vulnerability that results from excessive recursion when parsing a deeply nested query string (a key such as a[b][c][d]... with a very large number of bracket levels). Because Node.js parses the query string on the main thread, a single crafted request blocks the event loop for every other client while the recursion runs.
Update to version 1.0.0 or later. Version 1.0.0 introduced a depth option (default 5) that caps how many bracket levels are parsed.
Denial-of-Service Memory Exhaustion in qs
Versions of qs prior to 1.0.0 are affected by a denial of service condition. It is triggered by parsing a crafted string whose array indices deserialize into very large sparse arrays (for example a[999999999]=x), so that iterating or compacting the result causes the process to run out of memory and crash.
Update to version 1.0.0 or later. Version 1.0.0 introduced an arrayLimit option (default 20); indices above the limit are stored as plain object keys instead of array slots.
Prototype Pollution Protection Bypass in qs
Affected versions of qs are vulnerable to Prototype Pollution because the existing protection can be bypassed. The qs.parse function fails to properly prevent an object's prototype from being altered when parsing arbitrary input: input containing [ or ] may bypass the prototype pollution protection and alter Object.prototype. This lets an attacker set properties that then exist on every object in the process, which may lead to Denial of Service or, in specific circumstances, Remote Code Execution.
Upgrade to 6.0.4, 6.1.2, 6.2.3, 6.3.2 or later.
qs vulnerable to Prototype Pollution
qs before 6.10.3 allows attackers to cause a Node.js process to hang because a __proto__ key can be used in the parsed input. In many typical web framework use cases an unauthenticated remote attacker can place the payload in the query string of the URL used to visit the application, for example a[__proto__]=b&a[__proto__]&a[length]=100000000.
Upgrade to 6.10.3 or later. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.