The qs library, a query string parser for Node.js and browsers, saw a version increment from 0.4.0 to 0.4.1 that refined existing functionality rather than changing its scope. Both versions share the same core functionality: parsing and stringifying URL query strings. Developers using either version can rely on it to transform complex query strings into JavaScript objects and back, which makes it straightforward to move structured data through web application URLs. Key features include support for nested objects and arrays within the query string format.
While the fundamental functionality remained consistent, the update from 0.4.0 (released November 22, 2011) to 0.4.1 (released January 26, 2012) likely included bug fixes, performance improvements, or edge-case handling enhancements. The absence of specific changelog details suggests subtle refinements rather than major feature additions. Developers looking for the most stable and up-to-date version within the 0.4.x series would benefit from using 0.4.1. For developers needing a battle-tested library for URL query string parsing, either version provides the basic functionality they need, but 0.4.1 is recommended because of those incremental improvements. Both versions are lightweight, install with no dependencies on other packages, and are easy to integrate into any project that needs to build or parse URL query strings.
All the vulnerabilities related to version 0.4.1 of the package
Denial-of-Service Extended Event Loop Blocking in qs
Versions prior to 1.0.0 of qs are affected by a denial of service vulnerability that results from excessive recursion in parsing a deeply nested JSON string.
Update to version 1.0.0 or later.
Denial-of-Service Memory Exhaustion in qs
Versions prior to 1.0 of qs are affected by a denial of service condition. This condition is triggered by parsing a crafted string that deserializes into very large sparse arrays, resulting in the process running out of memory and eventually crashing.
Update to version 1.0.0 or later.
Prototype Pollution Protection Bypass in qs
Affected versions of qs are vulnerable to Prototype Pollution because it is possible to bypass the protection. The qs.parse function fails to properly prevent an object's prototype from being altered when parsing arbitrary input. Input containing [ or ] may bypass the prototype pollution protection and alter the Object prototype. This allows attackers to override properties that will exist in all objects, which may lead to Denial of Service or Remote Code Execution in specific circumstances.
Upgrade to 6.0.4, 6.1.2, 6.2.3, 6.3.2 or later.
qs vulnerable to Prototype Pollution
qs before 6.10.3 allows attackers to cause a Node process hang because an __proto__ key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.