qs is a popular npm package for parsing and stringifying URL query strings. Versions 0.5.4 and 0.5.5 are incremental releases of this widely used utility. The core functionality is the same in both: parsing complex query strings into JavaScript objects and serializing objects back into query strings. The revisions likely address bug fixes, performance enhancements, or minor feature tweaks.
Developers using qs should note the release dates: version 0.5.5 was released on March 20, 2013, just five days after version 0.5.4 (March 15, 2013). This short interval suggests the fixes or improvements in v0.5.5 are focused and important, perhaps addressing specific issues found in v0.5.4. Both releases use mocha and expect.js for testing, suggesting a well-tested codebase. The author, TJ Holowaychuk, is the same for both versions and links to his website in the package metadata. The repository URL is unchanged, which indicates no substantial restructuring occurred between versions. Developers consuming this package should test the upgrade from 0.5.4 to 0.5.5 in their own environment to verify that the changes resolve any issues specific to that environment.
All known vulnerabilities affecting version 0.5.5 of the package
Denial-of-Service Extended Event Loop Blocking in qs
Versions prior to 1.0.0 of qs are affected by a denial of service vulnerability that results from excessive recursion in parsing a deeply nested JSON string.
Update to version 1.0.0 or later.
Denial-of-Service Memory Exhaustion in qs
Versions prior to 1.0 of qs are affected by a denial of service condition. This condition is triggered by parsing a crafted string that deserializes into very large sparse arrays, resulting in the process running out of memory and eventually crashing.
Update to version 1.0.0 or later.
Prototype Pollution Protection Bypass in qs
Affected versions of qs are vulnerable to Prototype Pollution because the built-in protection can be bypassed. The qs.parse function fails to properly prevent an object's prototype from being altered when parsing arbitrary input. Input containing [ or ] may bypass the prototype pollution protection and alter the Object prototype. This allows attackers to override properties that will exist in all objects, which may lead to Denial of Service or Remote Code Execution in specific circumstances.
Upgrade to 6.0.4, 6.1.2, 6.2.3, 6.3.2 or later.
qs vulnerable to Prototype Pollution
qs before 6.10.3 allows attackers to cause a Node process hang because an __proto__ key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.