Qs is a popular npm package designed for parsing and stringifying URL query strings with advanced features. These two versions, 1.2.0 and 1.2.1, represent a minor update in the library's development. Both versions share the same core functionality: providing a robust querystring parser that handles nested objects and arrays within URLs, a capability often lacking in simpler querystring implementations. This makes qs especially valuable for developers working with complex data structures in URL parameters.
The primary distinction between the versions lies in their release dates, with version 1.2.1 released approximately two days after 1.2.0. While the provided data does not explicitly detail the changes included in 1.2.1, minor version updates commonly address bug fixes, performance improvements, or small feature enhancements. Developers using qs should consider upgrading to the latest minor version (1.2.1 in this case) to benefit from these potential improvements and to run the most stable and reliable version of the library. Both versions list "lab" as a devDependency, suggesting that the library is tested using the Lab testing framework. The package is authored by Nathan LaFreniere and maintained on GitHub, signaling an open and community-driven approach to development. Before adopting this library, examine the changelog, which is generally available in the git repository, for fine-grained details about the quality improvements and fixed bugs.
All vulnerabilities affecting version 1.2.1 of the package
Prototype Pollution Protection Bypass in qs
Affected versions of qs are vulnerable to Prototype Pollution because it is possible to bypass the protection. The qs.parse function fails to properly prevent an object's prototype from being altered when parsing arbitrary input. Input containing "[" or "]" may bypass the prototype pollution protection and alter the Object prototype. This allows attackers to override properties that will exist in all objects, which may lead to Denial of Service or Remote Code Execution in specific circumstances.
Upgrade to 6.0.4, 6.1.2, 6.2.3, 6.3.2 or later.
qs vulnerable to Prototype Pollution
qs before 6.10.3 allows attackers to cause a Node process hang because an __proto__ key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.