Qs is a popular npm package for parsing and stringifying URL query strings, with support for nested objects and arrays. Versions 2.2.0 and 2.2.1 are closely related releases, differing primarily in their release dates: version 2.2.0 was released on August 27, 2014, and version 2.2.1 followed on August 28, 2014. Both versions share the same core functionality, a querystring parser that handles nested data structures in URLs and exposes a configurable depth limit. The developer dependencies, specifically "lab":"3.x.x", identify the test framework and are the same in both versions. The repository details point to the hapijs/qs GitHub repository, where the source code can be found and contributions made. The author, Nathan LaFreniere, is unchanged, indicating no change in maintainership. Although the difference between these versions is probably minimal (bug fixes or minor improvements), developers should refer to the changelog or release notes in the GitHub repository to learn the precise changes made in version 2.2.1 relative to 2.2.0. For new projects, using the latest stable version of 'qs' is generally recommended in order to benefit from the latest features and bug fixes.
All vulnerabilities affecting version 2.2.1 of the package
Prototype Pollution Protection Bypass in qs
Affected versions of qs are vulnerable to Prototype Pollution because it is possible to bypass the protection. The qs.parse function fails to properly prevent an object's prototype from being altered when parsing arbitrary input. Input containing [ or ] may bypass the prototype pollution protection and alter the Object prototype. This allows attackers to override properties that will exist in all objects, which may lead to Denial of Service or Remote Code Execution in specific circumstances.
Upgrade to 6.0.4, 6.1.2, 6.2.3, 6.3.2 or later.
qs vulnerable to Prototype Pollution
qs before 6.10.3 allows attackers to cause a Node process hang because an __proto__ key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.