The npm package qs provides a robust query string parsing solution for JavaScript environments, letting developers handle nested objects and arrays within URL query parameters. Versions 2.2.1 and 2.2.2 look nearly identical at first glance but differ in ways worth considering. Both maintain the core functionality of parsing complex query strings with configurable depth limits, ensuring consistent handling of nested data structures. Both versions share the same dependencies (none) and development dependencies ("lab": "3.x.x"), suggesting a focus on testing and stability.
The key difference lies in their release dates. Version 2.2.2 was published on August 29, 2014, one day after version 2.2.1, which was released on August 28, 2014. While no changelog is provided, a one-day gap typically indicates a bug fix, minor improvement, or patch addressing an issue discovered shortly after the 2.2.1 release.
For developers, this suggests a potentially more refined and stable experience with version 2.2.2. It is generally advisable to adopt the latest patch version (2.2.2 in this case) when integrating qs into a project. Even without explicit details about the changes, the quick succession points to a reactive fix for problems found immediately after release. When adopting qs for a new project or evaluating an upgrade, prefer 2.2.2 to benefit from any enhancements and fixes it carries. The package serves both server-side (Node.js) and client-side JavaScript applications.
All vulnerabilities reported against version 2.2.2 of the package:

Prototype Pollution Protection Bypass in qs

Affected versions of qs are vulnerable to Prototype Pollution because it is possible to bypass the protection. The qs.parse function fails to properly prevent an object's prototype from being altered when parsing arbitrary input. Input containing [ or ] may bypass the prototype pollution protection and alter the Object prototype. This allows attackers to override properties that will exist in all objects, which may lead to Denial of Service or Remote Code Execution in specific circumstances.
Upgrade to 6.0.4, 6.1.2, 6.2.3, 6.3.2 or later.
qs vulnerable to Prototype Pollution

qs before 6.10.3 allows attackers to cause a Node process hang because an __proto__ key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.