qs is a popular npm package used for parsing and stringifying URL query strings, offering robust support for nested objects and arrays. Version 2.2.3 builds upon the foundation of version 2.2.2, providing developers with a reliable tool to manipulate complex query parameters. Examining the differences reveals a subtle but notable shift in the development dependencies. Specifically, version 2.2.3 upgrades the lab testing framework dependency from the '3.x.x' series to '4.x.x'. This suggests potential improvements in the testing suite, possibly covering more edge cases or benefiting from enhanced testing capabilities offered by the newer lab version.
While the core functionality exposed to developers remains largely the same between these two versions, the updated testing framework hints at a commitment to quality and stability. For developers already using qs, upgrading to 2.2.3 is likely a safe bet, potentially benefiting from indirect improvements stemming from the enhanced testing. The library continues to be authored by Nathan LaFreniere and maintained under the hapijs GitHub repository, ensuring a level of community backing and continued maintenance. Both versions provide the same core functionality; the choice between them hinges on whether the developer prioritizes the slightly newer testing infrastructure.
All the vulnerabilities related to version 2.2.3 of the package
Prototype Pollution Protection Bypass in qs
Affected versions of qs are vulnerable to Prototype Pollution because it is possible to bypass the protection. The qs.parse function fails to properly prevent an object's prototype from being altered when parsing arbitrary input. Input containing '[' or ']' may bypass the prototype pollution protection and alter the Object prototype. This allows attackers to override properties that will exist in all objects, which may lead to Denial of Service or Remote Code Execution in specific circumstances.
Upgrade to 6.0.4, 6.1.2, 6.2.3, 6.3.2 or later.
qs vulnerable to Prototype Pollution
qs before 6.10.3 allows attackers to cause a Node process hang because an __proto__ key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.