qs is a popular npm package for parsing and stringifying URL query strings, with support for nested objects and arrays within the query. Versions 2.2.3 and 2.2.4 are closely related iterations of this library, aimed at developers manipulating URLs in Node.js and browser environments. The differences between them are subtle: version 2.2.4 was released approximately two weeks after 2.2.3, on September 18, 2014. Both versions share the same core functionality, the same dependencies (none), the same development dependencies (the lab testing framework), and the same maintainer and author information. The repository URL places the project under the hapijs GitHub organization, indicating a connection to the hapi.js web framework. For developers, the critical aspect is the library's ability to handle query string structures beyond simple key-value pairs, accommodating nested data up to a defined depth limit. The changes in version 2.2.4 over 2.2.3 are likely bug fixes, performance enhancements, or minor adjustments to internal logic, though confirming this requires inspecting the code changes between the releases. Since the release notes give no details, whether upgrading from 2.2.3 to 2.2.4 is worthwhile depends on whether the older version is exhibiting problems; there are no dependency changes between the versions. New users can expect both versions to deliver dependable query string parsing.
All vulnerabilities related to version 2.2.4 of the package
Prototype Pollution Protection Bypass in qs
Affected versions of qs are vulnerable to Prototype Pollution because the protection can be bypassed. The qs.parse function fails to properly prevent an object's prototype from being altered when parsing arbitrary input. Input containing [ or ] may bypass the prototype pollution protection and alter the Object prototype. This allows attackers to override properties that will exist in all objects, which may lead to Denial of Service or Remote Code Execution in specific circumstances.
Upgrade to 6.0.4, 6.1.2, 6.2.3, 6.3.2 or later.
qs vulnerable to Prototype Pollution
qs before 6.10.3 allows attackers to cause a Node process hang because an __proto__ key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.