Qs is a popular npm package designed for parsing and stringifying URL query strings, offering robust support for nested objects and arrays. Versions 2.3.0 and 2.3.1 represent a minor iteration in the library's development, primarily focusing on incremental improvements and bug fixes rather than introducing significant new features.
Both versions share the same fundamental capabilities: parsing complex query strings into JavaScript objects and vice versa, with a configurable depth limit to prevent potential denial-of-service vulnerabilities. They have no mandatory dependencies, making them lightweight and easy to integrate into projects. Developers benefit from the ability to handle deeply nested data structures within URL parameters seamlessly, a crucial feature for modern web applications. The reliance on lab for development dependencies ensures stability and testability.
While the descriptions of both versions are identical, indicating no substantial change from a high-level perspective, one notable difference resides in their release dates. Version 2.3.1 was published just a day after 2.3.0, suggesting that the update likely addresses a minor bug or edge case discovered shortly after the initial release. For developers considering qs, opting for version 2.3.1 is generally recommended, as it likely incorporates the latest refinements and potential fixes, ensuring a slightly more stable experience. The GitHub repository serves as the primary source for detailed changelogs if any developer needs to investigate further.
All known vulnerabilities affecting version 2.3.1 of the package
Prototype Pollution Protection Bypass in qs
Affected versions of qs are vulnerable to Prototype Pollution because it is possible to bypass the protection. The qs.parse function fails to properly prevent an object's prototype from being altered when parsing arbitrary input. Input containing [ or ] may bypass the prototype pollution protection and alter the Object prototype. This allows attackers to override properties that will exist in all objects, which may lead to Denial of Service or Remote Code Execution in specific circumstances.
Upgrade to 6.0.4, 6.1.2, 6.2.3, 6.3.2 or later.
qs vulnerable to Prototype Pollution
qs before 6.10.3 allows attackers to cause a Node process hang because an __proto__ key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.