qs is a popular npm package for parsing and stringifying URL query strings, with support for nested objects and arrays. Version 2.3.3, released on November 14, 2014, is a minor update to version 2.3.2, released on October 28, 2014. The two versions share the same parser functionality. The difference lies in development dependencies: 2.3.3 moved the "lab" test runner from the 4.x.x series to 5.x.x and added the "code" assertion library (1.x.x) as a new development dependency, whereas 2.3.2 depended only on lab 4.x.x. Development dependencies are not installed by consumers of the package and do not change its runtime behaviour, so this change on its own is neither a security fix nor a reason to upgrade. The reason to move off 2.3.3 is that it falls within the affected range of the two prototype pollution advisories listed below, both of which are fixed only in 6.x releases.
All vulnerabilities affecting version 2.3.3 of the package
Prototype Pollution Protection Bypass in qs
Affected versions of qs are vulnerable to Prototype Pollution because the built-in protection can be bypassed. The qs.parse function fails to prevent an object's prototype from being altered when parsing arbitrary input: input containing "[" or "]" may bypass the prototype pollution protection and alter Object.prototype. This allows attackers to set properties that then exist on every object, which may lead to Denial of Service or Remote Code Execution in specific circumstances.
Upgrade to 6.0.4, 6.1.2, 6.2.3, 6.3.2 or later.
qs vulnerable to Prototype Pollution
qs before 6.10.3 allows attackers to cause a Node process hang because an __proto__ key can be used. In many typical web framework use cases (Express's default "extended" query parser is qs, for example), an unauthenticated remote attacker can place the attack payload in the query string of the URL used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4. Version 2.3.3 is below every fixed line, so the only remedy is to upgrade to a fixed 6.x release.