qs is a popular npm package for parsing and stringifying URL query strings. It handles complex data structures within query strings, including nested objects and arrays, which makes it a useful tool for web developers. The step from version 5.0.0 to 5.1.0 is a refinement of the existing library rather than a redesign. Looking at the package metadata, the core functionality, description ("A querystring parser that supports nesting and arrays, with a depth limit"), dependencies, devDependencies (lab, code, browserify) and license (BSD-3-Clause) remain unchanged, which suggests a focus on internal improvements and bug fixes rather than new features. The repository URL is also unchanged and points to the hapijs/qs GitHub repository. Comparing the release dates, version 5.1.0 was released on '2015-09-11', approximately two weeks after version 5.0.0, which was released on '2015-08-27'. The difference between the two versions therefore lies in the incremental improvements or bug fixes covered by the minor version bump. The available metadata does not say what those changes are, so developers considering an upgrade should consult the changelog or release notes for version 5.1.0, if available. If you are using the previous version, upgrading to 5.1.0 should provide a more stable query string parsing experience.
All vulnerabilities affecting version 5.1.0 of the package
Prototype Pollution Protection Bypass in qs
Affected versions of qs are vulnerable to Prototype Pollution because it is possible to bypass the protection. The qs.parse function fails to properly prevent an object's prototype from being altered when parsing arbitrary input. Input containing "[" or "]" may bypass the prototype pollution protection and alter the Object prototype. This allows attackers to override properties that will exist in all objects, which may lead to Denial of Service or Remote Code Execution in specific circumstances.
Upgrade to 6.0.4, 6.1.2, 6.2.3, 6.3.2 or later.
qs vulnerable to Prototype Pollution
qs before 6.10.3 allows attackers to cause a Node process hang because an __proto__ key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.