Qs is a popular npm package designed for parsing and stringifying URL query strings with support for nested objects and arrays. Versions 5.1.0 and 5.2.0, released in September and October of 2015 respectively, offer similar core functionality for developers needing robust querystring manipulation in their JavaScript applications. Both versions share the same BSD-3-Clause license and are maintained under the hapijs GitHub repository. The core description remains consistent: a querystring parser that supports nesting and arrays, complete with a depth limit to prevent excessive processing.
The primary distinction between the two versions lies in their release dates and potentially subtle bug fixes or performance enhancements introduced in version 5.2.0. While the provided metadata doesn't explicitly detail the changes, upgrading from 5.1.0 to 5.2.0 would generally be recommended to benefit from the latest improvements and stability patches available at the time. Developers using qs for complex querystring operations should consider the date of publication when evaluating each version in order to choose the latest stable code. The development dependencies, namely lab, code, and browserify, remains unchanged between the two releases, indicating no significant shift in the project's testing or build processes, and that the update may be a patch change.
All the vulnerabilities related to the version 5.2.0 of the package
Prototype Pollution Protection Bypass in qs
Affected version of qs are vulnerable to Prototype Pollution because it is possible to bypass the protection. The qs.parse function fails to properly prevent an object's prototype to be altered when parsing arbitrary input. Input containing [ or ] may bypass the prototype pollution protection and alter the Object prototype. This allows attackers to override properties that will exist in all objects, which may lead to Denial of Service or Remote Code Execution in specific circumstances.
Upgrade to 6.0.4, 6.1.2, 6.2.3, 6.3.2 or later.
qs vulnerable to Prototype Pollution
qs before 6.10.3 allows attackers to cause a Node process hang because an __ proto__ key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.
