Qs is a popular npm package designed for parsing and stringifying URL query strings with advanced features such as nesting and array support, all while respecting a configurable depth limit. Versions 6.2.1 and 6.2.2 share the same core functionality and development dependencies, including tools for testing, code coverage (tape, covert), linting (eslint), documentation (evalmd), and building browser-compatible versions (browserify). Both versions are licensed under the BSD-3-Clause license and the code is stored in the same repository.
The key difference lies in their release dates: version 6.2.1 was published in July 2016, whereas version 6.2.2 was released in February 2017. Version 6.2.2 therefore carries whatever bug fixes and new functionality were contributed by the community in the intervening months.
Developers using qs can leverage its capabilities to handle complex query strings effectively, and these two versions provide a stable base for that. While the core functionality remains the same, upgrading to version 6.2.2 ensures they benefit from any bug fixes and improvements made since the previous release, contributing to a potentially more stable and reliable experience. When using this library, developers are encouraged to use the newer of the two versions, since it has received the more recent community fixes.
All the vulnerabilities affecting version 6.2.2 of the package
Prototype Pollution Protection Bypass in qs
Affected versions of qs are vulnerable to Prototype Pollution because it is possible to bypass the protection. The qs.parse function fails to properly prevent an object's prototype from being altered when parsing arbitrary input. Input containing [ or ] may bypass the prototype pollution protection and alter the Object prototype. This allows attackers to override properties that will exist in all objects, which may lead to Denial of Service or Remote Code Execution in specific circumstances.
Upgrade to 6.0.4, 6.1.2, 6.2.3, 6.3.2 or later.
qs vulnerable to Prototype Pollution
qs before 6.10.3 allows attackers to cause a Node process hang because an __proto__ key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.