qs is a popular npm package for parsing and stringifying URL query strings, with support for nested keys and arrays. Version 6.3.0, released in October 2016, offered a stable solution with development dependencies such as tape for testing, covert for code coverage, and eslint for linting. Developers on older Node.js versions might find this version suitable because of its older dependency requirements.
Version 6.2.4, released in January 2022, represents a significant shift, with substantial upgrades to its development dependencies: a newer testing framework (tape 5.4.0), a different code-coverage tool (nyc), and a more modern linting setup (eslint 8.6.0 together with @ljharb/eslint-config 20.1.0). Newer development dependencies usually imply better code quality, enhanced security checks, and adherence to more modern JavaScript standards. It also includes safer-buffer for safer buffer handling, addressing potential security concerns.
While both versions provide the core query-string parsing functionality, developers should prefer version 6.2.4 for its improved security features, its adherence to current coding standards through the upgraded linting configuration, and potentially better performance from improvements in its dependencies compared with the older toolchain in 6.3.0. Note that 6.2.4 is a maintenance release on the older 6.2.x line; the prototype-pollution fixes listed below were also backported to the 6.3.x line (6.3.3 and later). The updates across the board indicate a commitment to maintaining a high-quality, secure, and modern library.
All vulnerabilities affecting version 6.3.0 of the package
Prototype Pollution Protection Bypass in qs
Affected versions of qs are vulnerable to Prototype Pollution because the protection can be bypassed. The qs.parse function fails to prevent an object's prototype from being altered when parsing arbitrary input. Input containing [ or ] may bypass the prototype pollution protection and alter the Object prototype. This allows attackers to override properties that will exist in all objects, which may lead to Denial of Service or Remote Code Execution in specific circumstances.
Upgrade to 6.0.4, 6.1.2, 6.2.3, 6.3.2 or later.
qs vulnerable to Prototype Pollution
qs before 6.10.3 allows attackers to cause a Node process hang because an __proto__ key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.
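Both advisories above describe the same class of defect: a bracket-notation query parser that lets attacker-chosen key segments name prototype members, either directly (__proto__) or by slipping brackets past the protection. As an added example (not code from the qs project), the following small parser shows the defensive checks that close both issues: key segments naming prototype members are refused before any assignment, every container is a null-prototype object, and nesting depth and pair count are bounded. The names LIMITS, findPrototypeKeys and safeParseQuery are this example's own; the limits correspond in meaning to qs's depth and parameterLimit options, and refusing prototype keys corresponds to qs's default allowPrototypes: false. The sample query string is constructed from the payload quoted in the second advisory.

```javascript
// Added example (not qs project code): a minimal bracket-notation query parser
// showing the defensive checks the advisories above call for.
//   1. Segments named __proto__, constructor or prototype are dropped before
//      any assignment, so a[__proto__]=b never reaches Object.prototype.
//   2. All containers are null-prototype objects, so even a key that slips
//      past the name check only creates an own property on a plain object.
//   3. Nesting depth and the number of key/value pairs are bounded, and
//      numeric-looking segments (including "length") are ordinary string keys,
//      so a[length]=100000000 cannot drive an expensive array operation.
// The names LIMITS, findPrototypeKeys and safeParseQuery are this example's own.

const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);
const LIMITS = { depth: 5, parameterLimit: 1000 };

// Percent-decode a key or value; malformed escapes are kept as-is.
function decode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch { return s; }
}

// "a[b][c]" -> ["a", "b", "c"]. Keys with unbalanced brackets are kept whole,
// so there is no way to smuggle a segment past the check with a stray bracket.
function splitKey(key) {
  const m = /^([^[\]]*)((?:\[[^[\]]*\])*)$/.exec(key);
  if (!m) return [key];
  const parts = [m[1]];
  const re = /\[([^[\]]*)\]/g;
  let b;
  while ((b = re.exec(m[2])) !== null) parts.push(b[1]);
  return parts;
}

// Detection hook: list the raw keys in a query string that name a prototype
// member, so a request can be logged or rejected before parsing.
function findPrototypeKeys(query) {
  const hits = [];
  for (const pair of query.split('&')) {
    const key = decode(pair.split('=')[0]);
    if (splitKey(key).some((s) => FORBIDDEN.has(s))) hits.push(key);
  }
  return hits;
}

// Walk/create null-prototype containers along path and store value at the leaf.
function assign(node, path, value) {
  for (let i = 0; i < path.length - 1; i++) {
    const seg = path[i];
    if (node[seg] === undefined || typeof node[seg] !== 'object') {
      node[seg] = Object.create(null);
    }
    node = node[seg];
  }
  const leaf = path[path.length - 1];
  // Repeated keys accumulate into an array, as query parsers commonly do.
  node[leaf] = leaf in node ? [].concat(node[leaf], value) : value;
}

// Returns { result, dropped }: result is a null-prototype object tree,
// dropped lists the keys refused by the prototype-name or depth checks.
function safeParseQuery(query, limits = LIMITS) {
  const result = Object.create(null);
  const dropped = [];
  const pairs = query.split('&').filter((p) => p !== '').slice(0, limits.parameterLimit);
  for (const pair of pairs) {
    const eq = pair.indexOf('=');
    const key = decode(eq === -1 ? pair : pair.slice(0, eq));
    const value = eq === -1 ? '' : decode(pair.slice(eq + 1));
    const segs = splitKey(key);
    if (segs.some((s) => FORBIDDEN.has(s)) || segs.length > limits.depth + 1) {
      dropped.push(key);
      continue;
    }
    assign(result, segs, value);
  }
  return { result, dropped };
}

// Constructed input: the payload quoted in the second advisory plus one
// ordinary parameter.
const SAMPLE = 'a[__proto__]=b&a[__proto__]&a[length]=100000000&user=alice';
const parsed = safeParseQuery(SAMPLE);
console.log(findPrototypeKeys(SAMPLE)); // ['a[__proto__]', 'a[__proto__]']
console.log(parsed.dropped);            // the same two keys
console.log(parsed.result.a.length);    // '100000000' (a string key, not an array length)
console.log(({}).b);                    // undefined: Object.prototype untouched
```

The detection hook is the piece to wire into request logging: keys are percent-decoded before the check, so an encoded form such as a%5B__proto__%5D=b is caught as well. Because the parser never builds real arrays from numeric or length-named segments, the hang payload degrades to an ordinary string property on a plain object.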