qs is a popular npm package offering robust querystring parsing, handling nested objects and arrays with a configurable depth limit. Between versions 6.3.0 and 6.3.1 the changes are confined to development dependencies. In 6.3.1, tape is updated from version 4.6.2 to 4.6.3, and eslint receives a significant bump from version 3.8.0 to 3.15.0. Furthermore, browserify is updated from version 13.1.0 to 14.1.0, iconv-lite from 0.4.13 to 0.4.15 and @ljharb/eslint-config from 8.0.0 to 11.0.0. qs-iconv has a minor update, from 1.0.3 to 1.0.4. The core functionality of qs is unchanged between the two versions, so parsing and stringifying querystrings behave the same and most users will not observe different behavior. Developers who use any of these devDependencies directly during development or testing should check compatibility with their own tooling. Version 6.3.1 was released on February 16, 2017, reflecting continued maintenance and a policy of keeping development dependencies current. Upgrading to 6.3.1 therefore brings the latest development tools and potentially improved build processes, but no runtime change.
Vulnerabilities affecting version 6.3.1 of the package
Prototype Pollution Protection Bypass in qs
Affected versions of qs are vulnerable to Prototype Pollution because the protection can be bypassed. The qs.parse function fails to properly prevent an object's prototype from being altered when parsing arbitrary input. Input containing [ or ] may bypass the prototype pollution protection and alter the Object prototype. This allows attackers to override properties that will exist in all objects, which may lead to Denial of Service or Remote Code Execution in specific circumstances.
Upgrade to 6.0.4, 6.1.2, 6.2.3, 6.3.2 or later.
qs vulnerable to Prototype Pollution
qs before 6.10.3 allows attackers to cause a Node process hang because an __proto__ key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.