Skip to content

Update dependency qs to v6.14.1 [SECURITY] #16

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
renovate wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Update dependency qs to v6.14.1 [SECURITY] #16

renovate wants to merge 1 commit into from

Conversation

@renovate
Copy link

@renovate renovate bot commented May 28, 2023
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
qs 6.9.06.14.1 age confidence

GitHub Vulnerability Alerts

CVE-2022-24999

qs before 6.10.3 allows attackers to cause a Node process hang because an __ proto__ key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.

CVE-2025-15284

Summary

The arrayLimit option in qs does not enforce limits for bracket notation (a[]=1&a[]=2), allowing attackers to cause denial-of-service via memory exhaustion. Applications using arrayLimit for DoS protection are vulnerable.

Details

The arrayLimit option only checks limits for indexed notation (a[0]=1&a[1]=2) but completely bypasses it for bracket notation (a[]=1&a[]=2).

Vulnerable code (lib/parse.js:159-162):

if (root === '[]' && options.parseArrays) {
    obj = utils.combine([], leaf);  // No arrayLimit check
}

Working code (lib/parse.js:175):

else if (index <= options.arrayLimit) {  // Limit checked here
    obj = [];
    obj[index] = leaf;
}

The bracket notation handler at line 159 uses utils.combine([], leaf) without validating against options.arrayLimit, while indexed notation at line 175 checks index <= options.arrayLimit before creating arrays.

PoC

Test 1 - Basic bypass:

npm install qs
const qs = require('qs');
const result = qs.parse('a[]=1&a[]=2&a[]=3&a[]=4&a[]=5&a[]=6', { arrayLimit: 5 });
console.log(result.a.length);  // Output: 6 (should be max 5)

Test 2 - DoS demonstration:

const qs = require('qs');
const attack = 'a[]=' + Array(10000).fill('x').join('&a[]=');
const result = qs.parse(attack, { arrayLimit: 100 });
console.log(result.a.length);  // Output: 10000 (should be max 100)

Configuration:

  • arrayLimit: 5 (test 1) or arrayLimit: 100 (test 2)
  • Use bracket notation: a[]=value (not indexed a[0]=value)

Impact

Denial of Service via memory exhaustion. Affects applications using qs.parse() with user-controlled input and arrayLimit for protection.

Attack scenario:

  1. Attacker sends HTTP request: GET /api/search?filters[]=x&filters[]=x&...&filters[]=x (100,000+ times)
  2. Application parses with qs.parse(query, { arrayLimit: 100 })
  3. qs ignores limit, parses all 100,000 elements into array
  4. Server memory exhausted → application crashes or becomes unresponsive
  5. Service unavailable for all users

Real-world impact:

  • Single malicious request can crash server
  • No authentication required
  • Easy to automate and scale
  • Affects any endpoint parsing query strings with bracket notation

Suggested Fix

Add arrayLimit validation to the bracket notation handler. The code already calculates currentArrayLength at line 147-151, but it's not used in the bracket notation handler at line 159.

Current code (lib/parse.js:159-162):

if (root === '[]' && options.parseArrays) {
    obj = options.allowEmptyArrays && (leaf === '' || (options.strictNullHandling && leaf === null))
        ? []
        : utils.combine([], leaf);  // No arrayLimit check
}

Fixed code:

if (root === '[]' && options.parseArrays) {
    // Use currentArrayLength already calculated at line 147-151
    if (options.throwOnLimitExceeded && currentArrayLength >= options.arrayLimit) {
        throw new RangeError('Array limit exceeded. Only ' + options.arrayLimit + ' element' + (options.arrayLimit === 1 ? '' : 's') + ' allowed in an array.');
    }
    
    // If limit exceeded and not throwing, convert to object (consistent with indexed notation behavior)
    if (currentArrayLength >= options.arrayLimit) {
        obj = options.plainObjects ? { __proto__: null } : {};
        obj[currentArrayLength] = leaf;
    } else {
        obj = options.allowEmptyArrays && (leaf === '' || (options.strictNullHandling && leaf === null))
            ? []
            : utils.combine([], leaf);
    }
}

This makes bracket notation behaviour consistent with indexed notation, enforcing arrayLimit and converting to object when limit is exceeded (per README documentation).

Release Notes

ljharb/qs (qs)

v6.14.1

Compare Source

  • [Fix] ensure arrayLength applies to [] notation as well
  • [Fix] parse: when a custom decoder returns null for a key, ignore that key
  • [Refactor] parse: extract key segment splitting helper
  • [meta] add threat model
  • [actions] add workflow permissions
  • [Tests] stringify: increase coverage
  • [Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect

v6.14.0

Compare Source

  • [New] parse: add throwOnParameterLimitExceeded option (#​517)
  • [Refactor] parse: use utils.combine more
  • [patch] parse: add explicit throwOnLimitExceeded default
  • [actions] use shared action; re-add finishers
  • [meta] Fix changelog formatting bug
  • [Deps] update side-channel
  • [Dev Deps] update es-value-fixtures, has-bigints, has-proto, has-symbols
  • [Tests] increase coverage

v6.13.1

Compare Source

  • [Fix] stringify: avoid a crash when a filter key is null
  • [Fix] utils.merge: functions should not be stringified into keys
  • [Fix] parse: avoid a crash with interpretNumericEntities: true, comma: true, and iso charset
  • [Fix] stringify: ensure a non-string filter does not crash
  • [Refactor] use __proto__ syntax instead of Object.create for null objects
  • [Refactor] misc cleanup
  • [Tests] utils.merge: add some coverage
  • [Tests] fix a test case
  • [actions] split out node 10-20, and 20+
  • [Dev Deps] update es-value-fixtures, mock-property, object-inspect, tape

v6.13.0

Compare Source

  • [New] parse: add strictDepth option (#​511)
  • [Tests] use npm audit instead of aud

v6.12.3

Compare Source

  • [Fix] parse: properly account for strictNullHandling when allowEmptyArrays
  • [meta] fix changelog indentation

v6.12.2

Compare Source

  • [Fix] parse: parse encoded square brackets (#​506)
  • [readme] add CII best practices badge

v6.12.1

Compare Source

  • [Fix] parse: Disable decodeDotInKeys by default to restore previous behavior (#​501)
  • [Performance] utils: Optimize performance under large data volumes, reduce memory usage, and speed up processing (#​502)
  • [Refactor] utils: use +=
  • [Tests] increase coverage

v6.12.0

Compare Source

  • [New] parse/stringify: add decodeDotInKeys/encodeDotKeys options (#​488)
  • [New] parse: add duplicates option
  • [New] parse/stringify: add allowEmptyArrays option to allow [] in object values (#​487)
  • [Refactor] parse/stringify: move allowDots config logic to its own variable
  • [Refactor] stringify: move option-handling code into normalizeStringifyOptions
  • [readme] update readme, add logos (#​484)
  • [readme] stringify: clarify default arrayFormat behavior
  • [readme] fix line wrapping
  • [readme] remove dead badges
  • [Deps] update side-channel
  • [meta] make the dist build 50% smaller
  • [meta] add sideEffects flag
  • [meta] run build in prepack, not prepublish
  • [Tests] parse: remove useless tests; add coverage
  • [Tests] stringify: increase coverage
  • [Tests] use mock-property
  • [Tests] stringify: improve coverage
  • [Dev Deps] update @ljharb/eslint-config , aud, has-override-mistake, has-property-descriptors, mock-property, npmignore, object-inspect, tape
  • [Dev Deps] pin glob, since v10.3.8+ requires a broken jackspeak
  • [Dev Deps] pin jackspeak since 2.1.2+ depends on npm aliases, which kill the install process in npm < 6

v6.11.2

Compare Source

  • [Fix] parse: Fix parsing when the global Object prototype is frozen (#​473)
  • [Tests] add passing test cases with empty keys (#​473)

v6.11.1

Compare Source

  • [Fix] stringify: encode comma values more consistently (#​463)
  • [readme] add usage of filter option for injecting custom serialization, i.e. of custom types (#​447)
  • [meta] remove extraneous code backticks (#​457)
  • [meta] fix changelog markdown
  • [actions] update checkout action
  • [actions] restrict action permissions
  • [Dev Deps] update @ljharb/eslint-config, aud, object-inspect, tape

v6.11.0

Compare Source

  • [New] [Fix] stringify: revert 0e903c0; add commaRoundTrip option (#​442)
  • [readme] fix version badge

v6.10.5

Compare Source

  • [Fix] stringify: with arrayFormat: comma, properly include an explicit [] on a single-item array (#​434)

v6.10.4

Compare Source

  • [Fix] stringify: with arrayFormat: comma, include an explicit [] on a single-item array (#​441)
  • [meta] use npmignore to autogenerate an npmignore file
  • [Dev Deps] update eslint, @ljharb/eslint-config, aud, has-symbol, object-inspect, tape

v6.10.3

Compare Source

  • [Fix] parse: ignore __proto__ keys (#​428)
  • [Robustness] stringify: avoid relying on a global undefined (#​427)
  • [actions] reuse common workflows
  • [Dev Deps] update eslint, @ljharb/eslint-config, object-inspect, tape

v6.10.2

Compare Source

  • [Fix] stringify: actually fix cyclic references (#​426)
  • [Fix] stringify: avoid encoding arrayformat comma when encodeValuesOnly = true (#​424)
  • [readme] remove travis badge; add github actions/codecov badges; update URLs
  • [Docs] add note and links for coercing primitive values (#​408)
  • [actions] update codecov uploader
  • [actions] update workflows
  • [Tests] clean up stringify tests slightly
  • [Dev Deps] update eslint, @ljharb/eslint-config, aud, object-inspect, safe-publish-latest, tape

v6.10.1

Compare Source

  • [Fix] stringify: avoid exception on repeated object values (#​402)

v6.10.0

Compare Source

  • [New] stringify: throw on cycles, instead of an infinite loop (#​395, #​394, #​393)
  • [New] parse: add allowSparse option for collapsing arrays with missing indices (#​312)
  • [meta] fix README.md (#​399)
  • [meta] only run npm run dist in publish, not install
  • [Dev Deps] update eslint, @ljharb/eslint-config, aud, has-symbols, tape
  • [Tests] fix tests on node v0.6
  • [Tests] use ljharb/actions/node/install instead of ljharb/actions/node/run
  • [Tests] Revert "[meta] ignore eclint transitive audit warning"

v6.9.7

Compare Source

  • [Fix] parse: ignore __proto__ keys (#​428)
  • [Fix] stringify: avoid encoding arrayformat comma when encodeValuesOnly = true (#​424)
  • [Robustness] stringify: avoid relying on a global undefined (#​427)
  • [readme] remove travis badge; add github actions/codecov badges; update URLs
  • [Docs] add note and links for coercing primitive values (#​408)
  • [Tests] clean up stringify tests slightly
  • [meta] fix README.md (#​399)
  • Revert "[meta] ignore eclint transitive audit warning"
  • [actions] backport actions from main
  • [Dev Deps] backport updates from main

v6.9.6

Compare Source

  • [Fix] restore dist dir; mistakenly removed in d4f6c32

v6.9.5

Compare Source

  • [Fix] stringify: do not encode parens for RFC1738
  • [Fix] stringify: fix arrayFormat comma with empty array/objects (#​350)
  • [Refactor] format: remove util.assign call
  • [meta] add "Allow Edits" workflow; update rebase workflow
  • [actions] switch Automatic Rebase workflow to pull_request_target event
  • [Tests] stringify: add tests for #​378
  • [Tests] migrate tests to Github Actions
  • [Tests] run nyc on all tests; use tape runner
  • [Dev Deps] update eslint, @ljharb/eslint-config, browserify, mkdirp, object-inspect, tape; add aud

v6.9.4

Compare Source

  • [Fix] stringify: when arrayFormat is comma, respect serializeDate (#​364)
  • [Refactor] stringify: reduce branching (part of #​350)
  • [Refactor] move maybeMap to utils
  • [Dev Deps] update browserify, tape

v6.9.3

Compare Source

  • [Fix] proper comma parsing of URL-encoded commas (#​361)
  • [Fix] parses comma delimited array while having percent-encoded comma treated as normal text (#​336)

v6.9.2

Compare Source

  • [Fix] parse: Fix parsing array from object with comma true (#​359)
  • [Fix] parse: throw a TypeError instead of an Error for bad charset (#​349)
  • [meta] ignore eclint transitive audit warning
  • [meta] fix indentation in package.json
  • [meta] add tidelift marketing copy
  • [Dev Deps] update eslint, @ljharb/eslint-config, object-inspect, has-symbols, tape, mkdirp, iconv-lite
  • [actions] add automatic rebasing / merge commit blocking

v6.9.1

Compare Source

  • [Fix] parse: with comma true, handle field that holds an array of arrays (#​335)
  • [Fix] parse: with comma true, do not split non-string values (#​334)
  • [meta] add funding field
  • [Dev Deps] update eslint, @ljharb/eslint-config
  • [Tests] use shared travis-ci config

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/npm-qs-vulnerability branch 2 times, most recently from a343381 to d2addd4 Compare October 15, 2023 15:14
@renovate renovate bot force-pushed the renovate/npm-qs-vulnerability branch from d2addd4 to 8d5cb17 Compare October 22, 2023 12:45
@renovate renovate bot force-pushed the renovate/npm-qs-vulnerability branch 2 times, most recently from 743c48f to e9842e9 Compare February 4, 2024 11:02
@renovate renovate bot force-pushed the renovate/npm-qs-vulnerability branch from e9842e9 to 6a4f46f Compare February 25, 2024 10:17
@renovate renovate bot force-pushed the renovate/npm-qs-vulnerability branch from 6a4f46f to ca3a94f Compare March 12, 2024 12:55
@renovate renovate bot force-pushed the renovate/npm-qs-vulnerability branch from ca3a94f to b3068c7 Compare April 14, 2024 12:18
@renovate renovate bot force-pushed the renovate/npm-qs-vulnerability branch from b3068c7 to 15d0a8b Compare June 28, 2024 06:59
@renovate renovate bot force-pushed the renovate/npm-qs-vulnerability branch from 15d0a8b to 856be6a Compare July 21, 2024 12:39
@renovate renovate bot force-pushed the renovate/npm-qs-vulnerability branch from 856be6a to a9d1d73 Compare August 6, 2024 10:08
@renovate renovate bot force-pushed the renovate/npm-qs-vulnerability branch from a9d1d73 to d1997bd Compare December 2, 2024 09:59
@renovate renovate bot force-pushed the renovate/npm-qs-vulnerability branch from d1997bd to deb8767 Compare January 23, 2025 20:33
@renovate renovate bot force-pushed the renovate/npm-qs-vulnerability branch from deb8767 to 5907b40 Compare February 9, 2025 12:36
@renovate renovate bot force-pushed the renovate/npm-qs-vulnerability branch from 5907b40 to 63e496b Compare March 3, 2025 18:13
@renovate renovate bot force-pushed the renovate/npm-qs-vulnerability branch from 63e496b to 7786ff8 Compare December 31, 2025 15:30
@renovate renovate bot changed the title Update dependency qs to v6.9.7 [SECURITY] Update dependency qs to v6.14.1 [SECURITY] Dec 31, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant