You are using an out of date browser. It may not display this or other websites correctly. You should upgrade or use an alternative browser.
qs vulnerability
About this tag
The qs vulnerability tag covers security flaws in the popular Node.js query-string parser library. Discussions focus on prototype pollution (CVE-2022-24999) and denial-of-service via bracket notation (CVE-2025-15284). These vulnerabilities allow attackers to craft malicious query strings that bypass array-size limits or modify object prototypes, leading to memory exhaustion or application hangs. Patches are available in qs versions 6.10.3 and 6.14.1, with fixes backported to Express.js. Topics include technical root causes, exploitation vectors, and mitigation steps for Node.js applications that parse untrusted query strings.
The qs library’s quietly dangerous prototype‑pollution bug — tracked as CVE‑2022‑24999 — is a textbook example of how a tiny parser behavior can cascade into a network‑accessible denial‑of‑service for Node.js applications. The flaw allowed an attacker to use a specially crafted query string (for...
A newly assigned CVE, CVE-2025-15284, exposes a subtle but impactful logic hole in the popular Node.js query-string parser package qs that allows attackers to bypass configured array-size limits and trigger denial-of-service (DoS) through memory exhaustion when requests use bracket notation...