CVE-2014-7191 — Uncontrolled Resource Consumption in Node.js

CWE-399 CWE-400 — Uncontrolled Resource Consumption8 documents7 sources

Severity

5.0MEDIUMNVD

EPSS

0.7%

top 28.19%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

QS Project QS Nodejs Node.js

Timeline

PublishedOct 19

Latest updateOct 24

Description

The qs module before 1.0.0 in Node.js does not call the compact function for array data, which allows remote attackers to cause a denial of service (memory consumption) by using a large index value to create a sparse array.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages2 packages

▶NVDnodejs/node.js0.10.18

▶npmqs_project/qs< 1.0.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Denial-of-Service Memory Exhaustion in qs↗2017-10-24

▶

GHSA

Denial-of-Service Memory Exhaustion in qs↗2017-10-24

▶

OSV

CVE-2014-7191: The qs module before 1↗2014-10-19

▶

CVEList

CVE-2014-7191: The qs module before 1↗2014-10-19

▶

📋Vendor Advisories

Red Hat

nodejs-qs: Denial-of-Service Memory Exhaustion↗2014-08-06

▶

Debian

CVE-2014-7191: node-qs - The qs module before 1.0.0 in Node.js does not call the compact function for arr...↗2014

▶

💬Community

Bugzilla

CVE-2014-7191 nodejs-qs: Denial-of-Service Memory Exhaustion↗2014-09-24

▶