Qs Project Qs vulnerabilities

6 known vulnerabilities affecting qs_project/qs.

Total CVEs: 6
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 4, MEDIUM 2

Vulnerabilities

CVE-2026-2391 [MEDIUM] CVSS 6.3 | affected: ≥ 6.7.0, < 6.14.2 | 2026-02-12
Summary: The `arrayLimit` option in qs does not enforce limits for comma-separated values when `comma: true` is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar to the bracket notation bypass addressed in GHSA-6rw7-vpxm-498p (CVE-2025-15284). Details: When the `comma`
Sources: GHSA, NVD, OSV
CVE-2025-15284 [MEDIUM] CVSS 6.3 | fixed in 6.14.1 | 2025-12-29
CWE-20: Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS. This issue affects qs: < 6.14.1. Summary: The arrayLimit option in qs did not enforce limits for bracket notation (a[]=1&a[]=2), only for indexed notation (a[0]=1). This is a consistency bug; arrayLimit should apply uniformly across all array notations. Note: The default
Sources: GHSA, NVD, OSV
CVE-2022-24999 [HIGH] CVSS 7.5 | fixed in 6.2.4; affected: ≥ 6.3.0, < 6.3.3, +7 more ranges | 2022-11-26
CWE-1321: qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because a `__proto__` key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application,
Sources: GHSA, NVD, OSV
CVE-2014-10064 [HIGH] CVSS 7.5 | fixed in 1.0.0 | 2018-05-31
CWE-400: The qs module before 1.0.0 does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. An attacker could leverage this to cause a temporary denial-of-service condition, for example, in a web application, other requests would not be proc
Sources: GHSA, NVD, OSV
CVE-2014-7191 [HIGH] | affected: ≥ 0, < 1.0.0 | 2017-10-24
CWE-400: Denial-of-Service Memory Exhaustion in qs. Versions prior to 1.0 of `qs` are affected by a denial of service condition. This condition is triggered by parsing a crafted string that deserializes into very large sparse arrays, resulting in the process running out of memory and eventually crashing. Recommendation: Update to version 1.0.0 or later.
Sources: GHSA, OSV
CVE-2017-1000048 [HIGH] CVSS 7.5 | affected: v1.0.0, v1.0.1, +28 more versions | 2017-07-17
CWE-20: The web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send an evil request to cause the web framework to crash.
Sources: GHSA, NVD, OSV