Find, fix and prevent vulnerabilities in your code.
high severity
- Vulnerable module: qs
- Introduced through: express@4.21.2
Detailed paths
-
Introduced through: simorgh@bbc/simorgh#03b15f6108692edd829289411b78e21d154b709c › express@4.21.2 › qs@6.13.0Remediation: Upgrade to express@4.22.0.
-
Introduced through: simorgh@bbc/simorgh#03b15f6108692edd829289411b78e21d154b709c › express@4.21.2 › body-parser@1.20.3 › qs@6.13.0Remediation: Upgrade to express@4.22.0.
Overview
qs is a querystring parser that supports nesting and arrays, with a depth limit.
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via improper enforcement of the arrayLimit option in bracket notation parsing. An attacker can exhaust server memory and cause application unavailability by submitting a large number of bracket notation parameters - like a[]=1&a[]=2 - in a single HTTP request.
PoC
const qs = require('qs');
const attack = 'a[]=' + Array(10000).fill('x').join('&a[]=');
const result = qs.parse(attack, { arrayLimit: 100 });
console.log(result.a.length); // Output: 10000 (should be max 100)
Remediation
Upgrade qs to version 6.14.1 or higher.
References
medium severity
new
- Vulnerable module: qs
- Introduced through: express@4.21.2
Detailed paths
-
Introduced through: simorgh@bbc/simorgh#03b15f6108692edd829289411b78e21d154b709c › express@4.21.2 › qs@6.13.0Remediation: Upgrade to express@4.22.0.
-
Introduced through: simorgh@bbc/simorgh#03b15f6108692edd829289411b78e21d154b709c › express@4.21.2 › body-parser@1.20.3 › qs@6.13.0Remediation: Upgrade to express@4.22.0.
Overview
qs is a querystring parser that supports nesting and arrays, with a depth limit.
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the parseArrayValue function when the comma option is in use. An attacker can exhaust system memory by submitting a parameter containing a large number of comma-separated values, resulting in the allocation of excessively large arrays.
Note:
This is only exploitable if the comma option is explicitly set to true. arrayLimit is properly enforced for index and bracket notation.
PoC
const qs = require('qs');
const payload = 'a=' + ','.repeat(25); // 26 elements after split (bypasses arrayLimit: 5)
const options = { comma: true, arrayLimit: 5, throwOnLimitExceeded: true };
try {
const result = qs.parse(payload, options);
console.log(result.a.length); // Outputs: 26 (bypass successful)
} catch (e) {
console.log('Limit enforced:', e.message); // Not thrown
}
Remediation
Upgrade qs to version 6.14.2 or higher.