6.13.0
9 years ago
3 months ago
Known vulnerabilities in the org.webjars.npm:qs package. This does not include vulnerabilities belonging to this package’s dependencies.
Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for freeVulnerability | Vulnerable Version |
---|---|
org.webjars.npm:qs is a querystring parser that supports nesting and arrays, with a depth limit. Affected versions of this package are vulnerable to Prototype Poisoning which allows attackers to cause a Node process to hang, processing an Array object whose prototype has been replaced by one with an excessive length value. Note: In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as How to fix Prototype Poisoning? Upgrade | [,6.11.0) |
org.webjars.npm:qs is a querystring parser that supports nesting and arrays, with a depth limit. Affected versions of this package are vulnerable to Prototype Override Protection Bypass. By default From
Overwriting these properties can impact application logic, potentially allowing attackers to work around security controls, modify data, make the application unstable and more. In versions of the package affected by this vulnerability, it is possible to circumvent this protection and overwrite prototype properties and functions by prefixing the name of the parameter with Example:
For more information, you can check out our blog. How to fix Prototype Override Protection Bypass? Upgrade | [,6.0.4)[6.1.0,6.1.2)[6.2.0,6.2.3)[6.3.0,6.3.2) |
org.webjars.npm:qs is a querystring parser that supports nesting and arrays, with a depth limit. Affected versions of this package are vulnerable to Denial of Service (DoS). When parsing a string representing a deeply nested object, qs will block the event loop for long periods of time. Such a delay may hold up the server's resources, keeping it from processing other requests in the meantime, thus enabling a Denial-of-Service attack. How to fix Denial of Service (DoS)? Upgrade | [,1.0.0) |
org.webjars.npm:qs is a querystring parser that supports nesting and arrays, with a depth limit. Affected versions of this package are vulnerable to Denial of Service (DoS).
During parsing, the How to fix Denial of Service (DoS)? Upgrade | [,1.0.0) |