Vulnerability	Vulnerable Version
H Prototype Poisoning qs is a querystring parser that supports nesting and arrays, with a depth limit. Affected versions of this package are vulnerable to Prototype Poisoning which allows attackers to cause a Node process to hang, processing an Array object whose prototype has been replaced by one with an excessive length value. Note: In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as `a[__proto__]=b&a[__proto__]&a[length]=100000000`. How to fix Prototype Poisoning? Upgrade `qs` to version 6.2.4, 6.3.3, 6.4.1, 6.5.3, 6.6.1, 6.7.3, 6.8.3, 6.9.7, 6.10.3 or higher.	<6.2.4>=6.3.0 <6.3.3>=6.4.0 <6.4.1>=6.5.0 <6.5.3>=6.6.0 <6.6.1>=6.7.0 <6.7.3>=6.8.0 <6.8.3>=6.9.0 <6.9.7>=6.10.0 <6.10.3

Prototype Poisoning

qs is a querystring parser that supports nesting and arrays, with a depth limit.

Affected versions of this package are vulnerable to Prototype Poisoning which allows attackers to cause a Node process to hang, processing an Array object whose prototype has been replaced by one with an excessive length value.

Note: In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000.

How to fix Prototype Poisoning?

Upgrade qs to version 6.2.4, 6.3.3, 6.4.1, 6.5.3, 6.6.1, 6.7.3, 6.8.3, 6.9.7, 6.10.3 or higher.

<6.2.4>=6.3.0 <6.3.3>=6.4.0 <6.4.1>=6.5.0 <6.5.3>=6.6.0 <6.6.1>=6.7.0 <6.7.3>=6.8.0 <6.8.3>=6.9.0 <6.9.7>=6.10.0 <6.10.3

Go back to all versions of this package