chore(deps): update dependency qs to v6.15.2 [security]#786
Open
renovate[bot] wants to merge 1 commit into
Open
chore(deps): update dependency qs to v6.15.2 [security]#786renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
commit: |
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #786 +/- ##
=======================================
Coverage 94.65% 94.65%
=======================================
Files 10 10
Lines 730 730
Branches 228 228
=======================================
Hits 691 691
Misses 36 36
Partials 3 3 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
6.15.1→6.15.2qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set
CVE-2026-8723 / GHSA-q8mj-m7cp-5q26
More information
Details
Summary
qs.stringifythrowsTypeErrorwhen called witharrayFormat: 'comma'andencodeValuesOnly: trueon an array containingnullorundefined. The throw is synchronous and not handled by any of qs's null-related options (skipNulls,strictNullHandling).Details
In the comma +
encodeValuesOnlybranch,lib/stringify.js:145mapped the array through the raw encoder before joining:utils.encode(lib/utils.js:195) readsstr.lengthwith no null guard, so anullorundefinedelement throwsTypeError.skipNullsandstrictNullHandlingare both checked in the per-element loop below this line and never get a chance to run.Same class of bug as the filter-array path fixed in 0c180a4. The vulnerable shape of the comma +
encodeValuesOnlybranch was introduced in 4c4b23d ("encode comma values more consistently", PR #463, 2023-01-19), first released in v6.11.1.PoC
Fix
lib/stringify.js:145, applied in 21f80b3 onmain:nullandundefinednow pass throughmaybeMapunchanged and reach thejoin(',')step as-is. For{ a: [null, 'b'] }this producesa=,b, matching the non-encodeValuesOnlycomma path (which already joins before encoding and producesa=%2Cbfor the same input). Single-element[null]arrays still collapse via the existingobj.join(',') || nulland remain subject toskipNulls/strictNullHandlingin the main loop.Affected versions
>=6.11.1 <=6.15.1The vulnerable code shape was introduced in 4c4b23d and first shipped in v6.11.1. Earlier versions — including all of 6.7.x, 6.8.x, 6.9.x, 6.10.x, and 6.11.0 — implemented the comma +
encodeValuesOnlypath differently (joining before encoding) and are not affected. Empirically verified across released versions.Impact
Application code that calls
qs.stringifywith botharrayFormat: 'comma'andencodeValuesOnly: true(both non-default) on input that may contain anullorundefinedarray element will throw synchronously instead of producing a query string. In a typical Node.js HTTP framework (Express, Fastify, Koa, hapi) the sync throw is caught by the framework's error boundary and the affected request returns a 500; the worker process does not exit and subsequent requests are unaffected. The "kills the worker process" framing applies only to call sites outside a request-handler error boundary (background jobs, startup paths, stream pipelines) or to deployments with framework error handling explicitly disabled.The vulnerable input is a
nullorundefinedentry inside an array; this is reachable from JSON request bodies or from application code constructing arrays from user input, but not from standard HTML form submissions (which produce strings or omitted fields, not literalnull).Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
ljharb/qs (qs)
v6.15.2Compare Source
stringify: skip null/undefined entries inarrayFormat: 'comma'+encodeValuesOnlyinstead of crashing inencoderstringify: use configureddelimiteraftercharsetSentinel(#555)stringify: applyformatterto encoded key understrictNullHandling(#554)stringify: skip null/undefined filter-array entries instead of crashing inencoder(#551)parse: handle nested bracket groups and add regression tests (#530)@ljharb/eslint-configConfiguration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.