Skip to main content

qs CVE-2026-8723

MEDIUM
NULL Pointer Dereference (CWE-476)
2026-05-17 7ffcee3d-2c14-4c3e-b844-86c6a321a158 GHSA-q8mj-m7cp-5q26
6.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
May 17, 2026 - 00:27 vuln.today
Analysis Generated
May 17, 2026 - 00:27 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 706 npm packages depend on qs (135 direct, 584 indirect)

Ecosystem-wide dependent count for version 6.11.1.

DescriptionCVE.org

Summary

qs.stringify throws TypeError when called with arrayFormat: 'comma' and encodeValuesOnly: true on an array containing null or undefined. The throw is synchronous and not handled by any of qs's null-related options (skipNulls, strictNullHandling).

Details

In the comma + encodeValuesOnly branch, lib/stringify.js:145 mapped the array through the raw encoder before joining:

js



obj = utils.maybeMap(obj, encoder);


utils.encode (lib/utils.js:195) reads str.length with no null guard, so a null or undefined element throws TypeError. skipNulls and strictNullHandling are both checked in the per-element loop below this line and never get a chance to run.

Same class of bug as the filter-array path fixed in 0c180a4. The vulnerable shape of the comma + encodeValuesOnly branch was introduced in 4c4b23d ("encode comma values more consistently", PR #463, 2023-01-19), first released in v6.11.1.

PoC
js



const qs = require('qs');



qs.stringify({ a: [null, 'b'] },      { arrayFormat: 'comma', encodeValuesOnly: true });



qs.stringify({ a: [undefined, 'b'] }, { arrayFormat: 'comma', encodeValuesOnly: true });



qs.stringify({ a: [null] },           { arrayFormat: 'comma', encodeValuesOnly: true });



// TypeError: Cannot read properties of null (reading 'length')



//     at encode (lib/utils.js:195:13)



//     at Object.maybeMap (lib/utils.js:322:37)



//     at stringify (lib/stringify.js:145:25)


Fix

lib/stringify.js:145, applied in 21f80b3 on main and released as v6.15.2:

diff



- obj = utils.maybeMap(obj, encoder);



+ obj = utils.maybeMap(obj, function (v) {



+     return v == null ? v : encoder(v);



+ });


null and undefined now pass through maybeMap unchanged and reach the join(',') step as-is. For { a: [null, 'b'] } this produces a=,b, matching the non-encodeValuesOnly comma path (which already joins before encoding and produces a=%2Cb for the same input). Single-element [null] arrays still collapse via the existing obj.join(',') || null and remain subject to skipNulls / strictNullHandling in the main loop.

Affected versions

>=6.11.1 <6.15.2 - fixed in v6.15.2.

The vulnerable code shape was introduced in 4c4b23d and first shipped in v6.11.1. Earlier versions - including all of 6.7.x, 6.8.x, 6.9.x, 6.10.x, and 6.11.0 - implemented the comma + encodeValuesOnly path differently (joining before encoding) and are not affected. Empirically verified across released versions.

Impact

Application code that calls qs.stringify with both arrayFormat: 'comma' and encodeValuesOnly: true (both non-default) on input that may contain a null or undefined array element will throw synchronously instead of producing a query string. In a typical Node.js HTTP framework (Express, Fastify, Koa, hapi) the sync throw is caught by the framework's error boundary and the affected request returns a 500; the worker process does not exit and subsequent requests are unaffected. The "kills the worker process" framing applies only to call sites outside a request-handler error boundary (background jobs, startup paths, stream pipelines) or to deployments with framework error handling explicitly disabled.

The vulnerable input is a null or undefined entry inside an array; this is reachable from JSON request bodies or from application code constructing arrays from user input, but not from standard HTML form submissions (which produce strings or omitted fields, not literal null).

AnalysisAI

The qs Node.js library (versions 6.11.1 through 6.15.1) crashes with a synchronous TypeError when stringify is called with both arrayFormat: 'comma' and encodeValuesOnly: true on arrays containing null or undefined elements. Applications using these non-default options together will experience request failures (typically 500 errors in web frameworks) when processing user input with null array values. The vulnerability was introduced in commit 4c4b23d (PR #463, January 2023) and patched in v6.15.2 (commit 21f80b3). No public exploit or CISA KEV listing identified at time of analysis, though exploitation requires only crafting JSON input with null array elements.

Technical ContextAI

The qs library implements RFC 3986 query string encoding/decoding for Node.js applications. The vulnerable code path occurs in lib/stringify.js:145 when the comma array format (which serializes arrays as a=1,2,3 instead of a[]=1&a[]=2) is combined with encodeValuesOnly mode (which skips encoding parameter names). In this configuration, the code calls utils.maybeMap(obj, encoder) which attempts to read the length property of each array element before joining them with commas. The encoder function (utils.encode at lib/utils.js:195) accesses str.length without null guards, triggering 'Cannot read properties of null (reading length)' when encountering null or undefined. The bug represents CWE-476 (NULL Pointer Dereference) adapted to JavaScript's dynamic typing - attempting to access properties on null/undefined values. The existing null-handling options (skipNulls, strictNullHandling) are evaluated later in the processing pipeline and never execute because the synchronous throw occurs first. This is the same vulnerability class previously fixed in the filter-array path (commit 0c180a4), indicating a pattern of incomplete null validation across different code branches handling the comma array format.

Affected ProductsAI

The qs library for Node.js versions 6.11.1 through 6.15.1 inclusive. The vulnerable code was introduced in commit 4c4b23d (pull request #463, January 19 2023) and first released in v6.11.1. Earlier versions including all 6.7.x, 6.8.x, 6.9.x, 6.10.x, and 6.11.0 releases use a different implementation (joining before encoding) and are NOT affected. Vendor advisory available at https://github.com/ljharb/qs/security/advisories/GHSA-q8mj-m7cp-5q26 with fix details at https://github.com/ljharb/qs/commit/21f80b33e5c8b3f7eba1034fff0da4a4a37a1d41.

RemediationAI

Upgrade to qs v6.15.2 or later, released February 2025, which applies the fix from commit 21f80b3. The patch wraps array elements in a null-checking lambda before encoding: obj = utils.maybeMap(obj, function (v) { return v == null ? v : encoder(v); }) so null/undefined values pass through unchanged to the join step. See vendor advisory at https://github.com/ljharb/qs/security/advisories/GHSA-q8mj-m7cp-5q26 for complete patch details. If immediate upgrade is not feasible, apply one of these workarounds with noted trade-offs: (1) Remove encodeValuesOnly: true from stringify calls and accept that parameter names will be percent-encoded (changes output format but eliminates crash). (2) Pre-filter arrays to remove null/undefined before passing to qs.stringify using array.filter(v => v != null) (adds processing overhead and silently drops null values that may have semantic meaning). (3) Switch to a different arrayFormat option like 'brackets' or 'indices' (changes query string format, may break API consumers expecting comma-delimited arrays). (4) Add application-level try-catch around qs.stringify calls to convert TypeError to controlled error response (does not prevent 500 errors, only allows custom error handling). Option 1 is safest if comma-delimited output is not strictly required.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Share

CVE-2026-8723 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy