qs — CVE history (npm)
qs
6 CVEs affect the qs npm package (highest CVSS 7.5). Latest disclosed: 2026-05-17. Full CVE history sourced from NVD.
Summary
- Package: qs (npm)
- Total CVEs: 6
- Actively exploited (CISA KEV): 0
- Highest CVSS: 7.5
- Latest disclosed: 2026-05-17
Recent CVEs (top 6)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-8723 | Medium | 5.3 | — | 2026-05-17 | `qs.stringify` throws `TypeError` when called with `arrayFormat: 'comma'` and `encodeValuesOnly: true` on an array containing `null` or `undefined`. |
| CVE-2026-2391 | Low | 3.7 | — | 2026-02-12 | The `arrayLimit` option in qs does not enforce limits for comma-separated values when `comma: true` is enabled, allowing attackers to cause denial-of-service via memory exhaustion. |
| CVE-2025-15284 | Low | 3.7 | — | 2025-12-29 | Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS. This issue affects qs: < 6.14.1. |
| CVE-2022-24999 | High | 7.5 | — | 2022-11-26 | qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an `__proto__` key can be used. |
| CVE-2014-10064 | High | 7.5 | — | 2018-05-31 | The qs module before 1.0.0 does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. |
| CVE-2017-1000048 | High | 7.5 | — | 2017-07-17 | The web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. |
All-time worst (top 6 by CVSS)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2022-24999 | High | 7.5 | — | 2022-11-26 | qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an `__proto__` key can be used. |
| CVE-2014-10064 | High | 7.5 | — | 2018-05-31 | The qs module before 1.0.0 does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. |
| CVE-2017-1000048 | High | 7.5 | — | 2017-07-17 | The web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. |
| CVE-2026-8723 | Medium | 5.3 | — | 2026-05-17 | `qs.stringify` throws `TypeError` when called with `arrayFormat: 'comma'` and `encodeValuesOnly: true` on an array containing `null` or `undefined`. |
| CVE-2026-2391 | Low | 3.7 | — | 2026-02-12 | The `arrayLimit` option in qs does not enforce limits for comma-separated values when `comma: true` is enabled, allowing attackers to cause denial-of-service via memory exhaustion. |
| CVE-2025-15284 | Low | 3.7 | — | 2025-12-29 | Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS. This issue affects qs: < 6.14.1. |