Known CVE vulnerabilities and GitHub Security Advisories affecting the npm package qs, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (7)
CVE-2022-24999 — CVSS 7.5 (high): qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express…
CVE-2017-1000048 — CVSS 7.5 (high): the web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send…
CVE-2014-10064 — CVSS 7.5 (high): The qs module before 1.0.0 does not have an option or default for specifying object depth and when parsing a string representing a deeply…
CVE-2026-8723 — CVSS 5.3 (medium): ### Summary `qs.stringify` throws `TypeError` when called with `arrayFormat: 'comma'` and `encodeValuesOnly: true` on an array containing…
CVE-2014-7191 — CVSS 5.0 (medium): The qs module before 1.0.0 in Node.js does not call the compact function for array data, which allows remote attackers to cause a denial of…
CVE-2026-2391 — CVSS 3.7 (low): ### Summary The `arrayLimit` option in qs does not enforce limits for comma-separated values when `comma: true` is enabled, allowing…