CVE-2017-1000048

Name of the Vulnerable Software and Affected Versions qs versions prior to 6.0.4 qs versions prior to 6.1.2 qs versions prior to 6.2.3 qs versions prior to 6.3.2

Description The issue allows a malicious user to send a request that can cause the web framework to crash, resulting in a Denial of Service. This is due to the qs.parse function failing to properly prevent an object's prototype from being altered when parsing arbitrary input. Input containing [ or ] may bypass the prototype pollution protection and alter the Object prototype, allowing attackers to override properties that will exist in all objects. This may lead to Remote Code Execution in specific circumstances.

Recommendations Upgrade to version 6.0.4 or later. Upgrade to version 6.1.2 or later. Upgrade to version 6.2.3 or later. Upgrade to version 6.3.2 or later.