Npm · Qs · CVE-2026-8723
**Name of the Vulnerable Software and Affected Versions**
qs versions 6.11.1 through 6.15.1
**Description**
The `stringify()` function throws a `TypeError` when called with the options `arrayFormat: 'comma'` and `encodeValuesOnly: true` on an array containing `null` or `undefined` elements. This occurs because the `encode()` function in `lib/utils.js` attempts to read the `length` property of the element without a null guard. Null-related options such as `skipNulls` and `strictNullHandling` are bypassed and do not prevent the throw.
In typical Node.js HTTP frameworks, this synchronous throw is caught by error boundaries, resulting in a 500 error for the affected request. However, if called outside a request-handler error boundary, such as in background jobs or startup paths, it may cause the worker process to exit.
**Recommendations**
Update to version 6.15.2.
As a temporary workaround, avoid using the `arrayFormat: 'comma'` and `encodeValuesOnly: true` options simultaneously when processing arrays that may contain `null` or `undefined` values.
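One way to apply the workaround until the upgrade is deployed, shown as an added example that is not code from qs or from this advisory. The helper names (`isAffectedOptionSet`, `dropNullishArrayItems`, `guardedStringify`) are hypothetical, and dropping the `null`/`undefined` array elements is this example's policy choice, not something the advisory prescribes.

```javascript
'use strict';

// The option pair the advisory names as triggering the TypeError.
function isAffectedOptionSet(opts = {}) {
  return opts.arrayFormat === 'comma' && opts.encodeValuesOnly === true;
}

const isNullish = (v) => v === null || v === undefined;
const isPlainObject = (v) =>
  v !== null && typeof v === 'object' &&
  [Object.prototype, null].includes(Object.getPrototypeOf(v));

// Copy `value`, dropping null/undefined from arrays at any depth.
// Object properties set to null are kept, so skipNulls and
// strictNullHandling still decide how those are rendered.
function dropNullishArrayItems(value, seen = new WeakMap()) {
  if (!Array.isArray(value) && !isPlainObject(value)) return value; // Date, Buffer, primitives
  if (seen.has(value)) return seen.get(value); // keep cycles intact, no infinite recursion
  if (Array.isArray(value)) {
    const out = [];
    seen.set(value, out);
    for (const item of value) {
      if (!isNullish(item)) out.push(dropNullishArrayItems(item, seen));
    }
    return out;
  }
  const out = {};
  seen.set(value, out);
  for (const [key, item] of Object.entries(value)) {
    out[key] = dropNullishArrayItems(item, seen);
  }
  return out;
}

// `stringify` is injected (pass qs.stringify) so the guard itself has no dependency.
// Input is only rewritten when the affected option pair is in use.
function guardedStringify(stringify, obj, opts = {}) {
  const input = isAffectedOptionSet(opts) ? dropNullishArrayItems(obj) : obj;
  return stringify(input, opts);
}

// Constructed sample payload: `tags` holds a null and an undefined element.
const samplePayload = { tags: ['a', null, 'b', undefined], owner: null, when: new Date(0) };
const sampleOpts = { arrayFormat: 'comma', encodeValuesOnly: true };
const cleaned = dropNullishArrayItems(samplePayload);
console.log(cleaned.tags, cleaned.owner); // arrays cleaned, null property kept
```

Call it as `guardedStringify(qs.stringify, payload, opts)` in background jobs and startup paths, where no request-handler error boundary would catch the throw.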