Nathanael Braun

#35593 of 53,633
7.5 Total CVSS
Vulnerabilities · 1
PT-2022-17038
7.5
2022-11-26
Express · Express · CVE-2022-24999
**Name of the Vulnerable Software and Affected Versions**

qs versions prior to 6.10.3; Express versions prior to 4.17.3

**Description**

The issue allows attackers to cause a Node process hang for an Express application because a `__proto__` key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as `a[__proto__]=b&a[__proto__]&a[length]=100000000`.

**Recommendations**

For qs versions prior to 6.10.3, update to qs 6.10.3 or later. For Express versions prior to 4.17.3, update to Express 4.17.3 or later, which includes the fixed qs version. As a temporary workaround, consider restricting access to the query string parameters `a[__proto__]` and `a[length]` to minimize the risk of exploitation.