- Description: An attacker crafts a malicious query string that includes special keys (e.g.,
__proto__,constructor,prototype) designed to inject properties into theObject.prototype. The attacker sends this crafted query string to the server as part of a request. This is a direct vulnerability of howqsparses input if not configured securely.- Impact:
- Denial of Service (DoS): Altering core object behavior can cause the application to crash or become unresponsive.
- Remote Code Execution (RCE): In some cases, depending on how the application uses the polluted object, the attacker might be able to inject code that gets executed by the server. This is the most severe impact.
- Unexpected Application Behavior: Altering object properties can lead to unpredictable behavior, data corruption, or bypass of security checks.
- Affected Component:
qs.parse()function, specifically when parsing untrusted query strings without proper safeguards. - Risk Severity: Critical (if RCE is possible) or High (if DoS or significant application disruption is likely).
- Mitigation Strategies:
- Use Latest Version: Always use the most up-to-date version of
qs. plainObjects: true: Use theqs.parse(queryString, { plainObjects: true })option.allowPrototypes: false: Useqs.parse(queryString, { allowPrototypes: false })(default in newer versions).- Input Validation: Implement strict whitelisting of allowed query parameters after parsing.
- Object Freezing (Extreme): Consider freezing
Object.prototypebefore parsing (use with caution). - Safe Object Handling Libraries: Use libraries designed to be resistant to prototype pollution.
- Use Latest Version: Always use the most up-to-date version of
- Impact:
- Description: An attacker sends a query string with deeply nested objects (e.g.,
a[b][c][d][e][...]= value). Theqsparser, by its design, attempts to process this nesting, consuming excessive CPU and memory. This is a direct consequence ofqs's features.- Impact: The server becomes unresponsive, unable to handle legitimate requests, leading to a denial of service.
- Affected Component:
qs.parse()function, specifically the handling of nested objects. - Risk Severity: High
- Mitigation Strategies:
depthOption: Limit the maximum nesting depth usingqs.parse(queryString, { depth: 5 })(adjust as needed).- Request Size Limits: Implement overall request size limits (this is a general mitigation, but still relevant).
- Resource Monitoring: Monitor server resource usage.
- Description: An attacker sends a query string containing an array with a very large number of elements (e.g.,
a[]=1&a[]=2&a[]=3...repeated thousands of times). Theqsparser, by its design, attempts to allocate and populate this large array, consuming excessive resources.- Impact: Server resources are exhausted, leading to a denial of service.
- Affected Component:
qs.parse()function, specifically the handling of arrays. - Risk Severity: High
- Mitigation Strategies:
arrayLimitOption: Limit the maximum number of array elements usingqs.parse(queryString, { arrayLimit: 100 })(adjust as needed).- Request Size Limits: Implement overall request size limits.
- Resource Monitoring: Monitor server resource usage.
- Description: An attacker sends a query string with a very large number of distinct parameters.
qs, by design, attempts to parse each of these parameters.- Impact: Server resources are consumed in parsing, potentially leading to denial of service.
- Affected Component:
qs.parse()function. - Risk Severity: High (While often categorized as Medium, the direct impact on
qs's parsing process and the potential for complete resource exhaustion, especially with very large numbers of parameters, warrants a High rating in this context). - Mitigation Strategies:
parameterLimitOption: Limit the total number of parameters usingqs.parse(queryString, { parameterLimit: 1000 })(adjust as needed).- Request Size Limits: Implement overall request size limits.
- Resource Monitoring: Monitor server resource usage.