LOW 3.7 npm
GHSA-6rw7-vpxm-498p · CVE-2025-15284 qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion
Modified: 3/4/2026
package
npm / qs
pkg:npm/qs
HIGH npm
GHSA-f9cm-p3w6-xvr3 · CVE-2014-10064 Denial-of-Service Extended Event Loop Blocking in qs
Modified: 11/8/2023
HIGH 7.5 npm
GHSA-gqgv-6jq5-jjj9 · CVE-2017-1000048 Prototype Pollution Protection Bypass in qs
Modified: 11/8/2023
HIGH 7.5 npm
GHSA-hrpp-h998-j3pp · CVE-2022-24999 qs vulnerable to Prototype Pollution
Modified: 4/29/2025
HIGH npm
GHSA-jjv7-qpx3-h62q · CVE-2014-7191 Denial-of-Service Memory Exhaustion in qs
Modified: 11/8/2023
MEDIUM 5.3 npm
GHSA-q8mj-m7cp-5q26 · CVE-2026-8723 qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set
Modified: 5/26/2026
LOW 3.7 npm
GHSA-w7fw-mjwx-w883 · CVE-2026-2391 qs's arrayLimit bypass in comma parsing allows denial of service
Modified: 3/16/2026