CVE-2014-10064
Description
The qs module before 1.0.0 does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. An attacker could leverage this to cause a temporary denial-of-service condition, for example, in a web application, other requests would not be processed while this blocking is occurring.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The qs module before 1.0.0 lacks a depth limit for parsing nested objects, allowing an attacker to cause a Denial-of-Service by blocking the event loop.
Vulnerability
The qs module (a query string parser for Node.js) before version 1.0.0 did not impose a limit on the depth of nested objects when parsing a query string. This lack of a configurable or default maximum depth allowed an attacker to craft a specially formatted query string representing an extremely deeply nested object. The parsing of such input would consume significant processing time, blocking the Node.js event loop. All versions prior to 1.0.0 are affected [1][2].
Exploitation
An attacker can exploit this vulnerability by sending a single HTTP request containing a query string with deeply nested parameters (e.g., a[b][c][d]...[z] with many levels). No authentication or special privileges are required. The attacker only needs the ability to make a request to a web application that uses the vulnerable qs module to parse query strings. The malicious request is processed normally by the server; the event-loop blocking occurs during the parsing step [1].
Impact
Successful exploitation causes a temporary Denial-of-Service (DoS). While the vulnerable qs module is processing the deeply nested object, the Node.js event loop is blocked, preventing the server from handling any other requests. This leads to service unavailability for legitimate users for the duration of the blocking period [1].
Mitigation
Upgrade the qs module to version 1.0.0 or later. Version 1.0.0 introduced a default depth limit and an option to configure the maximum depth, which prevents event-loop blocking from deeply nested objects [1][2]. No workaround is available for earlier versions other than upgrading. This CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
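As an added example (not code from the qs project), the following JavaScript shows the shape of the fix: a bracket-notation parser that descends at most a fixed number of levels, in the spirit of the depth cap qs 1.0.0 introduced, together with a pre-parse guard that reports the nesting depth of a query string so an over-cap request can be rejected or logged before any parsing work is done. The a[b][c] key notation, string-only values and the default cap of 5 are assumptions.

```javascript
// Added example (not qs project code): bounded-depth bracket-notation parser plus
// a pre-parse guard, like the qs 1.0.0 depth cap. Assumes a[b][c] keys, cap 5.
const DEFAULT_MAX_DEPTH = 5;

function safeDecode(s) { // malformed escapes stay literal instead of throwing
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch (_) { return s; }
}

// "a[b][c]" -> ["a", "b", "c"]; any other shape is a single literal key.
function splitKey(key) {
  const m = key.match(/^([^[\]]*)((?:\[[^[\]]*\])*)$/);
  if (!m) return [key];
  const segs = [m[1]];
  for (const s of m[2].matchAll(/\[([^[\]]*)\]/g)) segs.push(s[1]);
  return segs;
}

// Pre-parse guard: reports the deepest key so an over-cap request can be rejected or logged.
function checkQueryDepth(query, maxDepth = DEFAULT_MAX_DEPTH) {
  let deepest = 0, offender = null;
  for (const part of query.replace(/^\?/, '').split('&')) {
    if (!part) continue;
    const key = safeDecode(part.split('=')[0]);
    const d = splitKey(key).length - 1; // "a[b][c]" has depth 2
    if (d > deepest) { deepest = d; offender = key; }
  }
  return { ok: deepest <= maxDepth, deepest, offendingKey: offender };
}

// Parse with at most maxDepth nested levels; segments past the cap are folded
// into one literal key (as qs does), so work per key is bounded by the cap.
function parseBounded(query, maxDepth = DEFAULT_MAX_DEPTH) {
  const out = Object.create(null); // no prototype: "__proto__" is an ordinary key
  for (const part of query.replace(/^\?/, '').split('&')) {
    if (!part) continue;
    const [rawKey, ...rest] = part.split('=');
    const segs = splitKey(safeDecode(rawKey));
    const kept = segs.slice(0, maxDepth + 1);
    if (segs.length > kept.length) {
      kept.push(segs.slice(kept.length).map((s) => '[' + s + ']').join(''));
    }
    let node = out;
    for (const k of kept.slice(0, -1)) {
      if (typeof node[k] !== 'object') node[k] = Object.create(null);
      node = node[k];
    }
    node[kept[kept.length - 1]] = safeDecode(rest.join('='));
  }
  return out;
}
```

Calling `checkQueryDepth` in a request handler and answering over-cap requests with a 4xx (and a log line) keeps the parser's work proportional to the cap rather than to the request.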
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| qs (npm) | < 1.0.0 | 1.0.0 |
Affected products
- HackerOne / qs node module (source: v5), range: <1.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-f9cm-p3w6-xvr3 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2014-10064 (ghsa, ADVISORY)
- nodesecurity.io/advisories/28 (mitre, x_refsource_MISC)
- www.npmjs.com/advisories/28 (ghsa, WEB)
News mentions
No linked articles in our index yet.