High severity · 7.5 · NVD Advisory · Published Jul 17, 2017 · Updated May 13, 2026
CVE-2017-1000048
Description
The web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send an evil request to cause the web framework to crash.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| qs (npm) | < 6.0.4 | 6.0.4 |
| qs (npm) | >= 6.1.0, < 6.1.2 | 6.1.2 |
| qs (npm) | >= 6.2.0, < 6.2.3 | 6.2.3 |
| qs (npm) | >= 6.3.0, < 6.3.2 | 6.3.2 |
Affected products
- cpe:2.3:a:qs_project:qs:2.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:qs_project:qs:2.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:qs_project:qs:2.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:qs_project:qs:2.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:qs_project:qs:3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:qs_project:qs:3.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:qs_project:qs:4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:qs_project:qs:5.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:qs_project:qs:5.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:qs_project:qs:5.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:qs_project:qs:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:qs_project:qs:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:qs_project:qs:1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:qs_project:qs:1.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:qs_project:qs:1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:qs_project:qs:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:qs_project:qs:2.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:qs_project:qs:2.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:qs_project:qs:6.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:qs_project:qs:6.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:qs_project:qs:5.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:qs_project:qs:6.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:qs_project:qs:6.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:qs_project:qs:6.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:qs_project:qs:6.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:qs_project:qs:6.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:qs_project:qs:6.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:qs_project:qs:6.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:qs_project:qs:6.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:qs_project:qs:6.2.2:*:*:*:*:*:*:*
Patches
1. beade029171b — [Fix] ensure that `allowPrototypes: false` does not ever shadow Object.prototype properties.
2 files changed · +33 −8
lib/parse.js+4 −4 modified
@@ -55,7 +55,7 @@ var parseObject = function parseObjectRecursive(chain, val, options) {
 obj = obj.concat(parseObject(chain, val, options));
 } else {
 obj = options.plainObjects ? Object.create(null) : {};
- var cleanRoot = root[0] === '[' && root[root.length - 1] === ']' ? root.slice(1, root.length - 1) : root;
+ var cleanRoot = root.charAt(0) === '[' && root.charAt(root.length - 1) === ']' ? root.slice(1, -1) : root;
 var index = parseInt(cleanRoot, 10);
 if (
 !isNaN(index) &&
@@ -84,7 +84,7 @@ var parseKeys = function parseQueryStringKeys(givenKey, val, options) {
 // The regex chunks
- var parent = /^([^[\]]*)/;
+ var parent = /^([^[]*)/;
 var child = /(\[[^[\]]*])/g;
 // Get the parent
@@ -111,9 +111,9 @@ var parseKeys = function parseQueryStringKeys(givenKey, val, options) {
 var i = 0;
 while ((segment = child.exec(key)) !== null && i < options.depth) {
 i += 1;
- if (!options.plainObjects && has.call(Object.prototype, segment[1].replace(/\[|]/g, ''))) {
+ if (!options.plainObjects && has.call(Object.prototype, segment[1].slice(1, -1))) {
 if (!options.allowPrototypes) {
- continue;
+ return;
 }
 }
 keys.push(segment[1]);
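Review bot: The `continue` → `return` at the `allowPrototypes` check is the substantive fix: a key whose bracket segment names an `Object.prototype` property is now dropped entirely instead of having only that segment skipped, which previously collapsed `a[hasOwnProperty]=c` onto `a` and merged `'c'` into it (the retired expectations `c: true` and `1: 'c'` in test/parse.js show that re-targeting). Because `parseKeys` now returns `undefined` for such keys, its caller — outside this hunk — has to treat an undefined result as "nothing to merge"; a why-comment on the new line would keep the next reader from reverting it to `continue`: `// drop the whole key: skipping only this segment would re-target the value onto the parent`. The parent regex change in the second hunk (`/^([^[]*)/`) now lets a leading `]` become part of the literal key, as the new `]=toString` test pins. Both parseObject and parseKeys start and end outside these hunks.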
test/parse.js+29 −4 modified
@@ -131,9 +131,9 @@ test('parse()', function (t) {
 st.deepEqual(qs.parse('foo[bad]=baz&foo[]=bar&foo[]=foo'), { foo: { bad: 'baz', 0: 'bar', 1: 'foo' } });
 st.deepEqual(qs.parse('foo[0][a]=a&foo[0][b]=b&foo[1][a]=aa&foo[1][b]=bb'), { foo: [{ a: 'a', b: 'b' }, { a: 'aa', b: 'bb' }] });
- st.deepEqual(qs.parse('a[]=b&a[t]=u&a[hasOwnProperty]=c', { allowPrototypes: false }), { a: { 0: 'b', c: true, t: 'u' } });
+ st.deepEqual(qs.parse('a[]=b&a[t]=u&a[hasOwnProperty]=c', { allowPrototypes: false }), { a: { 0: 'b', t: 'u' } });
 st.deepEqual(qs.parse('a[]=b&a[t]=u&a[hasOwnProperty]=c', { allowPrototypes: true }), { a: { 0: 'b', t: 'u', hasOwnProperty: 'c' } });
- st.deepEqual(qs.parse('a[]=b&a[hasOwnProperty]=c&a[x]=y', { allowPrototypes: false }), { a: { 0: 'b', 1: 'c', x: 'y' } });
+ st.deepEqual(qs.parse('a[]=b&a[hasOwnProperty]=c&a[x]=y', { allowPrototypes: false }), { a: { 0: 'b', x: 'y' } });
 st.deepEqual(qs.parse('a[]=b&a[hasOwnProperty]=c&a[x]=y', { allowPrototypes: true }), { a: { 0: 'b', hasOwnProperty: 'c', x: 'y' } });
 st.end();
 });
@@ -413,9 +413,34 @@ test('parse()', function (t) {
 st.end();
 });
+ t.test('does not allow overwriting prototype properties', function (st) {
+ st.deepEqual(qs.parse('a[hasOwnProperty]=b', { allowPrototypes: false }), {});
+ st.deepEqual(qs.parse('hasOwnProperty=b', { allowPrototypes: false }), {});
+
+ st.deepEqual(
+ qs.parse('toString', { allowPrototypes: false }),
+ {},
+ 'bare "toString" results in {}'
+ );
+
+ st.end();
+ });
+
 t.test('can allow overwriting prototype properties', function (st) {
- st.deepEqual(qs.parse('a[hasOwnProperty]=b', { allowPrototypes: true }), { a: { hasOwnProperty: 'b' } }, { prototype: false });
- st.deepEqual(qs.parse('hasOwnProperty=b', { allowPrototypes: true }), { hasOwnProperty: 'b' }, { prototype: false });
+ st.deepEqual(qs.parse('a[hasOwnProperty]=b', { allowPrototypes: true }), { a: { hasOwnProperty: 'b' } });
+ st.deepEqual(qs.parse('hasOwnProperty=b', { allowPrototypes: true }), { hasOwnProperty: 'b' });
+
+ st.deepEqual(
+ qs.parse('toString', { allowPrototypes: true }),
+ { toString: '' },
+ 'bare "toString" results in { toString: "" }'
+ );
+
+ st.end();
+ });
+
+ t.test('params starting with a closing bracket', function (st) {
+ st.deepEqual(qs.parse(']=toString'), { ']': 'toString' });
 st.end();
 });
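Review bot: The new 'does not allow overwriting prototype properties' test pins only `hasOwnProperty` and `toString`, while the guard in lib/parse.js is `has.call(Object.prototype, name)` and so also covers `constructor` and `__proto__`; one assertion per such name, e.g. `st.deepEqual(qs.parse('a[constructor]=b', { allowPrototypes: false }), {});` (constructed example), would keep a future narrowing of that check from passing unnoticed. The nested case is exercised only with the prototype name as the last segment; a middle-segment key such as `a[hasOwnProperty][x]=b` is also worth pinning to `{}`, since the `return` in parseKeys should discard the whole key. The enclosing `test('parse()', …)` callback starts and ends outside the hunk.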
References
7- github.com/advisories/GHSA-gqgv-6jq5-jjj9ghsaADVISORY
- github.com/ljharb/qs/issues/200nvdThird Party AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2017-1000048ghsaADVISORY
- access.redhat.com/errata/RHSA-2017:2672nvdWEB
- github.com/ljharb/qs/commit/beade029171b8cef9cee0d03ebe577e2dd84976dghsaWEB
- snyk.io/vuln/npm:qs:20170213ghsaWEB
- www.npmjs.com/advisories/1469ghsaWEB