CVE-2014-7191

Published: 19 October 2014

The qs module before 1.0.0 in Node.js does not call the compact function for array data, which allows remote attackers to cause a denial of service (memory consumption) by using a large index value to create a sparse array.
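The failure mode in the description above, shown as an added example that is not code from qs or node-querystring. It handles only flat `name[index]=value` pairs, and `parseSparse`, `parseCompact`, `maxEntries` and the sample query are names and values assumed for the illustration.

```javascript
// Added illustration, not code from qs / node-querystring.
// Parses only flat "name[index]=value" pairs; every name here is hypothetical.
const PAIR = /^([^\[\]=]+)\[(\d+)\]=(.*)$/;

function* pairs(query) {
  for (const part of query.split('&')) {
    const m = PAIR.exec(part);
    if (m) yield [decodeURIComponent(m[1]), Number(m[2]), decodeURIComponent(m[3])];
  }
}

// Behaviour the CVE text describes: the client-supplied index is used
// directly and nothing compacts the result, so one pair sets the length.
function parseSparse(query) {
  const out = Object.create(null);
  for (const [name, index, value] of pairs(query)) {
    if (!out[name]) out[name] = [];
    out[name][index] = value;
  }
  return out;
}

// Hardened form: collect entries keyed by index, then compact them into a
// dense array in index order, so the length tracks the number of values
// actually sent. maxEntries (assumed cap) bounds distinct indices per name.
function parseCompact(query, maxEntries = 20) {
  const byName = Object.create(null);
  for (const [name, index, value] of pairs(query)) {
    const entries = byName[name] || (byName[name] = new Map());
    if (entries.size >= maxEntries && !entries.has(index)) {
      throw new RangeError(`too many entries for "${name}"`);
    }
    entries.set(index, value);
  }
  const out = Object.create(null);
  for (const name of Object.keys(byName)) {
    out[name] = [...byName[name]].sort((x, y) => x[0] - y[0]).map((e) => e[1]);
  }
  return out;
}

// Constructed sample input: two values, one with a large index.
const SAMPLE = 'a[0]=x&a[1000000]=y';
```

With the constructed sample, `parseSparse` returns an array whose length is 1000001 for two values, while `parseCompact` returns a two-element array.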

From the Ubuntu security team

It was discovered that the qs module in Node.js incorrectly handled inputs. A remote attacker could possibly use this issue to cause a denial of service.

Priority

Medium

Status

Package: node-qs

Release                          Status
Upstream                         Released (1.0.0)
Ubuntu 21.10 (Impish Indri)      Not vulnerable (2.2.4-1)
Ubuntu 21.04 (Hirsute Hippo)     Not vulnerable (2.2.4-1)
Ubuntu 20.10 (Groovy Gorilla)    Not vulnerable (2.2.4-1)
Ubuntu 20.04 LTS (Focal Fossa)   Not vulnerable (2.2.4-1)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable (2.2.4-1)
Ubuntu 16.04 ESM (Xenial Xerus)  Not vulnerable (2.2.4-1)
Ubuntu 14.04 ESM (Trusty Tahr)   Needed

Patches:
Upstream: https://github.com/tj/node-querystring/pull/114/commits/43a604b7847e56bba49d0ce3e222fe89569354d8

Notes

Author: ebarretto
Note:
This issue is actually for node-querystring.
Somewhere along the line node-qs was born or forked from
node-querystring which was deprecated. But now there are again
new projects called querystring. Be careful when updating.
Trusty's version is actually based on node-querystring.
