DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-8723: CVE-2026-8723: Synchronous Denial of Service in qs npm Package via TypeError

#security #cve #cybersecurity

CVE-2026-8723: Synchronous Denial of Service in qs npm Package via TypeError

Vulnerability ID: CVE-2026-8723
CVSS Score: 5.3
Published: 2026-05-22

The qs query string parsing and serialization library for Node.js is vulnerable to a synchronous Denial of Service (DoS) attack. The vulnerability manifests as a process-terminating TypeError when processing arrays with null or undefined elements under specific configuration parameters.

TL;DR

A configuration-dependent vulnerability in qs.stringify allows attackers to crash the hosting Node.js process by supplying arrays with null or undefined elements when comma formatting and encodeValuesOnly are enabled.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-476
  • Attack Vector: Network
  • CVSS v3.1: 5.3
  • EPSS Score: 0.00044
  • Impact: Denial of Service (Process Termination)
  • Exploit Status: poc
  • KEV Status: Not Listed

Affected Systems

  • Node.js applications
  • Projects utilizing the qs npm package versions 6.11.1 through 6.15.1
  • qs: >= 6.11.1 < 6.15.2 (Fixed in: 6.15.2)

Code Analysis

Commit: 21f80b3

Fix: add null check in encoder mapping for comma-separated arrays

--- a/lib/stringify.js
+++ b/lib/stringify.js
@@ -142,7 +142,9 @@ var stringify = function stringify(
     if (generateArrayPrefix === 'comma' && isArray(obj)) {
         // we need to join elements in
         if (encodeValuesOnly && encoder) {
-            obj = utils.maybeMap(obj, encoder);
+            obj = utils.maybeMap(obj, function (v) {
+                return v == null ? v : encoder(v);
+            });
         }
         objKeys = [{ value: obj.length > 0 ? obj.join(',') || null : void undefined }];
Enter fullscreen mode Exit fullscreen mode

Exploit Details

  • Vendor Advisory: Public proof of concept exploiting the qs.stringify TypeError crash

Mitigation Strategies

  • Upgrade the qs package to a patched version
  • Modify application configuration to avoid vulnerable stringify options
  • Implement defensive error handling around serialization logic
  • Sanitize application state before passing data to serializers

Remediation Steps:

  1. Identify all projects in your environment utilizing the qs npm package.
  2. Audit the codebase for usage of qs.stringify with options { arrayFormat: 'comma', encodeValuesOnly: true }.
  3. Update package.json dependencies to ensure qs is version 6.15.2 or higher.
  4. Execute npm install or yarn install to apply the updated dependency.
  5. Deploy the updated application to target environments.
  6. If upgrade is impossible, wrap vulnerable qs.stringify calls in a try-catch block.

References

Read the full report for CVE-2026-8723 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)