Duplicates
Latest version
Current behavior 😯
qs before 6.10.3 allows attackers to cause a Node process hang because an __proto__ key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[proto]=b&a[proto]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.
Expected behavior 🤔
Can you upgrade your qs version to a non-affected version?
Package: qs (npm)
Affected versions: >= 6.10.0, < 6.10.3
Patched version: 6.10.3
Steps to reproduce 🕹
Steps:
Screenshots or Videos 📹
No response
Platform 🌍
all of the above
@giphy/js-fetch-api@npm:5.3.0
GIPHY-JS SDK version
latest version and above, @giphy/js-fetch-api@npm:5.3.0
TypeScript version
No response
Additional context 🔦
No response
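
An added example, not part of the original issue and not code from the qs or GIPHY projects: a Node.js check that walks an npm lockfile and flags every installed copy of qs older than the fixed releases listed in the report. The lockfile layout (the npm v2/v3 `packages` map), the constructed `SAMPLE_LOCK`, and the helper names `isPatchedQs` and `findQs` are assumptions for illustration.

```javascript
// Fixed patch release for each 6.x minor line, taken from the report above.
const FIXED_PATCH = { 10: 3, 9: 7, 8: 3, 7: 3, 6: 1, 5: 3, 4: 1, 3: 3, 2: 4 };

// True when a plain x.y.z qs version already contains the fix.
function isPatchedQs(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  if (!m) return false; // unparseable version: flag it for manual review
  const [major, minor, patch] = m.slice(1).map(Number);
  if (major !== 6) return major > 6; // the report covers everything before 6.10.3
  if (minor > 10) return true;
  // Assumption: 6.x lines with no backport listed (6.0, 6.1) count as unpatched.
  return minor in FIXED_PATCH && patch >= FIXED_PATCH[minor];
}

// Walk the "packages" map of an npm lockfile (lockfileVersion 2 or 3) and
// report every installed copy of qs, including copies nested under a dependency.
function findQs(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/qs$/.test(path)) continue; // skips e.g. @scope/qs
    hits.push({ path, version: meta.version, patched: isPatchedQs(meta.version) });
  }
  return hits;
}

// Constructed sample lockfile (not taken from any real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@giphy/js-fetch-api": { version: "5.3.0" },
    "node_modules/qs": { version: "6.10.1" },
    "node_modules/lib-a/node_modules/qs": { version: "6.9.7" },
    "node_modules/lib-b/node_modules/qs": { version: "6.5.2" },
    "node_modules/@scope/qs": { version: "1.0.0" },
  },
};

for (const hit of findQs(SAMPLE_LOCK)) {
  console.log(`${hit.patched ? "ok    " : "UPDATE"} qs@${hit.version} at ${hit.path}`);
}
```

Nested copies matter here: upgrading the top-level qs does not change a copy pinned under another dependency's own `node_modules` directory.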