WS-2014-0005 (High) detected in qs-0.6.5.tgz, qs-0.5.6.tgz
Opened by mend-bolt-for-github
WS-2014-0005 - High Severity Vulnerability
Vulnerable Libraries - qs-0.6.5.tgz, qs-0.5.6.tgz
qs-0.6.5.tgz
querystring parser
Library home page: https://registry.npmjs.org/qs/-/qs-0.6.5.tgz
Path to dependency file: caite/package.json
Path to vulnerable library: caite/node_modules/qs/package.json
Dependency Hierarchy:
- grunt-contrib-connect-0.5.0.tgz (Root Library)
  - connect-2.7.11.tgz
    - ❌ qs-0.6.5.tgz (Vulnerable Library)
qs-0.5.6.tgz
querystring parser
Library home page: https://registry.npmjs.org/qs/-/qs-0.5.6.tgz
Path to dependency file: caite/package.json
Path to vulnerable library: caite/node_modules/tiny-lr/node_modules/qs/package.json
Dependency Hierarchy:
- grunt-contrib-watch-0.5.3.tgz (Root Library)
  - tiny-lr-0.0.4.tgz
    - ❌ qs-0.5.6.tgz (Vulnerable Library)
Found in HEAD commit: cd9951c688404f842b5b42d372e5ac4d387ff367
Found in base branch: master
Vulnerability Details
Denial-of-Service: Extended Event Loop Blocking. The qs module does not have an option or default for specifying object depth, so when parsing a string that represents a deeply nested object it will block the event loop for long periods of time.
Publish Date: 2014-07-31
URL: WS-2014-0005
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/qs_dos_extended_event_loop_blocking
Release Date: 2014-08-06
Fix Resolution: Update qs to version 1.0.0 or greater