- Package:
- src:node-qs
- Source:
- src:node-qs
- Submitter:
- Salvatore Bonaccorso
- Date:
- 2026-06-24 08:27:02 UTC
- Severity:
- normal
- Tags:
Hi,
The following vulnerability was published for node-qs.
CVE-2026-8723[0]:
| ### Summary `qs.stringify` throws `TypeError` when called with
| `arrayFormat: 'comma'` and `encodeValuesOnly: true` on an array
| containing `null` or `undefined`. The throw is synchronous and not
| handled by any of qs's null-related options (`skipNulls`,
| `strictNullHandling`). ### Details In the comma +
| `encodeValuesOnly` branch, `lib/stringify.js:145` mapped the array
| through the raw encoder before joining: ```js obj =
| utils.maybeMap(obj, encoder); ``` `utils.encode`
| (`lib/utils.js:195`) reads `str.length` with no null guard, so a
| `null` or `undefined` element throws `TypeError`. `skipNulls` and
| `strictNullHandling` are both checked in the per-element loop below
| this line and never get a chance to run. Same class of bug as the
| filter-array path fixed in 0c180a4. The vulnerable shape of the
| comma + `encodeValuesOnly` branch was introduced in 4c4b23d ("encode
| comma values more consistently", PR #463, 2023-01-19), first
| released in v6.11.1. #### PoC ```js const qs =
| require('qs'); qs.stringify({ a: [null, 'b'] }, {
| arrayFormat: 'comma', encodeValuesOnly: true }); qs.stringify({
| a: [undefined, 'b'] }, { arrayFormat: 'comma', encodeValuesOnly:
| true }); qs.stringify({ a: [null] }, { arrayFormat:
| 'comma', encodeValuesOnly: true }); // TypeError: Cannot read
| properties of null (reading 'length') // at encode
| (lib/utils.js:195:13) // at Object.maybeMap
| (lib/utils.js:322:37) // at stringify
| (lib/stringify.js:145:25) ``` #### Fix
| `lib/stringify.js:145`, applied in 21f80b3 on `main` and released as
| v6.15.2: ```diff - obj = utils.maybeMap(obj, encoder); +
| obj = utils.maybeMap(obj, function (v) { + return v == null ?
| v : encoder(v); + }); ``` `null` and `undefined` now pass
| through `maybeMap` unchanged and reach the `join(',')` step as-is.
| For `{ a: [null, 'b'] }` this produces `a=,b`, matching the
| non-`encodeValuesOnly` comma path (which already joins before
| encoding and produces `a=%2Cb` for the same input). Single-element
| `[null]` arrays still collapse via the existing `obj.join(',') ||
| null` and remain subject to `skipNulls` / `strictNullHandling` in
| the main loop. ### Affected versions `>=6.11.1 <6.15.2` —
| fixed in v6.15.2. The vulnerable code shape was introduced in
| 4c4b23d and first shipped in v6.11.1. Earlier versions — including
| all of 6.7.x, 6.8.x, 6.9.x, 6.10.x, and 6.11.0 — implemented the
| comma + `encodeValuesOnly` path differently (joining before
| encoding) and are not affected. Empirically verified across released
| versions. ### Impact Application code that calls
| `qs.stringify` with both `arrayFormat: 'comma'` and
| `encodeValuesOnly: true` (both non-default) on input that may
| contain a `null` or `undefined` array element will throw
| synchronously instead of producing a query string. In a typical
| Node.js HTTP framework (Express, Fastify, Koa, hapi) the sync throw
| is caught by the framework's error boundary and the affected request
| returns a 500; the worker process does not exit and subsequent
| requests are unaffected. The "kills the worker process" framing
| applies only to call sites outside a request-handler error boundary
| (background jobs, startup paths, stream pipelines) or to deployments
| with framework error handling explicitly disabled. The vulnerable
| input is a `null` or `undefined` entry inside an array; this is
| reachable from JSON request bodies or from application code
| constructing arrays from user input, but not from standard HTML form
| submissions (which produce strings or omitted fields, not literal
| `null`).
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-8723
https://www.cve.org/CVERecord?id=CVE-2026-8723
[1] https://github.com/ljharb/qs/security/advisories/GHSA-q8mj-m7cp-5q26
[2] https://github.com/ljharb/qs/commit/21f80b33e5c8b3f7eba1034fff0da4a4a37a1d41
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Hello, Bug #1137257 in node-qs reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at: https://salsa.debian.org/js-team/node-qs/-/commit/070190e4c8800d7f254ccda92c0aa4848dfe2103 (this message was generated automatically) -- Greetings https://bugs.debian.org/1137257
Hello, Bug #1137257 in node-qs reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at: https://salsa.debian.org/js-team/node-qs/-/commit/070190e4c8800d7f254ccda92c0aa4848dfe2103 (this message was generated automatically) -- Greetings https://bugs.debian.org/1137257
We believe that the bug you reported is fixed in the latest version of node-qs, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1137257@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Xavier Guimard <yadd@debian.org> (supplier of updated node-qs package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org) Format: 1.8 Date: Wed, 24 Jun 2026 10:07:32 +0200 Source: node-qs Architecture: source Version: 6.15.2+ds+~6.15.1-1 Distribution: unstable Urgency: medium Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org> Changed-By: Xavier Guimard <yadd@debian.org> Closes: 1137257 Changes: node-qs (6.15.2+ds+~6.15.1-1) unstable; urgency=medium . * Team upload * New upstream version (Closes: #1137257, CVE-2026-8723) * Unfuzz patches Checksums-Sha1: 3c8cc4e9256f4a9ac959528db11e6fe72bcb0224 3018 node-qs_6.15.2+ds+~6.15.1-1.dsc efc80571f1b119011726e2ee3b939a396f082b01 2544 node-qs_6.15.2+ds+~6.15.1.orig-types-qs.tar.xz 06f30e93a73f8caa6309c7506920b99ee9597375 11091936 node-qs_6.15.2+ds+~6.15.1.orig.tar.xz 29408b5723f60ac5711652ab21c9b10253cb1842 8956 node-qs_6.15.2+ds+~6.15.1-1.debian.tar.xz Checksums-Sha256: ae6ec677e42d5c484b3aec8a362d8e40766ad4b7caddbfb3c96da72f17429d4d 3018 node-qs_6.15.2+ds+~6.15.1-1.dsc d9f097b86129fd65adb3cba3f3096691da0cb17c4e32931b15d18f4036213753 2544 node-qs_6.15.2+ds+~6.15.1.orig-types-qs.tar.xz 21e2ce106e90e64b03184339923ce6ce404fb536fffd4a951d2d3a4299d51d5b 11091936 node-qs_6.15.2+ds+~6.15.1.orig.tar.xz 44ded9759d2f094dd44438a97ffb9c0da3bd9d4bbae824679264b55226e29684 8956 node-qs_6.15.2+ds+~6.15.1-1.debian.tar.xz Files: 58ace3caebb8333be10ee6febcc26777 3018 javascript optional node-qs_6.15.2+ds+~6.15.1-1.dsc ac0a6f01c0c9f6aa71b189e05a0ee1ee 2544 javascript optional node-qs_6.15.2+ds+~6.15.1.orig-types-qs.tar.xz a92c5d4fdf0bc8f0eb9585c4eaa6803e 11091936 javascript optional node-qs_6.15.2+ds+~6.15.1.orig.tar.xz 31adcc8cf0c77ca77d1d6f1de73dcd79 8956 javascript optional node-qs_6.15.2+ds+~6.15.1-1.debian.tar.xz -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEAN/li4tVV3nRAF7J9tdMp8mZ7ukFAmo7kJcACgkQ9tdMp8mZ 7unrXA/+N94sYUoS4CFwtd2FFomo9E9wTYU4CXpWO8Sz0R4jMNxtlO620LhdE8AQ +apONGxAqxqigyqo/r49VdTR1P/0ya1fDkud02jwD0ToCFjgQia3dmnIaK3U+5JV A9eNzgIZbmBPxaEyFDwHcBUqG/QJIF/MFgQBjqbAw8ldEiqb2HQ98OhQYaopU5W4 GhsNfb4B7EhZroavV9JMWCAzGMB4UHp5PApuwLyTj+2oX5FHetqJTCZbVEFiGUbM aF0FnpBBxM9vF2Ii16Jjkm2nvCU+wHSXakody9X6BpWHjlnU0ht9fjXBUbJeMUmZ 5oHMILzr9vYYp21ZBasjUUwoqyVc5YOzqvluNjjWkwEqeW5x+5AGVWGjMn+E9ARV K7JCsTfiv1roDl0EFtyJ3FMPeCRyzTJ79/WLGKChe++zl1zxA08YRfCFthEJyCw7 d4otu7gcd073a2qian1tsiQLgQPmtZP7FHfq7Jz2N6yiz7Z6VQZjkEFmP5+Lzdv3 aLtTyuOaeY3zMm4HcU5EUpIg0rDjOxWpNcSFqYxQl+i+PbrHJKAcB2iGbcu90zBX PYz5f5yibJ4IiHBkAsAqJHUYk3X0YLMZurTPhauwPhV8jgrrGiGqWQx/mal+baLa bdz22vxNB9MMS4CSE4qzN7033GR0Y8Cp0awsWJeferp8rDmlItQ= =Ksrv -----END PGP SIGNATURE-----