RobinTail / express-zod-api / 26387585102
100%

Build:
DEFAULT BRANCH: master
Ran 25 May 2026 06:52AM UTC
Jobs 6
Files 49
Run time 1min
25 May 2026 06:51AM UTC coverage: 100.0%. Remained the same
26387585102

push

github

web-flow
chore(deps): update dependency qs to v6.15.2 [security] (#3412)

This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [qs](https://redirect.github.com/ljharb/qs) | [`6.15.1` → `6.15.2`](https://renovatebot.com/diffs/npm/qs/6.15.1/6.15.2) | ![age](https://developer.mend.io/api/mc/badges/age/npm/qs/6.15.2?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/qs/6.15.1/6.15.2?slim=true) |

---

### qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set
[CVE-2026-8723](https://nvd.nist.gov/vuln/detail/CVE-2026-8723) / [GHSA-q8mj-m7cp-5q26](https://redirect.github.com/advisories/GHSA-q8mj-m7cp-5q26)

<details>
<summary>More information</summary>

#### Details
##### Summary

`qs.stringify` throws `TypeError` when called with `arrayFormat:
'comma'` and `encodeValuesOnly: true` on an array containing `null` or
`undefined`. The throw is synchronous and not handled by any of qs's
null-related options (`skipNulls`, `strictNullHandling`).

##### Details

In the comma + `encodeValuesOnly` branch, `lib/stringify.js:145` mapped
the array through the raw encoder before joining:

```js
obj = utils.maybeMap(obj, encoder);
```

`utils.encode` (`lib/utils.js:195`) reads `str.length` with no null
guard, so a `null` or `undefined` element throws `TypeError`.
`skipNulls` and `strictNullHandling` are both checked in the per-element
loop below this line and never get a chance to run.

Same class of bug as the filter-array path fixed in 0c180a4. The
vulnerable shape of the comma + `encodeValuesOnly` branch was introduced
in 4c4b23d ("encode comma values more consistently", PR #463,
2023-01-19), first released in v6.11.1.

##### PoC

```js
const qs = require('qs');

qs.stringify({ a: [null, 'b'] },      { ... (continued)

973 of 1014 branches covered (95.96%)

1415 of 1415 relevant lines covered (100.0%)

438.12 hits per line

Jobs
| ID | Job ID | Ran | Files | Coverage |
|---|---|---|---|---|
| 1 | run-26.x - 26387585102.1 | 25 May 2026 06:52AM UTC | 49 | 100.0 |
| 2 | run-24.0.0 - 26387585102.2 | 25 May 2026 06:53AM UTC | 49 | 100.0 |
| 3 | run-22.x - 26387585102.3 | 25 May 2026 06:52AM UTC | 49 | 100.0 |
| 4 | run-26.0.0 - 26387585102.4 | 25 May 2026 06:53AM UTC | 49 | 100.0 |
| 5 | run-22.19.0 - 26387585102.5 | 25 May 2026 06:53AM UTC | 49 | 100.0 |
| 6 | run-24.x - 26387585102.6 | 25 May 2026 06:53AM UTC | 49 | 100.0 |
  • 6a43a444 on github