[Pkg-javascript-devel] Bug#1137257: node-qs: CVE-2026-8723

Salvatore Bonaccorso carnil at debian.org
Thu May 21 20:56:08 BST 2026


Source: node-qs
Version: 6.15.0+ds+~6.15.0-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for node-qs.

CVE-2026-8723[0]:
| ### Summary
|
| `qs.stringify` throws `TypeError` when called with `arrayFormat: 'comma'`
| and `encodeValuesOnly: true` on an array containing `null` or `undefined`.
| The throw is synchronous and not handled by any of qs's null-related
| options (`skipNulls`, `strictNullHandling`).
|
| ### Details
|
| In the comma + `encodeValuesOnly` branch, `lib/stringify.js:145` mapped the
| array through the raw encoder before joining:
|
| ```js
| obj = utils.maybeMap(obj, encoder);
| ```
|
| `utils.encode` (`lib/utils.js:195`) reads `str.length` with no null guard,
| so a `null` or `undefined` element throws `TypeError`. `skipNulls` and
| `strictNullHandling` are both checked in the per-element loop below this
| line and never get a chance to run.
|
| Same class of bug as the filter-array path fixed in 0c180a4. The
| vulnerable shape of the comma + `encodeValuesOnly` branch was introduced
| in 4c4b23d ("encode comma values more consistently", PR #463,
| 2023-01-19), first released in v6.11.1.
|
| #### PoC
|
| ```js
| const qs = require('qs');
| qs.stringify({ a: [null, 'b'] },      { arrayFormat: 'comma', encodeValuesOnly: true });
| qs.stringify({ a: [undefined, 'b'] }, { arrayFormat: 'comma', encodeValuesOnly: true });
| qs.stringify({ a: [null] },           { arrayFormat: 'comma', encodeValuesOnly: true });
| // TypeError: Cannot read properties of null (reading 'length')
| //     at encode (lib/utils.js:195:13)
| //     at Object.maybeMap (lib/utils.js:322:37)
| //     at stringify (lib/stringify.js:145:25)
| ```
|
| #### Fix
|
| `lib/stringify.js:145`, applied in 21f80b3 on `main` and released as
| v6.15.2:
|
| ```diff
| - obj = utils.maybeMap(obj, encoder);
| + obj = utils.maybeMap(obj, function (v) {
| +     return v == null ? v : encoder(v);
| + });
| ```
|
| `null` and `undefined` now pass through `maybeMap` unchanged and reach the
| `join(',')` step as-is. For `{ a: [null, 'b'] }` this produces `a=,b`,
| matching the non-`encodeValuesOnly` comma path (which already joins before
| encoding and produces `a=%2Cb` for the same input). Single-element `[null]`
| arrays still collapse via the existing `obj.join(',') || null` and remain
| subject to `skipNulls` / `strictNullHandling` in the main loop.
|
| ### Affected versions
|
| `>=6.11.1 <6.15.2` — fixed in v6.15.2.
|
| The vulnerable code shape was introduced in 4c4b23d and first shipped in
| v6.11.1. Earlier versions — including all of 6.7.x, 6.8.x, 6.9.x, 6.10.x,
| and 6.11.0 — implemented the comma + `encodeValuesOnly` path differently
| (joining before encoding) and are not affected. Empirically verified
| across released versions.
|
| ### Impact
|
| Application code that calls `qs.stringify` with both `arrayFormat: 'comma'`
| and `encodeValuesOnly: true` (both non-default) on input that may contain a
| `null` or `undefined` array element will throw synchronously instead of
| producing a query string. In a typical Node.js HTTP framework (Express,
| Fastify, Koa, hapi) the sync throw is caught by the framework's error
| boundary and the affected request returns a 500; the worker process does
| not exit and subsequent requests are unaffected. The "kills the worker
| process" framing applies only to call sites outside a request-handler
| error boundary (background jobs, startup paths, stream pipelines) or to
| deployments with framework error handling explicitly disabled.
|
| The vulnerable input is a `null` or `undefined` entry inside an array; this
| is reachable from JSON request bodies or from application code constructing
| arrays from user input, but not from standard HTML form submissions (which
| produce strings or omitted fields, not literal `null`).
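Review bot: the guard `v == null` in the replacement mapper relies on loose equality to let both `null` and `undefined` through, which is the intended behaviour but easy to "fix" into `=== null` later; a short comment on that line, plus a regression test pinning `{ a: [null, 'b'] }` to `a=,b` and `{ a: [null] }` under `skipNulls` / `strictNullHandling`, would protect the behaviour the Fix section describes. The two comma paths also still differ in where the separator is encoded (`a=,b` here versus `a=%2Cb` on the non-`encodeValuesOnly` path), so that difference deserves a note in the docs rather than being left implicit.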


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-8723
    https://www.cve.org/CVERecord?id=CVE-2026-8723
[1] https://github.com/ljharb/qs/security/advisories/GHSA-q8mj-m7cp-5q26
[2] https://github.com/ljharb/qs/commit/21f80b33e5c8b3f7eba1034fff0da4a4a37a1d41

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
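As an added example (not qs's own code and not part of the advisory or this report), the snippet below is a reduced model of the comma + `encodeValuesOnly` branch described above: the same unguarded `str.length` read, the pre-21f80b3 raw mapper beside the guarded one from the fix, and a pre-flight check an application pinned to an affected version can run before calling `qs.stringify`. The names `encode`, `maybeMap`, `stringifyComma`, `rawMapper`, `guardedMapper` and `hasNullishElement` are stand-ins chosen here, not qs exports.

```javascript
// Reduced model of qs's comma + encodeValuesOnly branch (added example, not
// qs's code). Names are ours; behaviour mirrors the advisory text.

// Stand-in for utils.encode: like the real one it reads str.length with no
// null guard, so a null or undefined element throws TypeError.
function encode(str) {
  if (str.length === 0) return str;
  return encodeURIComponent(String(str));
}

// Stand-in for utils.maybeMap: map arrays element-wise, else apply once.
function maybeMap(val, fn) {
  return Array.isArray(val) ? val.map((v) => fn(v)) : fn(val);
}

// Pre-6.15.2 mapping: the raw encoder sees every element, nulls included.
const rawMapper = (v) => encode(v);

// 6.15.2 mapping (21f80b3): nullish elements pass through untouched.
const guardedMapper = (v) => (v == null ? v : encode(v));

// Stringify one array-valued key as qs does for arrayFormat 'comma' with
// encodeValuesOnly. Returns the "key=value" fragment, or null when the key
// emits nothing (empty array, or null dropped by skipNulls). The joined
// value is not re-encoded, which is why qs encodes element-wise first.
function stringifyComma(key, arr, opts, mapper) {
  const mapped = maybeMap(arr, mapper); // throws here with rawMapper
  const value = mapped.length > 0 ? mapped.join(',') || null : undefined;
  if (value === undefined) return null;
  if (opts.skipNulls && value === null) return null;
  if (value === null) return opts.strictNullHandling ? key : key + '=';
  return key + '=' + String(value);
}

// Pre-flight guard for applications still on an affected version: detect
// arrays that would reach the raw encoder with a nullish element so the
// caller can sanitise them (or reject the request) instead of throwing.
function hasNullishElement(arr) {
  return Array.isArray(arr) && arr.some((v) => v == null);
}

// Illustrative run with constructed inputs.
console.log(stringifyComma('a', [null, 'b'], {}, guardedMapper)); // a=,b
try {
  stringifyComma('a', [null, 'b'], {}, rawMapper);
} catch (e) {
  console.log(e instanceof TypeError); // true
}
```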

