Qs
This hub aggregates every CVE we track for Qs, a product in the OSS libraries space. Use it to gauge the current risk picture and drill into individual advisories.
- CVEs tracked: 7
- Critical: 0
- High: 3
- In CISA KEV: 0
Severity distribution
- HIGH: 3
- LOW: 2
- MEDIUM: 2
Monthly trend
[Chart: monthly trend, 2024-07 to 2026-06]
Latest CVEs
The 7 most recently published vulnerabilities affecting Qs.
- CVE-2026-8723: qs.stringify crashes on null/undefined entries in comma-format arrays under encodeValuesOnly (score 5.3)
- CVE-2026-2391: qs's arrayLimit bypass in comma parsing allows denial of service (score 3.7)
- CVE-2025-15284: arrayLimit bypass in bracket notation allows DoS via memory exhaustion (score 3.7)
- CVE-2022-24999: qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __proto__ key can be used. In many typica... (score 7.5)
- CVE-2014-10064: The qs module before 1.0.0 does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of... (score 7.5)
- CVE-2017-1000048: The web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send an evil request to cause the web framework to crash. (score 7.5)
- CVE-2014-7191: The qs module before 1.0.0 in Node.js does not call the compact function for array data, which allows remote attackers to cause a denial of service (memory consumption) by using a large index value... (score 5.0)
Product normalization is registry-driven with AI assist and human review.