Bug 2065685 (CVE-2021-44907) - CVE-2021-44907 qs: Insufficient sanitization of property in the qs.parse function
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2021-44907
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2075666 2076435
Blocks: 2065687
Reported: 2022-03-18 13:31 UTC by Pedro Sampaio
Modified: 2023-04-04 12:12 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-04-27 07:19:11 UTC
Embargoed:



Description Pedro Sampaio 2022-03-18 13:31:28 UTC
A Denial of Service vulnerability exists in qs up to 6.8.0 due to insufficient sanitization of property in the qs.parse function. The merge() function allows the assignment of properties on an array in the query. For any property being assigned, a value in the array is converted to an object containing these properties. Essentially, this means that the property whose expected type is Array always has to be checked with Array.isArray() by the user. This may not be obvious to the user and can cause unexpected behavior.

References:

https://jsfiddle.net/65jxksay/
https://jsfiddle.net/pb6an1dy/
https://github.com/ljharb/qs/blob/master/dist/qs.js#L670
https://github.com/ljharb/qs/issues/436
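
The Array.isArray() check the description calls for, shown next to the unchecked pattern it warns about. This is an added example, not code from qs or from this bug report: the parsed query objects are constructed samples, and `BadRequest`, `naiveCount`, `requireStringArray`, `classify` and the 100-item limit are assumptions made for illustration.

```javascript
'use strict';

class BadRequest extends Error {
  constructor(message) {
    super(message);
    this.status = 400; // assumed convention for an HTTP error handler
  }
}

// Naive handler logic: trusts that the parsed field is an array.
function naiveCount(query) {
  return query.ids.map((id) => id.trim()).length; // TypeError if ids is an object
}

// Hardened: accept only a real array (or one scalar string) of bounded size.
function requireStringArray(query, key, maxItems = 100) {
  if (!Object.prototype.hasOwnProperty.call(query, key)) return [];
  let value = query[key];
  if (typeof value === 'string') value = [value];
  if (!Array.isArray(value)) throw new BadRequest(`${key}: expected an array`);
  if (value.length > maxItems) throw new BadRequest(`${key}: too many items`);
  for (const item of value) {
    if (typeof item !== 'string') throw new BadRequest(`${key}: items must be strings`);
  }
  return value.slice();
}

// Constructed samples of parsed query objects (not captured traffic).
const samples = {
  array: { ids: ['1', '2'] },
  scalar: { ids: '7' },
  merged: { ids: { 0: '1', 1: '2', extra: 'x' } }, // array turned into an object
  nested: { ids: ['1', { a: 'b' }] },
};

// Classify a parsed query: 'ok:<item count>' or 'rejected:<status>'.
function classify(query) {
  try {
    return `ok:${requireStringArray(query, 'ids').length}`;
  } catch (err) {
    if (err instanceof BadRequest) return `rejected:${err.status}`;
    throw err;
  }
}

for (const [name, query] of Object.entries(samples)) {
  console.log(name, classify(query));
}
```

Rejecting the merged object with a 400 keeps the type confusion from surfacing later as an unhandled exception inside the request handler.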

