CVE-2026-8723: qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set
qs.stringify throws TypeError when called with arrayFormat: 'comma' and encodeValuesOnly: true on an array containing null or undefined. The throw is synchronous and not handled by any of qs’s null-related options (skipNulls, strictNullHandling).
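One way to guard a call site against the throw described above, as an added example that is not taken from the advisory or the qs project. The helper names are hypothetical, and standInStringify is a constructed stub that mimics the described throw so the block runs without qs installed; in an application, qs.stringify would be passed in instead.

```javascript
// Added example (not from the advisory or the qs project).
// Hypothetical helpers: stripNullishArrayEntries, safeStringify, standInStringify.

// Recursively drop null/undefined entries from arrays. Null object properties
// are kept. This shortens arrays, so use it only where that is acceptable.
function stripNullishArrayEntries(value) {
  if (Array.isArray(value)) {
    return value.filter((v) => v != null).map(stripNullishArrayEntries);
  }
  const proto = value !== null && typeof value === 'object'
    ? Object.getPrototypeOf(value) : undefined;
  if (proto === Object.prototype || proto === null) {
    // Object.fromEntries defines own properties, so a "__proto__" key is inert.
    return Object.fromEntries(
      Object.entries(value).map(([k, v]) => [k, stripNullishArrayEntries(v)]));
  }
  return value; // primitives, Date, Buffer, etc. pass through untouched
}

// Call a qs-style stringify on sanitized input. A synchronous TypeError is
// returned as a result instead of propagating as an unhandled exception.
function safeStringify(stringify, input, options) {
  try {
    return { ok: true, query: stringify(stripNullishArrayEntries(input), options) };
  } catch (err) {
    if (err instanceof TypeError) return { ok: false, error: err.message };
    throw err;
  }
}

// Constructed stand-in (NOT qs): throws under the conditions the advisory
// describes, so the wrapper can be exercised offline.
function standInStringify(obj, opts = {}) {
  return Object.entries(obj).map(([k, v]) => {
    if (!Array.isArray(v)) return `${k}=${v}`;
    if (opts.arrayFormat === 'comma' && opts.encodeValuesOnly &&
        v.some((x) => x == null)) {
      throw new TypeError('stand-in: nullish entry in comma-format array');
    }
    return `${k}=${v.join(',')}`;
  }).join('&');
}

const demoOpts = { arrayFormat: 'comma', encodeValuesOnly: true };
console.log(safeStringify(standInStringify, { a: ['x', null, 'y'] }, demoOpts));
```

Filtering changes what is serialized, so where array positions matter, reject the input instead of stripping it.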