CVE-2014-10064: Denial-of-Service Extended Event Loop Blocking in qs

October 9, 2018 (updated January 8, 2021)

The qs module before 1.0.0 does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. An attacker could leverage this to cause a temporary denial-of-service condition, for example, in a web application, other requests would not be processed while this blocking is occurring.

References

github.com/advisories/GHSA-f9cm-p3w6-xvr3
nodesecurity.io/advisories/28
nvd.nist.gov/vuln/detail/CVE-2014-10064
www.npmjs.com/advisories/28

Code Behaviors & Features

Detect and mitigate CVE-2014-10064 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →