
Security: Bump qs dependency from ~6.14.1 to ^6.15.2 (CVE-2026-8723) #106

Description

@samjoffe

Summary

The qs dependency is currently ~6.14.1 in package.json, a tilde range that allows any 6.14.x release but nothing in 6.15. That range therefore cannot pick up the fix for CVE-2026-8723 / GHSA-q8mj-m7cp-5q26, which requires qs >= 6.15.2.

Details

  • Affected versions: qs >= 6.11.1, <= 6.15.1
  • Patched version: qs 6.15.2
  • Severity: Moderate (CVSS 5.3)
  • CVE: CVE-2026-8723

qs.stringify throws a TypeError when called with arrayFormat: "comma" and encodeValuesOnly: true on an array containing null or undefined. The error is thrown synchronously, so a caller that passes request-derived arrays through such a call without catching it can be crashed by a remote client (DoS).

Why a version bump is needed

Unlike the previous issue #103 (CVE-2026-2391, fixed in 6.14.2, which was still within the ~6.14.1 range), this CVE requires bumping the minor version from 6.14.x to 6.15.x. A lockfile update alone is not sufficient: the tilde range ~6.14.1 caps resolution below 6.15.0, so the resolver can never select 6.15.2 no matter how often the lockfile is refreshed.
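To make the range arithmetic concrete, here is an added example (not code from this issue or from the qs project) that implements the tilde and caret window rules for the simple `~x.y.z` / `^x.y.z` forms and checks whether a declared range can reach a patched version at all. The package.json fragment and the `auditDependency` helper are constructed for illustration; the full semver grammar (`||`, `>=`, x-ranges, prereleases) is deliberately out of scope.

```javascript
// Added example: minimal tilde/caret range check (not the qs project's code).
// Handles "~x.y.z", "^x.y.z" and exact "x.y.z" only.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Lexicographic compare of [major, minor, patch] triples: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns the [min inclusive, max exclusive] window a range allows.
//   ~x.y.z  -> >= x.y.z  < x.(y+1).0        (patch-level changes only)
//   ^x.y.z  -> >= x.y.z  < (x+1).0.0        for x > 0
//              caret is narrower when the major is 0 (see below)
function rangeWindow(range) {
  const op = range[0] === "~" || range[0] === "^" ? range[0] : "";
  const [major, minor, patch] = parseVersion(op ? range.slice(1) : range);
  const min = [major, minor, patch];
  let max;
  if (op === "~") {
    max = [major, minor + 1, 0];
  } else if (op === "^") {
    if (major > 0) max = [major + 1, 0, 0];
    else if (minor > 0) max = [0, minor + 1, 0]; // ^0.y.z: only 0.y.*
    else max = [0, 0, patch + 1];                // ^0.0.z: exact pin
  } else {
    max = [major, minor, patch + 1];             // exact version
  }
  return { min, max };
}

function rangeAllows(range, version) {
  const { min, max } = rangeWindow(range);
  const v = parseVersion(version);
  return compare(v, min) >= 0 && compare(v, max) < 0;
}

// Given package.json text, report whether the declared range for `name`
// can ever resolve to `patched`. If it cannot, a lockfile refresh will not
// pick up the fix and the range itself has to change.
function auditDependency(packageJsonText, name, patched) {
  const pkg = JSON.parse(packageJsonText);
  const deps = Object.assign({}, pkg.dependencies, pkg.devDependencies);
  const range = deps[name];
  if (!range) return { range: null, reachable: false };
  return { range, reachable: rangeAllows(range, patched) };
}

// Constructed package.json fragment mirroring the state described in the issue.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-app",
  dependencies: { qs: "~6.14.1" },
});

console.log("~6.14.1 reaches 6.14.2 (CVE-2026-2391 fix):",
  rangeAllows("~6.14.1", "6.14.2"));            // true
console.log("~6.14.1 reaches 6.15.2 (CVE-2026-8723 fix):",
  rangeAllows("~6.14.1", "6.15.2"));            // false
console.log("^6.15.2 reaches 6.15.2 / 6.16.0 / 7.0.0:",
  rangeAllows("^6.15.2", "6.15.2"),
  rangeAllows("^6.15.2", "6.16.0"),
  rangeAllows("^6.15.2", "7.0.0"));              // true true false
console.log("audit:", auditDependency(SAMPLE_PACKAGE_JSON, "qs", "6.15.2"));
```

The same check is worth running in CI against every advisory that names a patched version, since the failure mode here (a tilde range silently excluding the fix while `npm audit` keeps reporting it) is easy to miss when the habit is to just rerun `npm update`.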

Fix

Bump qs from ~6.14.1 to ^6.15.2 in package.json, then regenerate the lockfile so the installed version actually moves, and confirm the resolved version with `npm ls qs`.

References
