Summary
The qs dependency is currently ~6.14.1 in package.json, which resolves to 6.14.x at most. This range does not include the fix for CVE-2026-8723 / GHSA-q8mj-m7cp-5q26, which requires qs >= 6.15.2.
Details
- Affected versions: qs >= 6.11.1, <= 6.15.1
- Patched version: qs 6.15.2
- Severity: Moderate (CVSS 5.3)
- CVE: CVE-2026-8723
qs.stringify throws a TypeError when called with arrayFormat: "comma" and encodeValuesOnly: true on an array containing null or undefined. The throw is synchronous and unhandled, enabling a remotely triggerable DoS.
Why a version bump is needed
Unlike the previous issue #103 (CVE-2026-2391, fixed in 6.14.2, which was still within the ~6.14.1 range), this new CVE requires bumping the minor version from 6.14.x to 6.15.x. A lockfile update alone is not sufficient, since the tilde range ~6.14.1 caps resolution at 6.14.x.
Fix
Bump qs from ~6.14.1 to ^6.15.2 in package.json.
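To show why the lockfile update is not enough, here is an added example (not code from this issue or from qs) that applies npm's tilde/caret semantics to a package.json range and reports dependencies whose range can never resolve to the patched version. The sample package.json and the advisory table are constructed; only plain x.y.z forms with an optional ~ or ^ are handled.

```javascript
// Added example: does a package.json range ever admit the patched version?
// Implements the common tilde/caret rules; other range syntaxes are not supported.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Lower bound (inclusive) and upper bound (exclusive) npm derives from a range.
function rangeBounds(range) {
  const op = range[0] === '~' || range[0] === '^' ? range[0] : '';
  const base = parseVersion(op ? range.slice(1) : range);
  const [major, minor, patch] = base;
  let upper;
  if (op === '~') upper = [major, minor + 1, 0];            // ~6.14.1 -> <6.15.0
  else if (op === '^') upper = major > 0 ? [major + 1, 0, 0] // ^6.15.2 -> <7.0.0
    : minor > 0 ? [0, minor + 1, 0] : [0, 0, patch + 1];      // 0.x caret rules
  else upper = [major, minor, patch + 1];                     // exact pin
  return { lower: base, upper };
}

function satisfies(version, range) {
  const v = parseVersion(version);
  const { lower, upper } = rangeBounds(range);
  return cmp(v, lower) >= 0 && cmp(v, upper) < 0;
}

// Dependencies whose declared range cannot reach the advisory's patched version.
function findUnfixableRanges(deps, advisories) {
  const findings = [];
  for (const [pkg, patched] of Object.entries(advisories)) {
    const range = deps[pkg];
    if (range && !satisfies(patched, range)) findings.push({ pkg, range, patched });
  }
  return findings;
}

// Constructed sample mirroring the issue: qs declared with the tilde range.
const samplePackageJson = { dependencies: { qs: '~6.14.1', express: '^4.21.0' } };
const advisories = { qs: '6.15.2' }; // patched version for CVE-2026-8723 per the issue

console.log(findUnfixableRanges(samplePackageJson.dependencies, advisories));
// -> [ { pkg: 'qs', range: '~6.14.1', patched: '6.15.2' } ]
```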
References