Denial-of-Service Extended Event Loop Blocking

Module: qs

Published: August 6th, 2014

Reported by: Tom Steele



Vulnerable: <1.0.0
Patched: >= 1.x


The qs module does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. An attacker could leverage this to cause a temporary denial-of-service condition, for example, in a web application, other requests would not be processed while this blocking is occurring.


Update qs to version 1.0.0 or greater

Sign up FREE for
nsp Continuous Security

Free for open source and the first private repo,
then just $1/mo per private repo