CVE-2014-10064: High severity qs project vulnerability
Node.js qs module is vulnerable to a denial of service, caused by a large loop when parsing JSON object. By sending a specially-crafted JSON string, a remote attacker could exploit this vulnerability to cause the application to stop responding.
Other sources
The qs module before 1.0.0 does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. An attacker could leverage this to cause a temporary denial-of-service condition, for example, in a web application, other requests would not be processed while this blocking is occurring.
Affected Software
Event History
Frequently Asked Questions
What is CVE-2014-10064?
CVE-2014-10064 is a vulnerability in the Node.js qs module that can lead to a denial of service attack.
How does the vulnerability occur?
The vulnerability occurs due to a large loop when parsing a specially-crafted JSON object.
What is the impact of CVE-2014-10064?
The impact of CVE-2014-10064 is that it can cause the affected application to stop responding.
Who is affected by this vulnerability?
Users of IBM Security Verify Governance version up to 10.0 are affected by this vulnerability.
How can I fix CVE-2014-10064?
To fix CVE-2014-10064, update Node.js qs module to a version that includes a patch for the vulnerability.