npm vulnerability intelligence

qs NPM Package Vulnerability Check

A querystring parser that supports nesting and arrays, with a depth limit

High severity BSD-3-Clause v6.15.2
Vulnerability Analysis OSV Live

qs

v6.15.2 · BSD-3-Clause · 162,353,109 dl/wk

Advisory Breakdown

Critical 0
High 4
Moderate 2
Low 1

Severity Rating

High severity

Total advisories

7

Known advisories

OSV records for the npm ecosystem

GHSA-6rw7-vpxm-498p CVE-2025-15284 moderate

qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion

Affected: >=0 <6.14.1 · Fixed in: 6.14.1 · Updated Mar 4, 2026

GHSA-f9cm-p3w6-xvr3 CVE-2014-10064 high

Denial-of-Service Extended Event Loop Blocking in qs

Affected: >=0 <1.0.0 · Fixed in: 1.0.0 · Updated Nov 8, 2023

GHSA-gqgv-6jq5-jjj9 CVE-2017-1000048 high

Prototype Pollution Protection Bypass in qs

Affected: >=0 <6.0.4, >=6.1.0 <6.1.2, >=6.2.0 <6.2.3, >=6.3.0 <6.3.2 · Fixed in: 6.0.4, 6.1.2, 6.2.3, 6.3.2 · Updated Nov 8, 2023

GHSA-hrpp-h998-j3pp CVE-2022-24999 high

qs vulnerable to Prototype Pollution

Affected: >=6.10.0 <6.10.3, >=6.9.0 <6.9.7, >=6.8.0 <6.8.3, >=6.7.0 <6.7.3, >=6.6.0 <6.6.1, >=6.5.0 <6.5.3, >=6.4.0 <6.4.1, >=6.3.0 <6.3.3, >=0 <6.2.4 · Fixed in: 6.10.3, 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, 6.2.4 · Updated Apr 29, 2025

GHSA-jjv7-qpx3-h62q CVE-2014-7191 high

Denial-of-Service Memory Exhaustion in qs

Affected: >=0 <1.0.0 · Fixed in: 1.0.0 · Updated Nov 8, 2023

GHSA-q8mj-m7cp-5q26 CVE-2026-8723 moderate

qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set

Affected: >=6.11.1 <6.15.2 · Fixed in: 6.15.2 · Updated May 26, 2026

GHSA-w7fw-mjwx-w883 CVE-2026-2391 low

qs's arrayLimit bypass in comma parsing allows denial of service

Affected: >=6.7.0 <6.14.2 · Fixed in: 6.14.2 · Updated Mar 16, 2026

Checked Jun 7, 2026, 5:40 PM from npm and OSV.dev

Package metadata

From the npm registry

Package name: qs
Ecosystem: npm
Latest version: 6.15.2
License: BSD-3-Clause
Weekly downloads: 162,353,109

Remediation boundary

What RequestGuard does — and doesn't — cover

RequestGuard does not fix npm package vulnerabilities. Dependency remediation happens through package updates, patches, lockfile changes, and maintainer guidance. RequestGuard can help mitigate runtime abuse around exposed web and API flows while remediation is handled separately.

Signup flows
Login attempts
API traffic

Data from npm registry and OSV.dev · Checked 6/7/2026, 5:40:59 PM