CVE-2014-7191 : The qs module before 1.0.0 in Node.js does not call the compact function for arr

The qs module before 1.0.0 in Node.js does not call the compact function for array data, which allows remote attackers to cause a denial of service (memory consumption) by using a large index value to create a sparse array.

Published 2014-10-19 01:55:22

Updated 2025-04-12 10:46:41

Source MITRE

View at NVD, CVE.org

Vulnerability category: Denial of service

Products affected by CVE-2014-7191

Nodejs » Node.js
Versions up to, including, (<=) 0.10.18
cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2014-7191

EPSS FAQ

1.22%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 77 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2014-7191

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
5.0	MEDIUM	AV:N/AC:L/Au:N/C:N/I:N/A:P	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial

CWE ids for CVE-2014-7191

CWE-399

Assigned by: nvd@nist.gov (Primary)

References for CVE-2014-7191

https://exchange.xforce.ibmcloud.com/vulnerabilities/96729

Node.js qs module denial of service CVE-2014-7191 Vulnerability Report
http://secunia.com/advisories/60026

Sign in
https://access.redhat.com/errata/RHSA-2016:1380

RHSA-2016:1380 - Security Advisory - Red Hat Customer Portal
http://www-01.ibm.com/support/docview.wss?uid=swg21687263

IBM Security Bulletin: Security vulnerabilities in Node.js modules affect IBM Business Process Manager (BPM) Configuration Editor (CVE-2014-6394, CVE-2014-7191)

CVEs referencing this url
http://www-01.ibm.com/support/docview.wss?uid=swg21687928

IBM notice: The page you requested cannot be displayed
https://github.com/visionmedia/node-querystring/issues/104

Nested arrays can be used to crash node. · Issue #104 · tj/node-querystring · GitHub
https://nodesecurity.io/advisories/qs_dos_memory_exhaustion

npm
https://github.com/raymondfeng/node-querystring/commit/43a604b7847e56bba49d0ce3e222fe89569354d8

Page not found · GitHub · GitHub
Patch
http://secunia.com/advisories/62170

Sign in

CVEs referencing this url
http://www-01.ibm.com/support/docview.wss?uid=swg21685987

IBM Security Bulletin: Current Release of IBM® SDK for Node.js™ is affected by CVE-2014-7191

Jump to

Vulnerability Details : CVE-2014-7191

Products affected by CVE-2014-7191

Exploit prediction scoring system (EPSS) score for CVE-2014-7191

CVSS scores for CVE-2014-7191

CWE ids for CVE-2014-7191

References for CVE-2014-7191