CVE-2014-10064
Denial of Service vulnerability in qs (npm)
What is CVE-2014-10064 About?
This is a Denial of Service vulnerability in the `qs` package, affecting versions prior to 1.0.0, caused by excessive recursion when parsing deeply nested JSON strings. Successful exploitation can exhaust system resources, leading to service unavailability, and is remotely exploitable with a crafted JSON payload.
Affected Software
Technical Details
The vulnerability exists in qs versions prior to 1.0.0, specifically when the library is used to parse deeply nested JSON strings. The parsing mechanism for query strings or object serialization within qs can enter excessive recursion if it encounters a JSON payload with a very high level of nesting. This deep recursion consumes significant amounts of memory on the call stack and CPU resources as the function repeatedly calls itself. Eventually, this leads to a stack overflow or resource exhaustion, causing the application to crash or become unresponsive, resulting in a denial of service for legitimate users.
What is the Impact of CVE-2014-10064?
Successful exploitation may allow attackers to cause a denial of service by exhausting server resources, making the application unresponsive or completely unavailable.
What is the Exploitability of CVE-2014-10064?
Exploitation is typically remote, requiring an attacker to send a specially crafted HTTP request or input containing a deeply nested JSON string to an application that uses the vulnerable qs library for parsing. The complexity is relatively low, as it primarily involves creating a JSON string with many levels of nesting. No authentication or specific privileges are required if the application processes untrusted user input with qs. The attack is effective against systems that directly or indirectly use qs to parse large or complex query strings or JSON payloads. Risk factors include applications that accept and process arbitrary JSON or query string input without proper depth limitations.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2014-10064?
Available Upgrade Options
- qs
  - <1.0.0 → Upgrade to 1.0.0
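The depth limitation discussed above, as an added example (not code from qs or from this advisory): a bracket-notation query parser that walks each key with a bounded loop instead of recursion and keeps anything nested deeper than the cap as a single literal key. `MAX_DEPTH`, `decode`, `splitKey` and `parseQuery` are hypothetical names, and arrays are not handled.

```javascript
// Added example: depth-capped parsing of bracket-notation query strings.
// MAX_DEPTH, decode, splitKey and parseQuery are hypothetical names, not the qs API.
const MAX_DEPTH = 5;

function decode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch (e) { return s; }
}

// Split "a[b][c]" into ["a", "b", "c"] with a bounded loop (no recursion).
// Anything nested deeper than maxDepth is kept as one literal trailing key.
function splitKey(key, maxDepth) {
  const open = key.indexOf('[');
  if (open <= 0) return [key];            // no brackets, or no root name
  const parts = [key.slice(0, open)];
  const segment = /\[([^\[\]]*)\]/y;      // sticky: match only at lastIndex
  let pos = open;
  for (let depth = 0; depth < maxDepth; depth++) {
    segment.lastIndex = pos;
    const m = segment.exec(key);
    if (m === null) break;
    parts.push(m[1]);
    pos = segment.lastIndex;
  }
  if (pos < key.length) parts.push(key.slice(pos));
  return parts;
}

// Build the nested result iteratively; nesting steps per key never exceed maxDepth.
// Null-prototype objects keep keys such as "__proto__" as plain data.
function parseQuery(query, maxDepth = MAX_DEPTH) {
  const result = Object.create(null);
  for (const pair of query.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const key = decode(eq === -1 ? pair : pair.slice(0, eq));
    const value = eq === -1 ? '' : decode(pair.slice(eq + 1));
    const parts = splitKey(key, maxDepth);
    let node = result;
    for (let i = 0; i < parts.length - 1; i++) {
      const next = node[parts[i]];
      if (typeof next !== 'object' || next === null) node[parts[i]] = Object.create(null);
      node = node[parts[i]];
    }
    node[parts[parts.length - 1]] = value;
  }
  return result;
}

// Constructed sample input: 50 levels of nesting, capped at MAX_DEPTH.
console.log(splitKey('a' + '[k]'.repeat(50), MAX_DEPTH).length);
```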
Additional Resources
What are Similar Vulnerabilities to CVE-2014-10064?
Similar Vulnerabilities: CVE-2018-16487, CVE-2015-9251, CVE-2018-16488, CVE-2018-3721, CVE-2020-28169
