CVE-2014-7191
Denial of Service vulnerability in qs (npm)
What is CVE-2014-7191 About?
Versions of the `qs` package prior to 1.0 are vulnerable to a denial of service condition. This is triggered by parsing a crafted string that deserializes into very large sparse arrays, leading to memory exhaustion and application crashes. Exploiting this vulnerability would likely involve sending a specially crafted request, making it a remote and relatively easy attack.
Affected Software
Technical Details
The `qs` package, in versions prior to 1.0, is susceptible to a denial of service vulnerability. The flaw arises when the package parses a specially crafted query string, or a similar string, that deserializes into an extremely large sparse array. An attacker can construct an input string that defines array indices far beyond the actual data elements (e.g., `param[999999999]=value`). When `qs` deserializes this, it attempts to allocate memory for an array with a vast number of empty slots (a sparse array). This excessive memory allocation quickly exhausts available system resources, leading to an out-of-memory error or similar condition, which in turn crashes the Node.js process and results in a denial of service for the application.
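The sparse-array behaviour described above, next to one way of bounding it, as an added JavaScript example (not code from `qs` or from this advisory). The function name `parseIndexed`, the `ARRAY_LIMIT` value of 20 and the sample query string are assumptions made for illustration.

```javascript
// Added illustration, not qs source. Names and the limit value are assumptions.
const ARRAY_LIMIT = 20;

// Handles only flat "name[index]=value" and "name=value" pairs.
function parseIndexed(query, arrayLimit = Infinity) {
  const plain = Object.create(null);   // no prototype, so "__proto__" is just a key
  const indexed = new Map();           // name -> [[index, value], ...]
  for (const pair of query.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const key = decodeURIComponent(eq < 0 ? pair : pair.slice(0, eq));
    const value = eq < 0 ? '' : decodeURIComponent(pair.slice(eq + 1));
    const m = /^([^\[\]]+)\[(\d+)\]$/.exec(key);
    if (!m) { plain[key] = value; continue; }
    if (!indexed.has(m[1])) indexed.set(m[1], []);
    indexed.get(m[1]).push([Number(m[2]), value]);
  }
  for (const [name, entries] of indexed) {
    const maxIndex = Math.max(...entries.map(([i]) => i));
    if (maxIndex <= arrayLimit) {
      // Index-based assignment: length becomes maxIndex + 1, whatever the
      // element count. Any later step that walks 0..length-1 or copies the
      // array then does work proportional to length, not to the data sent.
      const arr = [];
      for (const [i, v] of entries) arr[i] = v;
      plain[name] = arr;
    } else {
      // Over the limit: keep indices as object keys, so no large length exists.
      const obj = Object.create(null);
      for (const [i, v] of entries) obj[String(i)] = v;
      plain[name] = obj;
    }
  }
  return plain;
}

// Constructed sample input: two real elements, one far-out index.
const SAMPLE = 'a[0]=x&a[100000]=y&b=1';
const naive = parseIndexed(SAMPLE);               // unbounded indices
const capped = parseIndexed(SAMPLE, ARRAY_LIMIT); // bounded indices
```

With the unbounded call, `naive.a` reports a length of 100001 for two stored values; with the cap, `capped.a` is a two-key object and short arrays still parse as arrays.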
What is the Impact of CVE-2014-7191?
Successful exploitation may allow attackers to exhaust system memory resources, leading to an application crash and a complete denial of service.
What is the Exploitability of CVE-2014-7191?
Exploitation of this vulnerability involves an attacker sending a specially crafted string as input to an application that uses a vulnerable version of the qs package for parsing query strings or similar data. The complexity is relatively low, as it primarily involves understanding how to construct a string that triggers the sparse array creation. No authentication or specific privileges are required if the application exposes an endpoint that processes user-controlled string input via qs. The attack is remote, as the malicious string can be transmitted over a network. The primary risk factor is any web application that processes user-supplied query string parameters or form data using an outdated qs library.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2014-7191?
Available Upgrade Options
- qs
  - <1.0.0 → Upgrade to 1.0.0
Additional Resources
- http://www-01.ibm.com/support/docview.wss?uid=swg21687928
- https://nodesecurity.io/advisories/qs_dos_memory_exhaustion
- https://github.com/visionmedia/node-querystring/issues/104
- http://secunia.com/advisories/60026
- https://exchange.xforce.ibmcloud.com/vulnerabilities/96729
- https://access.redhat.com/errata/RHSA-2016:1380
- http://www-01.ibm.com/support/docview.wss?uid=swg21687263
- https://github.com/raymondfeng/node-querystring/commit/43a604b7847e56bba49d0ce3e222fe89569354d8
- http://www-01.ibm.com/support/docview.wss?uid=swg21685987
- https://github.com/advisories/GHSA-jjv7-qpx3-h62q
What are Similar Vulnerabilities to CVE-2014-7191?
Similar Vulnerabilities: CVE-2017-1000189, CVE-2017-16137, CVE-2017-16113, CVE-2019-15655, CVE-2018-3720
