Your message dated Wed, 24 Jun 2026 08:25:30 +0000
with message-id <[email protected]>
and subject line Bug#1137257: fixed in node-qs 6.15.2+ds+~6.15.1-1
has caused the Debian Bug report #1137257,
regarding node-qs: CVE-2026-8723
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1137257: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137257
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-qs
Version: 6.15.0+ds+~6.15.0-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for node-qs.
CVE-2026-8723[0]:
| ### Summary
|
| `qs.stringify` throws `TypeError` when called with `arrayFormat: 'comma'`
| and `encodeValuesOnly: true` on an array containing `null` or `undefined`.
| The throw is synchronous and not handled by any of qs's null-related
| options (`skipNulls`, `strictNullHandling`).
|
| ### Details
|
| In the comma + `encodeValuesOnly` branch, `lib/stringify.js:145` mapped
| the array through the raw encoder before joining:
|
| ```js
| obj = utils.maybeMap(obj, encoder);
| ```
|
| `utils.encode` (`lib/utils.js:195`) reads `str.length` with no null
| guard, so a `null` or `undefined` element throws `TypeError`. `skipNulls`
| and `strictNullHandling` are both checked in the per-element loop below
| this line and never get a chance to run. Same class of bug as the
| filter-array path fixed in 0c180a4.
|
| The vulnerable shape of the comma + `encodeValuesOnly` branch was
| introduced in 4c4b23d ("encode comma values more consistently", PR #463,
| 2023-01-19), first released in v6.11.1.
|
| #### PoC
|
| ```js
| const qs = require('qs');
|
| qs.stringify({ a: [null, 'b'] }, { arrayFormat: 'comma', encodeValuesOnly: true });
| qs.stringify({ a: [undefined, 'b'] }, { arrayFormat: 'comma', encodeValuesOnly: true });
| qs.stringify({ a: [null] }, { arrayFormat: 'comma', encodeValuesOnly: true });
| // TypeError: Cannot read properties of null (reading 'length')
| //     at encode (lib/utils.js:195:13)
| //     at Object.maybeMap (lib/utils.js:322:37)
| //     at stringify (lib/stringify.js:145:25)
| ```
|
| #### Fix
|
| `lib/stringify.js:145`, applied in 21f80b3 on `main` and released as
| v6.15.2:
|
| ```diff
| - obj = utils.maybeMap(obj, encoder);
| + obj = utils.maybeMap(obj, function (v) {
| +     return v == null ? v : encoder(v);
| + });
| ```
|
| `null` and `undefined` now pass through `maybeMap` unchanged and reach
| the `join(',')` step as-is. For `{ a: [null, 'b'] }` this produces
| `a=,b`, matching the non-`encodeValuesOnly` comma path (which already
| joins before encoding and produces `a=%2Cb` for the same input).
| Single-element `[null]` arrays still collapse via the existing
| `obj.join(',') || null` and remain subject to `skipNulls` /
| `strictNullHandling` in the main loop.
|
| ### Affected versions
|
| `>=6.11.1 <6.15.2` — fixed in v6.15.2.
|
| The vulnerable code shape was introduced in 4c4b23d and first shipped
| in v6.11.1. Earlier versions — including all of 6.7.x, 6.8.x, 6.9.x,
| 6.10.x, and 6.11.0 — implemented the comma + `encodeValuesOnly` path
| differently (joining before encoding) and are not affected. Empirically
| verified across released versions.
|
| ### Impact
|
| Application code that calls `qs.stringify` with both
| `arrayFormat: 'comma'` and `encodeValuesOnly: true` (both non-default)
| on input that may contain a `null` or `undefined` array element will
| throw synchronously instead of producing a query string.
|
| In a typical Node.js HTTP framework (Express, Fastify, Koa, hapi) the
| sync throw is caught by the framework's error boundary and the affected
| request returns a 500; the worker process does not exit and subsequent
| requests are unaffected. The "kills the worker process" framing applies
| only to call sites outside a request-handler error boundary (background
| jobs, startup paths, stream pipelines) or to deployments with framework
| error handling explicitly disabled.
|
| The vulnerable input is a `null` or `undefined` entry inside an array;
| this is reachable from JSON request bodies or from application code
| constructing arrays from user input, but not from standard HTML form
| submissions (which produce strings or omitted fields, not literal
| `null`).
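Review bot: the one-hunk fix quoted under "#### Fix" above (`return v == null ? v : encoder(v);`) stops the throw but leaves a `skipNulls` gap that should be tested or documented: since `skipNulls` and `strictNullHandling` are only evaluated in the per-element loop after the `join(',')`, a multi-element comma array such as `{ a: [null, 'b'] }` with `skipNulls: true` now serialises as `a=,b` rather than dropping the element, while single-element `[null]` still collapses to `null` and is skipped. Either filter nullish elements before the join when `skipNulls` is set, or state in the option docs that `skipNulls` does not reach inside comma-joined arrays; in both cases add regression tests for the three PoC inputs plus that `skipNulls: true` case. Also worth a changelog line: if `encoder` here is the resolved `encoder` option, a caller-supplied encoder is no longer invoked for `null`/`undefined` elements in this branch, which is a visible behaviour change for custom encoders.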
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-8723
https://www.cve.org/CVERecord?id=CVE-2026-8723
[1] https://github.com/ljharb/qs/security/advisories/GHSA-q8mj-m7cp-5q26
[2] https://github.com/ljharb/qs/commit/21f80b33e5c8b3f7eba1034fff0da4a4a37a1d41
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
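The advisory above explains the failing path (raw encoder reads `str.length` on a nullish array element), the one-line guard that fixes it, and the affected range. The block below is an added example written for this page; it is not code from qs, from the advisory, or from Debian. It models the comma + `encodeValuesOnly` branch with a constructed stand-in for `utils.encode` so the vulnerable and fixed shapes can be compared offline, checks a version string against the published range `>=6.11.1 <6.15.2`, and provides two call-site tools for deployments that cannot upgrade yet: a runtime probe that runs the three PoC inputs through any `stringify` function (pass `require('qs').stringify` to test a real install), and a pre-serialisation filter that removes nullish array elements. All function names and the `modelStringify` adapter are this example's own.

```javascript
'use strict';
// Added example, not qs's own code. Models the comma + encodeValuesOnly
// branch described in the advisory; the encoder and the stringify adapter
// are constructed stand-ins, marked as such below.

// Stand-in for utils.encode (constructed): like the real one it touches
// `str.length` first, so a null/undefined argument throws a TypeError.
function encode(str) {
  if (str.length === 0) return str;
  return encodeURIComponent(String(str));
}

// Vulnerable shape (4c4b23d .. v6.15.1): every element goes through the raw
// encoder before the join, so a nullish element reaches encode() and throws.
function commaValuesVulnerable(key, arr) {
  return key + '=' + arr.map(encode).join(',');
}

// Fixed shape (21f80b3 / v6.15.2): nullish elements bypass the encoder and
// reach join(), which renders null and undefined as empty strings ("a=,b").
function commaValuesFixed(key, arr) {
  return key + '=' + arr.map(function (v) { return v == null ? v : encode(v); }).join(',');
}

// Constructed stringify-shaped adapter so the probe can run offline. It only
// models the comma branch; it ignores options and nested objects on purpose.
function modelStringify(commaValues) {
  return function (obj) {
    return Object.keys(obj).map(function (k) { return commaValues(k, obj[k]); }).join('&');
  };
}

// Runtime probe: true if `stringify` throws a TypeError on any of the three
// PoC inputs from the advisory, i.e. the copy under test is affected.
// Usage against a real install: probeCommaNullThrow(require('qs').stringify)
function probeCommaNullThrow(stringify) {
  const opts = { arrayFormat: 'comma', encodeValuesOnly: true };
  const inputs = [{ a: [null, 'b'] }, { a: [undefined, 'b'] }, { a: [null] }];
  return inputs.some(function (input) {
    try {
      stringify(input, opts);
      return false;
    } catch (e) {
      return e instanceof TypeError;
    }
  });
}

// Static check against the advisory's affected range: >=6.11.1 <6.15.2.
// Accepts "6.15.1", "v6.15.1" or "6.15.1-rc1"; anything else is rejected.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error('unparseable version: ' + v);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffectedQsVersion(version) {
  const v = parseVersion(version);
  return compareVersions(v, [6, 11, 1]) >= 0 && compareVersions(v, [6, 15, 2]) < 0;
}

// Call-site mitigation for an unpatched install: strip null/undefined array
// elements (recursively) before handing the object to qs.stringify. This is
// not the upstream fix and differs from it semantically: [null, 'b'] becomes
// ['b'] (serialised "a=b"), whereas 6.15.2 produces "a=,b".
function dropNullishArrayItems(value) {
  if (Array.isArray(value)) {
    return value.filter(function (v) { return v != null; }).map(dropNullishArrayItems);
  }
  if (value !== null && typeof value === 'object') {
    const out = {};
    Object.keys(value).forEach(function (k) { out[k] = dropNullishArrayItems(value[k]); });
    return out;
  }
  return value;
}

console.log('model of vulnerable branch throws on PoC:',
  probeCommaNullThrow(modelStringify(commaValuesVulnerable)));
console.log('model of fixed branch throws on PoC:',
  probeCommaNullThrow(modelStringify(commaValuesFixed)));
console.log('6.15.1 in affected range:', isAffectedQsVersion('6.15.1'));
```

The probe is the check to run in CI or on a host after a package upgrade, since it exercises the actual code path rather than trusting the version string; the version check is for inventory scans where only `package-lock.json` or `dpkg -l` output is available. Prefer upgrading to 6.15.2 over the filter, because the filter silently changes what nullish elements serialise to.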
--- Begin Message ---
Source: node-qs
Source-Version: 6.15.2+ds+~6.15.1-1
Done: Xavier Guimard <[email protected]>
We believe that the bug you reported is fixed in the latest version of
node-qs, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Xavier Guimard <[email protected]> (supplier of updated node-qs package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 24 Jun 2026 10:07:32 +0200
Source: node-qs
Architecture: source
Version: 6.15.2+ds+~6.15.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Xavier Guimard <[email protected]>
Closes: 1137257
Changes:
node-qs (6.15.2+ds+~6.15.1-1) unstable; urgency=medium
.
* Team upload
* New upstream version (Closes: #1137257, CVE-2026-8723)
* Unfuzz patches
Checksums-Sha1:
3c8cc4e9256f4a9ac959528db11e6fe72bcb0224 3018 node-qs_6.15.2+ds+~6.15.1-1.dsc
efc80571f1b119011726e2ee3b939a396f082b01 2544 node-qs_6.15.2+ds+~6.15.1.orig-types-qs.tar.xz
06f30e93a73f8caa6309c7506920b99ee9597375 11091936 node-qs_6.15.2+ds+~6.15.1.orig.tar.xz
29408b5723f60ac5711652ab21c9b10253cb1842 8956 node-qs_6.15.2+ds+~6.15.1-1.debian.tar.xz
Checksums-Sha256:
ae6ec677e42d5c484b3aec8a362d8e40766ad4b7caddbfb3c96da72f17429d4d 3018 node-qs_6.15.2+ds+~6.15.1-1.dsc
d9f097b86129fd65adb3cba3f3096691da0cb17c4e32931b15d18f4036213753 2544 node-qs_6.15.2+ds+~6.15.1.orig-types-qs.tar.xz
21e2ce106e90e64b03184339923ce6ce404fb536fffd4a951d2d3a4299d51d5b 11091936 node-qs_6.15.2+ds+~6.15.1.orig.tar.xz
44ded9759d2f094dd44438a97ffb9c0da3bd9d4bbae824679264b55226e29684 8956 node-qs_6.15.2+ds+~6.15.1-1.debian.tar.xz
Files:
58ace3caebb8333be10ee6febcc26777 3018 javascript optional node-qs_6.15.2+ds+~6.15.1-1.dsc
ac0a6f01c0c9f6aa71b189e05a0ee1ee 2544 javascript optional node-qs_6.15.2+ds+~6.15.1.orig-types-qs.tar.xz
a92c5d4fdf0bc8f0eb9585c4eaa6803e 11091936 javascript optional node-qs_6.15.2+ds+~6.15.1.orig.tar.xz
31adcc8cf0c77ca77d1d6f1de73dcd79 8956 javascript optional node-qs_6.15.2+ds+~6.15.1-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
pgptAgUqRtyrm.pgp
Description: PGP signature
--- End Message ---