qs Library TypeError Vulnerability in Stringify Function with Comma Array Format

Vulnerability

A vulnerability in the 'qs' library's 'stringify' function can lead to a TypeError. The issue arises when 'arrayFormat' is set to 'comma' and 'encodeValuesOnly' is true, and the array being serialised contains null or undefined elements. 'stringify' attempts to encode these nullish values without handling them first, so the call throws synchronously. This vulnerability affects 'qs' versions 6.11.1 through 6.15.1; it is fixed in 6.15.2.

Impact

This vulnerability causes a synchronous TypeError, disrupting the application flow. In Node.js HTTP frameworks such as Express or Fastify, the framework's error handling catches the error and returns a 500 response, so the worker process does not crash. In background jobs or streams, however, the uncaught error can halt the process.

Reproduction

To reproduce this vulnerability, call 'qs.stringify' with 'arrayFormat' set to 'comma' and 'encodeValuesOnly' set to true, passing an array that contains a null or undefined element. The function throws a TypeError indicating that it cannot read the 'length' property of null or undefined.
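The condition above is easy to check for before calling into 'qs' on an affected version. The following is an added example, not code from the advisory or from the 'qs' project: it detects the exact precondition (comma array format, 'encodeValuesOnly', a nullish array element), reports where the nullish elements sit so they can be logged, and strips them before delegating to the real 'stringify'. The wrapper takes the 'stringify' function as an argument (an assumption made here so the example runs without 'qs' installed); in a real application you would pass 'require("qs").stringify'. The sample parameters at the bottom are constructed.

```javascript
'use strict';

// Added example (not from the advisory or the qs project): guard against the
// qs.stringify TypeError described above on affected versions.

// True for the "nullish" array elements the advisory describes.
function isNullish(v) {
  return v === null || v === undefined;
}

// Walk a params object and collect a path such as "ids[1]" or "nested.tags[0]"
// for every array element that is null or undefined.
function findNullishArrayItems(value, path = '', out = []) {
  if (Array.isArray(value)) {
    value.forEach((item, i) => {
      const itemPath = `${path}[${i}]`;
      if (isNullish(item)) {
        out.push(itemPath);
      } else {
        findNullishArrayItems(item, itemPath, out);
      }
    });
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      findNullishArrayItems(v, path ? `${path}.${k}` : k, out);
    }
  }
  return out;
}

// The precondition from the advisory: arrayFormat 'comma', encodeValuesOnly true,
// and at least one nullish array element in the params.
function wouldTriggerCommaTypeError(params, options = {}) {
  return options.arrayFormat === 'comma'
    && options.encodeValuesOnly === true
    && findNullishArrayItems(params).length > 0;
}

// Deep copy of params with nullish array elements dropped; other values unchanged.
function stripNullishArrayItems(value) {
  if (Array.isArray(value)) {
    return value.filter((item) => !isNullish(item)).map((item) => stripNullishArrayItems(item));
  }
  if (value && typeof value === 'object') {
    const copy = {};
    for (const [k, v] of Object.entries(value)) copy[k] = stripNullishArrayItems(v);
    return copy;
  }
  return value;
}

// Wrapper for affected versions: sanitise only when the dangerous combination is
// present, then call the real stringify (hypothetical parameter `stringify`,
// e.g. require('qs').stringify).
function safeStringify(stringify, params, options = {}) {
  const cleaned = wouldTriggerCommaTypeError(params, options)
    ? stripNullishArrayItems(params)
    : params;
  return stringify(cleaned, options);
}

// Constructed sample input (not real request data).
const SAMPLE_PARAMS = { ids: [1, null, 3], name: 'x', nested: { tags: ['a', undefined] } };
const SAMPLE_OPTIONS = { arrayFormat: 'comma', encodeValuesOnly: true };

// Report the paths that would be encoded unsafely for the sample input.
function demo() {
  return findNullishArrayItems(SAMPLE_PARAMS);
}
```

Logging the result of 'findNullishArrayItems' before sanitising gives an audit trail of which callers are producing nullish array elements, which is usually a bug in the caller rather than something to silently drop; the strip step is a stop-gap until the dependency is upgraded.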

Remediation

Users can update to 'qs' version 6.15.2 or later, where this vulnerability has been patched.
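To confirm whether a project is on an affected release, the version range given above (6.11.1 through 6.15.1, fixed in 6.15.2) can be checked directly against a lockfile. The following is an added example, not code from the advisory or the 'qs' project: it compares a version string against that range and scans a package-lock.json-style "packages" map for affected 'qs' entries, including nested copies. The lockfile fragment at the bottom is constructed sample data.

```javascript
'use strict';

// Added example (not from the advisory or the qs project): audit qs versions
// against the affected range stated in the advisory.

const AFFECTED_FROM = [6, 11, 1]; // first affected release
const FIXED_IN = [6, 15, 2];      // first fixed release

// Parse "major.minor.patch" into numbers; a leading "v" and any pre-release or
// build suffix are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Compare two [major, minor, patch] triples: negative, zero or positive.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// True when the version lies in [AFFECTED_FROM, FIXED_IN).
function isAffectedQsVersion(version) {
  const v = parseVersion(version);
  return compareVersions(v, AFFECTED_FROM) >= 0 && compareVersions(v, FIXED_IN) < 0;
}

// Scan the "packages" object of a lockfileVersion 2/3 package-lock.json and
// return every qs install (top-level or nested) on an affected version.
function findAffectedQs(packages) {
  const hits = [];
  for (const [path, meta] of Object.entries(packages)) {
    const isQs = path === 'node_modules/qs' || path.endsWith('/node_modules/qs');
    if (isQs && meta && meta.version && isAffectedQsVersion(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile fragment (not real project data).
const SAMPLE_LOCK_PACKAGES = {
  'node_modules/qs': { version: '6.13.0' },
  'node_modules/express/node_modules/qs': { version: '6.15.2' },
  'node_modules/other': { version: '1.0.0' },
};
```

Nested copies matter because a framework may pin its own 'qs' under its own node_modules directory; upgrading the top-level dependency alone does not replace those.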

Added: May 17, 2026, 12:18 AM
Updated: May 17, 2026, 12:18 AM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 0.6
exploitability: 5.7
remediation: 7.7
relevance: 8.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.