Platform
nodejs
Component
qs
Fixed in
1.0.0
CVE-2014-7191 is a denial-of-service (DoS) vulnerability affecting the qs module for Node.js. This vulnerability arises when the module processes specially crafted strings that lead to the creation of excessively large sparse arrays, ultimately exhausting system memory and causing the application to crash. The vulnerability impacts versions of qs prior to 1.0.0, and a fix is available in version 1.0.0 and later.
The primary impact of CVE-2014-7191 is a denial of service. Successful exploitation allows an attacker to crash the Node.js process handling requests that utilize the qs module. This can disrupt service availability for applications relying on this module for query string parsing. The blast radius is limited to the affected Node.js process; however, if this process handles critical application logic or serves a high volume of requests, the impact can be significant. While no direct data exfiltration is possible, the disruption of service could indirectly impact data availability and integrity.
CVE-2014-7191 was publicly disclosed in 2017. There is no indication of active exploitation campaigns targeting this vulnerability. Public proof-of-concept (PoC) code is available, demonstrating the vulnerability's exploitability. It is not listed on the CISA KEV catalog. The vulnerability's severity is rated as HIGH with a CVSS score of 7.5.
Applications built with Node.js that utilize the qs module and are running versions prior to 1.0.0 are at risk. This includes web applications, APIs, and any other Node.js-based services that process external input data without proper validation.
• nodejs / server: npm list qs
• nodejs / server: npm audit qs
• nodejs / server: Check application logs for errors related to memory exhaustion or crashes after processing input data.
Discovery
Disclosure
Exploit status
EPSS
0.69% (72nd percentile)
The recommended mitigation for CVE-2014-7191 is to upgrade the qs module to version 1.0.0 or later. This version contains the fix that prevents the excessive memory consumption caused by the crafted input. If upgrading is not immediately feasible, consider implementing input validation to sanitize query strings before passing them to the qs module. This could involve limiting the size or complexity of query strings. While not a complete solution, it can reduce the likelihood of exploitation. After upgrading, confirm the fix by attempting to parse a known malicious query string and verifying that the process does not crash.
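The interim input-validation measure described above, as an added example that is not part of this advisory or of the qs project: a pre-parse guard that rejects query strings whose length, number of key/value pairs, or bracketed array indices exceed configurable limits before the string is handed to the parser. The limit values, the function names, and the Express-style middleware shape are assumptions chosen for illustration; the sample query strings are constructed.

```javascript
// Added example, not advisory or qs project code. Limits are assumed values.
const DEFAULT_LIMITS = { maxLength: 2048, maxPairs: 100, maxArrayIndex: 20 };

// Matches a decimal index inside square brackets, e.g. the "100" in "a[100]".
const BRACKET_INDEX = /\[(\d+)\]/g;

// Returns { ok: true } when the raw query string stays within the limits,
// otherwise { ok: false, reason } describing the first limit that was exceeded.
function validateQueryString(raw, limits = DEFAULT_LIMITS) {
  const { maxLength, maxPairs, maxArrayIndex } = { ...DEFAULT_LIMITS, ...limits };
  if (typeof raw !== 'string') return { ok: false, reason: 'query is not a string' };
  if (raw.length > maxLength) {
    return { ok: false, reason: `length ${raw.length} exceeds ${maxLength}` };
  }
  const pairs = raw.split('&').filter(Boolean);
  if (pairs.length > maxPairs) {
    return { ok: false, reason: `${pairs.length} pairs exceed ${maxPairs}` };
  }
  for (const pair of pairs) {
    const key = pair.split('=')[0];
    let decoded;
    try {
      decoded = decodeURIComponent(key); // brackets may arrive as %5B / %5D
    } catch (e) {
      return { ok: false, reason: 'malformed percent-encoding in key' };
    }
    BRACKET_INDEX.lastIndex = 0;
    let m;
    while ((m = BRACKET_INDEX.exec(decoded)) !== null) {
      // Number() handles indices too long for a safe integer; they still compare as huge.
      if (Number(m[1]) > maxArrayIndex) {
        return { ok: false, reason: `array index ${m[1]} exceeds ${maxArrayIndex}` };
      }
    }
  }
  return { ok: true, reason: null };
}

// Assumed Express-style middleware: rejects the request with 400 before any
// query-string parser sees it. Works with plain http req/res objects too.
function queryGuard(limits) {
  return function (req, res, next) {
    const q = req.url.indexOf('?');
    const raw = q === -1 ? '' : req.url.slice(q + 1);
    const result = validateQueryString(raw, limits);
    if (!result.ok) {
      res.statusCode = 400;
      res.end('Bad Request');
      return;
    }
    next();
  };
}

// Constructed samples: ordinary input versus strings that exceed each limit.
const SAMPLES = {
  benign: 'page=2&sort=name&tags[0]=a&tags[1]=b',
  oversizedIndex: 'items[100000]=x',
  encodedIndex: 'items%5B100000%5D=x',
  tooLong: 'k=' + 'v'.repeat(3000),
  tooManyPairs: Array.from({ length: 200 }, (_, i) => `k${i}=1`).join('&'),
};

// Runs every sample through the guard and returns a name -> ok map.
function checkSamples() {
  const out = {};
  for (const [name, raw] of Object.entries(SAMPLES)) {
    out[name] = validateQueryString(raw).ok;
  }
  return out;
}

for (const [name, ok] of Object.entries(checkSamples())) {
  console.log(`${name}: ${ok ? 'accepted' : 'rejected'}`);
}
```

The guard only caps what can reach the parser; upgrading to qs 1.0.0 or later remains the actual fix. The index limit is deliberately conservative, so raise it to whatever your API legitimately needs rather than removing it.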
No official patch available. Check for workarounds or monitor for updates.
CVE-2014-7191 is a denial-of-service vulnerability in the qs Node.js module. A crafted input string can cause excessive memory usage, leading to application crashes.
You are affected if your application uses the qs module and is running a version prior to 1.0.0. Check your project dependencies to determine if you are vulnerable.
Upgrade the qs module to version 1.0.0 or later using npm install qs@latest. Consider input validation as an interim measure.
There are currently no confirmed reports of active exploitation of CVE-2014-7191, but it remains a potential risk.
Refer to the Node Security Project advisory for details: https://www.npmjs.com/advisories/773