Platform: nodejs
Component: qs
Fixed in: 1.0.0
CVE-2014-7191 is a denial-of-service (DoS) vulnerability affecting the qs module for Node.js. This vulnerability arises when the module processes specially crafted strings that lead to the creation of excessively large sparse arrays, ultimately exhausting system memory and causing the application to crash. The vulnerability impacts versions of qs prior to 1.0.0, and a fix is available in version 1.0.0 and later.
An attacker can exploit this vulnerability by sending a malicious string to an application that parses it with the qs module. When parsed, the string triggers the creation of a very large sparse array in memory. The size of this array consumes significant system resources and exhausts available memory; as the application attempts to allocate more, it will likely crash, resulting in a denial of service. The blast radius is limited to the affected Node.js application; however, a successful attack could disrupt service availability for users relying on that application. This vulnerability highlights the importance of validating and sanitizing input data to prevent resource exhaustion attacks.
CVE-2014-7191 is not currently listed on KEV. The EPSS score is likely low, given the lack of public exploitation reports. No public proof-of-concept (PoC) code is readily available. The vulnerability was published on 2017-10-24.
Exploit Status
EPSS: 0.69% (72nd percentile)
The primary mitigation for CVE-2014-7191 is to upgrade the qs module to version 1.0.0 or later. This version includes a fix that prevents the creation of excessively large sparse arrays. If upgrading is not immediately feasible, consider implementing input validation to reject or sanitize strings that are likely to trigger the vulnerability. While not a complete solution, this can reduce the attack surface. Additionally, consider implementing resource limits within the Node.js application to prevent a single process from consuming excessive memory. After upgrading, confirm the fix by attempting to parse a known malicious string and verifying that the application does not crash.
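As an added example (not code from the advisory or the qs project), the following is a pre-parse guard implementing the interim input validation described above. It assumes the trigger is a bracketed numeric array index in a query-string key (a[N]=v with a very large N) and mirrors the bound that qs 1.0.0 introduced with its arrayLimit option (default 20); the parameter-count cap and the middleware shape are constructed for illustration.

```javascript
// Added example, not from the advisory or the qs project. Assumption: the
// trigger is a bracketed numeric index in a query-string key (a[N]=v with a
// huge N) that qs < 1.0.0 turns into an equally huge sparse array. qs 1.0.0
// bounds this with its arrayLimit option (default 20); this guard applies the
// same bound before the raw string reaches the parser.
const MAX_ARRAY_INDEX = 20;   // matches the qs >= 1.0.0 arrayLimit default
const MAX_PARAMS = 1000;      // constructed cap on key=value pairs per request

// Inspect a raw query string (without the leading '?').
// Returns { ok: true } or { ok: false, reason }.
function checkQueryString(raw) {
  const pairs = raw.split('&').filter(Boolean);
  if (pairs.length > MAX_PARAMS) {
    return { ok: false, reason: `too many parameters (${pairs.length})` };
  }
  for (const pair of pairs) {
    const rawKey = pair.split('=')[0];
    let key;
    try {
      // Keys may be percent-encoded (a%5B999%5D); decode before inspecting.
      key = decodeURIComponent(rawKey.replace(/\+/g, ' '));
    } catch {
      return { ok: false, reason: `malformed percent-encoding in key ${rawKey}` };
    }
    // Every purely numeric [...] segment is an array index for qs.
    for (const [, digits] of key.matchAll(/\[(\d+)\]/g)) {
      // Number() copes with digit strings too long for a safe integer:
      // they become a large float or Infinity, which still fails the check.
      if (Number(digits) > MAX_ARRAY_INDEX) {
        return { ok: false, reason: `array index ${digits} exceeds ${MAX_ARRAY_INDEX} in ${key}` };
      }
    }
  }
  return { ok: true };
}

// Connect/Express-style middleware (constructed) that rejects the request
// with 400 before any query parsing runs. The reason is kept server-side.
function rejectOversizedQuery(req, res, next) {
  const q = req.url.indexOf('?');
  const result = checkQueryString(q === -1 ? '' : req.url.slice(q + 1));
  if (!result.ok) {
    res.statusCode = 400;
    res.end('Bad Request');
    return;
  }
  next();
}
```

Mount the middleware ahead of any handler that calls qs.parse on the query; it is a stopgap for the period before the upgrade to qs 1.0.0, not a replacement for it.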
CVE-2014-7191 is a denial-of-service vulnerability in the qs Node.js module. A crafted input string can cause excessive memory usage, leading to application crashes.
You are affected if your application uses the qs module and is running a version prior to 1.0.0. Check your project dependencies to determine if you are vulnerable.
Upgrade the qs module to version 1.0.0 or later using npm install qs@latest. Consider input validation as an interim measure.
There are currently no confirmed reports of active exploitation of CVE-2014-7191, but it remains a potential risk.
Refer to the Node Security Project advisory for details: https://www.npmjs.com/advisories/773