All qs CVEs — Complete Vulnerability History
qs is a query string parser used by Express and hundreds of other packages. Prototype pollution via crafted query strings has been a recurring issue.
npm · 100M+ weekly downloads · 3 CVEs total · 🔴 CISA KEV
Full CVE history
🔴 1 CVE on CISA KEV — actively exploited in real attacks
| CVE | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2014-7191 | 2014 | HIGH | Prototype pollution via __proto__ in query strings | Fixed 1.0.0 |
| CVE-2017-1000048 | 2017 | HIGH | Prototype pollution bypass | Fixed 6.3.2 |
| CVE-2022-24999 | 2022 | 🔴 HIGH | Prototype pollution — CISA KEV | Fixed 6.11.0 |
Current safe version: 6.11.0

```
# Before
"qs": "6.5.2"
# After
"qs": "6.11.0"
```

Then run: `npm install`
Common questions
Why does qs keep having prototype pollution CVEs?
Query string parsing that supports nested objects (a[b]=c) requires recursive object building — which is inherently vulnerable to prototype pollution if __proto__ keys aren't filtered. Each CVE was a new bypass of the previous fix.
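To make the filtering concrete, here is an added example (not qs's own code, and not a drop-in replacement for it) of a minimal `a[b]=c` style parser: every path segment is checked against a forbidden-key list, intermediate objects are created without a prototype, nesting depth is capped, and rejected keys are returned so they can be logged for detection. The `depth` option and the `FORBIDDEN_KEYS` set are this example's own assumptions.

```javascript
// Added example, not qs's own code: a minimal a[b]=c query parser with the
// key filtering and depth cap the answer above describes.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Split a bracket key such as "a[b][c]" into its path ["a", "b", "c"].
function splitKey(key) {
  const m = /^([^[\]]+)((?:\[[^[\]]*\])*)$/.exec(key);
  if (!m) return [key];
  const path = [m[1]];
  const bracket = /\[([^[\]]*)\]/g;
  let seg;
  while ((seg = bracket.exec(m[2])) !== null) path.push(seg[1]);
  return path;
}

// Build the nested object along `path`. Every segment is checked against the
// forbidden list, and intermediate nodes use Object.create(null) so there is
// no prototype chain through which Object.prototype could be reached.
function assign(target, path, value) {
  let node = target;
  for (let i = 0; i < path.length; i++) {
    const seg = path[i];
    if (FORBIDDEN_KEYS.has(seg)) return false;  // drop the whole pair
    if (i === path.length - 1) { node[seg] = value; break; }
    if (typeof node[seg] !== 'object' || node[seg] === null) node[seg] = Object.create(null);
    node = node[seg];
  }
  return true;
}

// Parse a query string. `depth` caps bracket nesting. Returns the parsed
// object plus the raw keys that were rejected, which is what you would log.
function parseQuery(qs, { depth = 5 } = {}) {
  const query = Object.create(null);
  const rejected = [];
  for (const pair of qs.replace(/^\?/, '').split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const rawVal = eq === -1 ? '' : pair.slice(eq + 1);
    let path, value;
    try { path = splitKey(decodeURIComponent(rawKey)); value = decodeURIComponent(rawVal); }
    catch { rejected.push(rawKey); continue; }  // malformed percent-encoding
    if (path.length - 1 > depth || !assign(query, path, value)) rejected.push(rawKey);
  }
  return { query, rejected };
}
```

Keys are decoded before they are split, so a percent-encoded `__proto__` is caught the same way as a literal one.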
Does updating Express fix qs?
Express 4.18.0+ bundles qs 6.11.0. Updating Express to 4.18.0+ is the easiest fix. If you can't update Express, use npm overrides to force a safe qs version.