SB2026051892 - NULL pointer dereference in qs
Published: May 18, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) NULL pointer dereference (CVE-ID: CVE-2026-8723)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in qs.stringify when processing arrays with the comma format and encodeValuesOnly enabled. A remote attacker can supply input containing null or undefined array elements to cause a denial of service.
In typical Node.js HTTP frameworks, the synchronous exception usually causes the affected request to return an error rather than terminating the worker process. The vulnerable input is reachable from JSON request bodies or from application code constructing arrays from user input.
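An added example (not part of the bulletin or of qs): a pre-flight check that reports where a request-derived object holds null or undefined array elements and rejects it before it reaches a stringify call that uses the comma format with encodeValuesOnly. The function names, the error class and the sample body are assumptions made for illustration; the stringify function is passed in by the caller, so the block runs without qs installed.

```javascript
// Added example; names are hypothetical and not part of qs or the bulletin.

// Collect paths such as "$.tags[1]" where an array element is null/undefined.
function findNullishArrayElements(value, path = '$', seen = new WeakSet(), hits = []) {
  if (value === null || typeof value !== 'object' || seen.has(value)) return hits;
  seen.add(value); // guard against cyclic structures built by application code
  if (Array.isArray(value)) {
    // Index loop (not forEach) so holes in sparse arrays are reported too.
    for (let i = 0; i < value.length; i++) {
      const p = `${path}[${i}]`;
      if (value[i] === null || value[i] === undefined) hits.push(p);
      else findNullishArrayElements(value[i], p, seen, hits);
    }
  } else {
    for (const key of Object.keys(value)) {
      findNullishArrayElements(value[key], `${path}.${key}`, seen, hits);
    }
  }
  return hits;
}

class NullishArrayElementError extends Error {
  constructor(paths) {
    super(`null/undefined array element at ${paths.join(', ')}`);
    this.name = 'NullishArrayElementError';
    this.paths = paths;     // for logging which field was malformed
    this.statusCode = 400;  // assumption: the app's error handler maps this to a client error
  }
}

// stringifyFn is whatever the application already calls (e.g. qs.stringify).
// The check runs only for the option combination named in the bulletin.
function stringifyChecked(stringifyFn, input, options = {}) {
  if (options.arrayFormat === 'comma' && options.encodeValuesOnly) {
    const paths = findNullishArrayElements(input);
    if (paths.length > 0) throw new NullishArrayElementError(paths);
  }
  return stringifyFn(input, options);
}

// Constructed sample: a parsed JSON body (null) plus an app-built array (undefined).
const constructedBody = { q: 'x', tags: ['a', null, 'b'], nested: { ids: [1, undefined] } };
console.log(findNullishArrayElements(constructedBody));
```

Rejecting with the offending paths turns an unhandled exception into a logged client error; it is a stopgap alongside the vendor update, not a replacement for it.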
Remediation
Install the update from the vendor's website.