NULL pointer dereference in qs - CVE-2026-8723

 


Published: May 18, 2026


Vulnerability identifier: #VU131746
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-8723
CWE-ID: CWE-476
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: npm Inc.
Affected software:
qs

Detailed vulnerability description

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in qs.stringify when processing arrays with the comma format and encodeValuesOnly enabled. A remote attacker can supply input containing null or undefined array elements to cause a denial of service.

In typical Node.js HTTP frameworks, the synchronous exception usually causes the affected request to return an error rather than terminating the worker process. The vulnerable input is reachable from JSON request bodies or from application code constructing arrays from user input.
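A pre-check for the input shape described above, as an added example that is not code from qs or from this advisory. It reports null, undefined or missing array elements before data reaches a stringify call that uses the comma format with encodeValuesOnly. `findNullishArrayElements` and `guardedStringify` are hypothetical names, the sample body is constructed, and the mapping of `statusCode` 400 to a client error is an assumption about the surrounding framework.

```javascript
// Paths of every array element that is null, undefined or a sparse hole.
function findNullishArrayElements(value, path = '$', seen = new WeakSet(), hits = []) {
  if (value === null || typeof value !== 'object' || seen.has(value)) return hits;
  seen.add(value); // cyclic input must not recurse forever
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) { // index loop also visits holes
      const item = value[i];
      if (item === null || item === undefined) hits.push(`${path}[${i}]`);
      else findNullishArrayElements(item, `${path}[${i}]`, seen, hits);
    }
  } else {
    for (const key of Object.keys(value)) {
      findNullishArrayElements(value[key], `${path}.${key}`, seen, hits);
    }
  }
  return hits;
}

// Hypothetical wrapper: stringifyFn is whatever the application calls today
// (for example qs.stringify); it is passed in so this block has no dependency.
function guardedStringify(stringifyFn, data, options = {}) {
  // Only the option combination named in the advisory is checked.
  const affected = options.arrayFormat === 'comma' && options.encodeValuesOnly === true;
  if (affected) {
    const hits = findNullishArrayElements(data);
    if (hits.length > 0) {
      const err = new TypeError(`nullish array element at ${hits.join(', ')}`);
      err.statusCode = 400; // assumption: the framework maps this to a client error
      throw err;
    }
  }
  return stringifyFn(data, options);
}

// Constructed sample: a JSON request body with a null inside an array.
const sampleBody = JSON.parse('{"filter":{"tags":["a",null,"b"]},"ids":[1,2]}');

function demo() {
  try {
    // The stub stands in for the real stringify call and is never reached here.
    return guardedStringify(() => 'unreached', sampleBody,
      { arrayFormat: 'comma', encodeValuesOnly: true });
  } catch (e) {
    return `${e.statusCode}: ${e.message}`;
  }
}
console.log(demo());
```

Rejecting the request keeps the caller's data unchanged; an application that prefers to drop the offending elements can use the reported paths to do so before calling stringify.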


How to mitigate CVE-2026-8723

Install the security update from the vendor's website.
