CVE-2014-10064
Descriptions
The qs module before 1.0.0 has neither an option nor a default for limiting object depth, so parsing a string that represents a deeply nested object blocks the event loop for long periods of time. An attacker could leverage this to cause a temporary denial-of-service condition. For example, in a web application, other requests would not be processed while this blocking is occurring.
Timeline
- 2017-10-29 CVE Reserved
- 2018-05-31 CVE Published
- 2024-03-05 EPSS Updated
- 2024-09-17 CVE Updated
CWE
- CWE-399: Resource Management Errors
- CWE-400: Uncontrolled Resource Consumption
References (1)
URL | Tag | Source |
---|---|---|
https://nodesecurity.io/advisories/28 | Third Party Advisory |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Qs Project | Qs | < 1.0.0 | node.js | Affected |