TypeError in qs.stringify Method of QS Library for Node.js
CVE-2026-8723

6.3 MEDIUM

Key Information:

Vendor: Ljharb
Status: Vendor
CVE Published: 16 May 2026

What is CVE-2026-8723?

A TypeError occurs in the QS library when the stringify method is called with both 'arrayFormat: comma' and 'encodeValuesOnly: true' on arrays containing null or undefined values. The error is thrown synchronously, which can cause request handling to fail in Node.js frameworks such as Express and Fastify. The cause is an unguarded reference to the length property of null or undefined elements during array mapping. The vulnerability affects versions 6.11.1 to 6.15.1; version 6.15.2 fixes it by handling such cases gracefully without throwing errors.

Affected Version(s)

qs >= 6.11.1, < 6.15.2
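
An added example, not code from the qs project or from this advisory: a pre-flight check that reports whether a qs version falls in the affected range above and whether a planned stringify call combines the two options with an array holding null or undefined. All function names are hypothetical, and scanning nested arrays at every depth is a conservative assumption.

```javascript
// Added example; helper names are hypothetical and not part of qs.
// Range from the advisory: 6.11.1 <= version < 6.15.2.
const AFFECTED_FROM = [6, 11, 1];
const FIXED_IN = [6, 15, 2];

// "6.14.0" or "v6.14.0" -> [6, 14, 0]
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new TypeError('unrecognised version: ' + v);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffectedQsVersion(version) {
  const v = parseVersion(version);
  return compareVersions(v, AFFECTED_FROM) >= 0 && compareVersions(v, FIXED_IN) < 0;
}

// The option combination named in the advisory.
function isRiskyOptions(opts) {
  return Boolean(opts) && opts.arrayFormat === 'comma' && opts.encodeValuesOnly === true;
}

// Paths of arrays holding null/undefined elements (holes included).
// Assumption: every nesting depth is scanned; cycles are skipped.
function findNullishArrayPaths(value, path = '$', seen = new WeakSet(), out = []) {
  if (value === null || typeof value !== 'object' || seen.has(value)) return out;
  seen.add(value);
  const isArr = Array.isArray(value);
  if (isArr && Array.from(value).some((el) => el == null)) out.push(path);
  for (const key of Object.keys(value)) {
    findNullishArrayPaths(value[key], isArr ? `${path}[${key}]` : `${path}.${key}`, seen, out);
  }
  return out;
}

// Does a planned qs.stringify(obj, opts) call meet the advisory's conditions?
function matchesAdvisory(qsVersion, obj, opts) {
  return isAffectedQsVersion(qsVersion) && isRiskyOptions(opts) &&
    findNullishArrayPaths(obj).length > 0;
}
```

The paths returned by `findNullishArrayPaths` can be logged to locate the callers that build such arrays while the upgrade to 6.15.2 is rolled out.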

CVSS V4

Score: 6.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

joannalange