CVE-2026-8723 – qs.stringify crashes on null/undefined entries in comma-format arrays under encodeValuesOnly

CVE ID :CVE-2026-8723

Published : May 17, 2026, 12:16 a.m. | 1 hour, 41 minutes ago

Description :### Summary

`qs.stringify` throws `TypeError` when called with `arrayFormat: ‘comma’` and `encodeValuesOnly: true` on an array containing `null` or `undefined`. The throw is synchronous and not handled by any of qs’s null-related options (`skipNulls`, `strictNullHandling`).

### Details

In the comma + `encodeValuesOnly` branch, `lib/stringify.js:145` mapped the array through the raw encoder before joining:

“`js

obj = utils.maybeMap(obj, encoder);

“`

`utils.encode` (`lib/utils.js:195`) reads `str.length` with no null guard, so a `null` or `undefined` element throws `TypeError`. `skipNulls` and `strictNullHandling` are both checked in the per-element loop below this line and never get a chance to run.

Same class of bug as the filter-array path fixed in 0c180a4. The vulnerable shape of the comma + `encodeValuesOnly` branch was introduced in 4c4b23d (“encode comma values more consistently”, PR #463, 2023-01-19), first released in v6.11.1.

#### PoC

“`js

const qs = require(‘qs’);

qs.stringify({ a: [null, ‘b’] }, { arrayFormat: ‘comma’, encodeValuesOnly: true });

qs.stringify({ a: [undefined, ‘b’] }, { arrayFormat: ‘comma’, encodeValuesOnly: true });

qs.stringify({ a: [null] }, { arrayFormat: ‘comma’, encodeValuesOnly: true });

// TypeError: Cannot read properties of null (reading ‘length’)

// at encode (lib/utils.js:195:13)

// at Object.maybeMap (lib/utils.js:322:37)

// at stringify (lib/stringify.js:145:25)

“`

#### Fix

`lib/stringify.js:145`, applied in 21f80b3 on `main` and released as v6.15.2:

“`diff

– obj = utils.maybeMap(obj, encoder);

+ obj = utils.maybeMap(obj, function (v) {

+ return v == null ? v : encoder(v);

+ });

“`

`null` and `undefined` now pass through `maybeMap` unchanged and reach the `join(‘,’)` step as-is. For `{ a: [null, ‘b’] }` this produces `a=,b`, matching the non-`encodeValuesOnly` comma path (which already joins before encoding and produces `a=%2Cb` for the same input). Single-element `[null]` arrays still collapse via the existing `obj.join(‘,’) || null` and remain subject to `skipNulls` / `strictNullHandling` in the main loop.

### Affected versions

`>=6.11.1
Severity: 6.3 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more… 

نوشته های مشابه

CVE-2026-8719 – AI Engine 3.4.9 – Authenticated (Subscriber+) Privilege Escalation via Missing Authorization in MCP OAuth Bearer Token

CVE-2026-8728 – Open5GS NRF conv.c ogs_sbi_discovery_option_parse_plmn_list denial of service

CVE-2026-8725 – CoreWorxLab CAAL test-hass Endpoint webhooks.py server-side request forgery

CVE-2026-8724 – Dataease Data Dashboard SqlparserUtils.java SqlparserUtils.transFilter sql injection