PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8723 ljharb CVE debrief

CVE-2026-8723 describes a denial-of-service style reliability bug in qs: when qs.stringify is called with arrayFormat:"comma" and encodeValuesOnly:true, a null or undefined element inside an array can trigger a synchronous TypeError instead of producing a query string. The issue is fixed in v6.15.2.

Vendor
ljharb
Product
qs
CVSS
MEDIUM 6.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-17
Original CVE updated
2026-05-18
Advisory published
2026-05-17
Advisory updated
2026-05-18

Who should care

Teams that use qs to serialize user-controlled or application-built arrays, especially in Node.js services that pass arrayFormat:"comma" and encodeValuesOnly:true. Review request-handling, background job, and startup code paths that may stringify arrays containing null or undefined values.

Technical summary

According to the source description, the vulnerable branch in lib/stringify.js mapped comma-formatted arrays through the raw encoder before joining. That meant utils.encode could read str.length on a null or undefined value and throw immediately. The null-handling options skipNulls and strictNullHandling were checked later in the per-element loop, so they did not prevent the exception. The issue affects qs >=6.11.1 <6.15.2 and was fixed by wrapping the encoder so null and undefined pass through unchanged before the join step.

Defensive priority

Medium. The impact is a synchronous exception and service interruption for affected call sites, not a memory-safety issue. Prioritize if your code calls qs.stringify on untrusted or loosely validated arrays with the comma format and encodeValuesOnly enabled.

Recommended defensive actions

  • Upgrade qs to v6.15.2 or later.
  • Search for qs.stringify calls that combine arrayFormat:"comma" with encodeValuesOnly:true.
  • Add input validation or normalization so arrays passed to stringify do not contain null or undefined where this option set is used.
  • Review upstream advisories and release notes for qs before backporting a fix.
  • Add tests covering null and undefined array elements in comma serialization paths.
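To make the failure mode in the technical summary concrete, here is an added JavaScript model of the comma-array path, written for this debrief and not taken from the qs source: `rawEncode` stands in for an encoder that reads `str.length`, `joinCommaVulnerable` and `joinCommaFixed` are assumed names for the before/after shapes described above (the fix wraps the encoder so null and undefined pass through untouched), and `dropNullish` is the caller-side normalization recommended in the list above.

```javascript
// Constructed model of the advisory's failure mode (not qs's own code).
// The stand-in encoder reads str.length first, so null/undefined throw TypeError.
function rawEncode(str) {
  if (str.length === 0) return '';
  return encodeURIComponent(String(str));
}

// Vulnerable shape: every element is mapped through the raw encoder before the
// join, so null/undefined reach the encoder before any skipNulls-style handling.
function joinCommaVulnerable(values) {
  return values.map(rawEncode).join(',');
}

// Fixed shape: wrap the encoder so null and undefined pass through unchanged;
// Array.prototype.join then renders them as empty fields instead of throwing.
function passThroughNulls(encoder) {
  return function (value) {
    if (value === null || value === undefined) return value;
    return encoder(value);
  };
}
function joinCommaFixed(values) {
  return values.map(passThroughNulls(rawEncode)).join(',');
}

// Caller-side mitigation while an upgrade is pending: strip null/undefined from
// array values before the object reaches the comma-format serializer.
function dropNullish(obj) {
  const out = {};
  for (const [key, value] of Object.entries(obj)) {
    out[key] = Array.isArray(value) ? value.filter((v) => v != null) : value;
  }
  return out;
}

// Test helper: reports whether serializing `values` with `fn` raises a TypeError.
function throwsTypeError(fn, values) {
  try {
    fn(values);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}
```

A regression test for the real library would mirror the last block: assert that qs.stringify with arrayFormat:"comma" and encodeValuesOnly:true no longer throws on an array containing null or undefined.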

Evidence notes

This debrief is based on the supplied NVD CVE record and the referenced GitHub commit and security advisory for qs. The record states the vulnerable range as >=6.11.1 <6.15.2 and references commit 21f80b33e5c8b3f7eba1034fff0da4a4a37a1d41 and advisory GHSA-q8mj-m7cp-5q26. NVD weakness mapping lists CWE-476. The source record status was Received at the time the data was supplied.

Official resources

Published in the supplied source data on 2026-05-17T00:16:21.233Z. Use this as the CVE publication timing context; do not substitute generation or review time.