{"id":"UBUNTU-CVE-2014-10064","details":"The qs module before 1.0.0 does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. An attacker could leverage this to cause a temporary denial-of-service condition, for example, in a web application, other requests would not be processed while this blocking is occurring.","modified":"2025-09-08T16:43:18Z","published":"2018-05-31T20:29:00Z","upstream":["CVE-2014-10064"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2014-10064"},{"type":"REPORT","url":"https://nodesecurity.io/advisories/28"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2014-10064"}],"affected":[{"package":{"name":"node-qs","ecosystem":"Ubuntu:Pro:14.04:LTS","purl":"pkg:deb/ubuntu/node-qs@0.6.5-1ubuntu0.1~esm1?arch=source&distro=esm-infra-legacy/trusty"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["0.4.2-1","0.6.5-1","0.6.5-1ubuntu0.1~esm1"],"ecosystem_specific":{"binaries":[{"binary_version":"0.6.5-1ubuntu0.1~esm1","binary_name":"node-qs"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2014/UBUNTU-CVE-2014-10064.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]}