Skip to main content
40M Monthly Downloads, 3 Days to PatchIncident
4 min readFor Security Engineers

40M Monthly Downloads, 3 Days to Patch

What Happened

On February 13th, a high-severity prototype override protection bypass vulnerability was discovered in the qs npm package. This package, which parses query strings, recorded nearly 40 million downloads in the past month. A fix was released three days later.

The vulnerability allowed attackers to bypass protections meant to prevent malicious query string parameters from altering JavaScript object prototypes. Successful exploitation could silently modify application behavior by injecting properties into base objects that all other objects inherit from.

Timeline

Day 0 (February 13th): Vulnerability discovered in qs package
Day 3 (February 16th): Patch released

This rapid 72-hour timeline from discovery to fix is impressive. However, the critical question for your team is: how quickly did you deploy the patch?

Which Controls Failed or Were Missing

The core issue wasn't with the qs package itself—open source maintainers addressed the issue promptly. The failures occurred downstream, in teams using the package:

No Continuous Dependency Scanning. If you're only checking dependencies during npm install for new features, you're missing vulnerabilities in packages installed months ago. The qs package was likely already in your dependency tree when this vulnerability was announced.

No Automated Patch Deployment for Dependencies. Even teams receiving vulnerability alerts often lack a process to evaluate, test, and deploy updates swiftly. While three days from disclosure to patch is fast for maintainers, how fast is your update cycle?

Missing Software Bill of Materials (SBOM). Many teams cannot quickly identify which applications use qs without manually checking package.json files across repositories. When a vulnerability emerges in a package with 40 million monthly downloads, you need an inventory of exposure within hours.

No Prototype Pollution Testing. The vulnerability bypassed existing protections, indicating that original safeguards were incomplete. Teams relying solely on upstream package protections—without validating those protections or implementing defense-in-depth—discovered their assumptions were flawed only after the CVE was disclosed.

What the Relevant Standard Requires

PCI DSS v4.0.1 Requirement 6.3.2 mandates that custom software be reviewed before release to identify and correct coding vulnerabilities. While qs isn't your custom code, your application's dependency management process falls under this requirement. You need a defined process for identifying vulnerabilities in all software components, including third-party libraries.

PCI DSS v4.0.1 Requirement 6.3.3 requires addressing security vulnerabilities based on a risk ranking. A high-severity vulnerability in a package with 40 million monthly downloads—used for parsing user input—ranks high. Your risk assessment must consider both technical severity and exposure surface.

OWASP Top 10 2021: A06:2021 – Vulnerable and Outdated Components directly addresses this scenario. The guidance is clear: maintain an inventory of client-side and server-side components, continuously monitor for vulnerabilities, and have a patch management process that can respond to disclosed vulnerabilities.

ISO/IEC 27001:2022 Control 8.8 requires obtaining timely information about technical vulnerabilities, evaluating exposure, and taking appropriate measures. "Timely" for a high-severity vulnerability in a parsing library should be measured in days, not weeks.

NIST 800-53 Rev 5 SI-2 requires identifying, reporting, and correcting system flaws, testing updates before installation, and installing security-relevant updates within organization-defined time periods. If your organization hasn't defined those time periods for different severity levels, you're not compliant with the control.

Lessons and Action Items for Your Team

Implement Continuous Dependency Scanning. Tools like Snyk, GitHub Dependabot, or Sonatype Nexus Lifecycle should run against your repositories daily, not just on commit. When a new vulnerability is published, you need alerts within hours.

Define SLA-Based Patching Windows by Severity. High-severity vulnerabilities in packages that parse user input should have a 7-day remediation window maximum. Critical vulnerabilities with active exploits: 72 hours. Document these windows and track compliance.

Build an SBOM for Every Application. Use npm list or dedicated SBOM tools to generate a complete dependency graph. Store these in a central location. When the next qs-style vulnerability emerges, you need to answer "which apps are affected?" in minutes.

Test for Prototype Pollution in Your Security Testing. Don't assume upstream packages handle this correctly. Add test cases that attempt to inject __proto__, constructor, and prototype properties through query strings, JSON bodies, and other user input vectors. Verify your application rejects these attempts.

Automate Dependency Updates for Patch Versions. Configure Dependabot or Renovate to automatically open PRs for patch-level updates. Run your test suite against these updates automatically. If tests pass, merge within 24 hours. This reduces your response time from "someone needs to notice and create a PR" to "someone needs to review passing tests."

Create a Dependency Update Runbook. Document who evaluates the vulnerability, who tests the update, who approves deployment, and what testing is required before production. When a vulnerability drops on Friday afternoon, you need a process that doesn't depend on everyone being available.

Review Your Transitive Dependencies. The qs package might be in your dependency tree because another package depends on it. Run npm ls qs to see the full chain. If a package you depend on is pulling in vulnerable versions of its dependencies, you need to either upgrade the parent package or find an alternative.

The qs vulnerability was fixed in three days. The real question is: how many days passed before your production applications were patched?

Topics:Incident

You Might Also Like