diff --git a/lib/querystring.js b/lib/querystring.js
index b034635668faa8..62404b75c7a717 100644
--- a/lib/querystring.js
+++ b/lib/querystring.js
@@ -138,7 +138,12 @@ QueryString.escape = function(str) {
     }
     // Surrogate pair
     ++i;
-    c = 0x10000 + (((c & 0x3FF) << 10) | (str.charCodeAt(i) & 0x3FF));
+    var c2;
+    if (i < str.length)
+      c2 = str.charCodeAt(i) & 0x3FF;
+    else
+      throw new URIError('URI malformed');
+    c = 0x10000 + (((c & 0x3FF) << 10) | c2);
     out += hexTable[0xF0 | (c >> 18)] +
            hexTable[0x80 | ((c >> 12) & 0x3F)] +
            hexTable[0x80 | ((c >> 6) & 0x3F)] +
diff --git a/test/parallel/test-querystring.js b/test/parallel/test-querystring.js
index b4388852499ed1..2db59be1750da2 100644
--- a/test/parallel/test-querystring.js
+++ b/test/parallel/test-querystring.js
@@ -139,6 +139,11 @@ qsWeirdObjects.forEach(function(testCase) {
   assert.equal(testCase[1], qs.stringify(testCase[0]));
 });
 
+// invalid surrogate pair throws URIError
+assert.throws(function() {
+  qs.stringify({ foo: '\udc00' });
+}, URIError);
+
 // coerce numbers to string
 assert.strictEqual('foo=0', qs.stringify({ foo: 0 }));
 assert.strictEqual('foo=0', qs.stringify({ foo: -0 }));