CVE-2025-15284 - Vulnerability Details

Link	Providers
https://github.com/ljharb/qs/commit/3086902ecf7f088d0d1803887643ac6c03d415b9
https://github.com/ljharb/qs/security/advisories/GHSA-6rw7-vpxm-498p

Type	Values Removed	Values Added
Description		Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS.This issue affects qs: < 6.14.1. SummaryThe arrayLimit option in qs does not enforce limits for bracket notation (a[]=1&a[]=2), allowing attackers to cause denial-of-service via memory exhaustion. Applications using arrayLimit for DoS protection are vulnerable. DetailsThe arrayLimit option only checks limits for indexed notation (a[0]=1&a[1]=2) but completely bypasses it for bracket notation (a[]=1&a[]=2). Vulnerable code (lib/parse.js:159-162): if (root === '[]' && options.parseArrays) { obj = utils.combine([], leaf); // No arrayLimit check } Working code (lib/parse.js:175): else if (index <= options.arrayLimit) { // Limit checked here obj = []; obj[index] = leaf; } The bracket notation handler at line 159 uses utils.combine([], leaf) without validating against options.arrayLimit, while indexed notation at line 175 checks index <= options.arrayLimit before creating arrays. PoCTest 1 - Basic bypass: npm install qs const qs = require('qs'); const result = qs.parse('a[]=1&a[]=2&a[]=3&a[]=4&a[]=5&a[]=6', { arrayLimit: 5 }); console.log(result.a.length); // Output: 6 (should be max 5) Test 2 - DoS demonstration: const qs = require('qs'); const attack = 'a[]=' + Array(10000).fill('x').join('&a[]='); const result = qs.parse(attack, { arrayLimit: 100 }); console.log(result.a.length); // Output: 10000 (should be max 100) Configuration: * arrayLimit: 5 (test 1) or arrayLimit: 100 (test 2) * Use bracket notation: a[]=value (not indexed a[0]=value) ImpactDenial of Service via memory exhaustion. Affects applications using qs.parse() with user-controlled input and arrayLimit for protection. Attack scenario: * Attacker sends HTTP request: GET /api/search?filters[]=x&filters[]=x&...&filters[]=x (100,000+ times) * Application parses with qs.parse(query, { arrayLimit: 100 }) * qs ignores limit, parses all 100,000 elements into array * Server memory exhausted → application crashes or becomes unresponsive * Service unavailable for all users Real-world impact: * Single malicious request can crash server * No authentication required * Easy to automate and scale * Affects any endpoint parsing query strings with bracket notation
Title		arrayLimit bypass in bracket notation allows DoS via memory exhaustion
Weaknesses		CWE-20
References		https://github.com/ljharb/qs/commit/3086902ecf7f088d0d1803887643ac6c03d415b9 https://github.com/ljharb/qs/security/advisories/GHSA-6rw7-vpxm-498p
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}` cvssV4_0 `{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}`

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-15284", "assignerOrgId": "7ffcee3d-2c14-4c3e-b844-86c6a321a158", "state": "PUBLISHED", "assignerShortName": "harborist", "dateReserved": "2025-12-29T21:36:51.399Z", "datePublished": "2025-12-29T22:56:45.240Z", "dateUpdated": "2025-12-29T22:56:45.240Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://npmjs.com/qs", "defaultStatus": "affected", "modules": ["parse"], "packageName": "qs", "repo": "https://github.com/ljharb/qs", "versions": [{"status": "affected", "version": "< 6.14.1", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS.<p>This issue affects qs: < 6.14.1.</p><h3><br>Summary</h3><p>The <code>arrayLimit</code> option in qs does not enforce limits for bracket notation (<code>a[]=1&a[]=2</code>), allowing attackers to cause denial-of-service via memory exhaustion. Applications using <code>arrayLimit</code> for DoS protection are vulnerable.</p><h3>Details</h3><p>The <code>arrayLimit</code> option only checks limits for indexed notation (<code>a[0]=1&a[1]=2</code>) but completely bypasses it for bracket notation (<code>a[]=1&a[]=2</code>).</p><p><strong>Vulnerable code</strong> (<code>lib/parse.js:159-162</code>):</p><div><pre>if (root === '[]' && options.parseArrays) {\n obj = utils.combine([], leaf); // No arrayLimit check\n}</pre><div></div></div><p><strong>Working code</strong> (<code>lib/parse.js:175</code>):</p><div><pre>else if (index <= options.arrayLimit) { // Limit checked here\n obj = [];\n obj[index] = leaf;\n}</pre><div></div></div><p>The bracket notation handler at line 159 uses <code>utils.combine([], leaf)</code> without validating against <code>options.arrayLimit</code>, while indexed notation at line 175 checks <code>index <= options.arrayLimit</code> before creating arrays.</p><h3>PoC</h3><p><strong>Test 1 - Basic bypass:</strong></p><div><pre>npm install qs</pre><div></div></div><div><pre>const qs = require('qs');\nconst result = qs.parse('a[]=1&a[]=2&a[]=3&a[]=4&a[]=5&a[]=6', { arrayLimit: 5 });\nconsole.log(result.a.length); // Output: 6 (should be max 5)</pre><div></div></div><p><strong>Test 2 - DoS demonstration:</strong></p><div><pre>const qs = require('qs');\nconst attack = 'a[]=' + Array(10000).fill('x').join('&a[]=');\nconst result = qs.parse(attack, { arrayLimit: 100 });\nconsole.log(result.a.length); // Output: 10000 (should be max 100)</pre><div></div></div><p><strong>Configuration:</strong></p><ul><li><code>arrayLimit: 5</code> (test 1) or <code>arrayLimit: 100</code> (test 2)</li><li>Use bracket notation: <code>a[]=value</code> (not indexed <code>a[0]=value</code>)</li></ul><h3>Impact</h3><p>Denial of Service via memory exhaustion. Affects applications using <code>qs.parse()</code> with user-controlled input and <code>arrayLimit</code> for protection.</p><p><strong>Attack scenario:</strong></p><ol><li>Attacker sends HTTP request: <code>GET /api/search?filters[]=x&filters[]=x&...&filters[]=x</code> (100,000+ times)</li><li>Application parses with <code>qs.parse(query, { arrayLimit: 100 })</code></li><li>qs ignores limit, parses all 100,000 elements into array</li><li>Server memory exhausted \u2192 application crashes or becomes unresponsive</li><li>Service unavailable for all users</li></ol><p><strong>Real-world impact:</strong></p><ul><li>Single malicious request can crash server</li><li>No authentication required</li><li>Easy to automate and scale</li><li>Affects any endpoint parsing query strings with bracket notation</li></ul>"}], "value": "Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS.This issue affects qs: < 6.14.1.\n\n\nSummaryThe arrayLimit\u00a0option in qs does not enforce limits for bracket notation (a[]=1&a[]=2), allowing attackers to cause denial-of-service via memory exhaustion. Applications using arrayLimit\u00a0for DoS protection are vulnerable.\n\nDetailsThe arrayLimit\u00a0option only checks limits for indexed notation (a[0]=1&a[1]=2) but completely bypasses it for bracket notation (a[]=1&a[]=2).\n\nVulnerable code\u00a0(lib/parse.js:159-162):\n\nif (root === '[]' && options.parseArrays) {\n obj = utils.combine([], leaf); // No arrayLimit check\n}\n\n\n\n\n\nWorking code\u00a0(lib/parse.js:175):\n\nelse if (index <= options.arrayLimit) { // Limit checked here\n obj = [];\n obj[index] = leaf;\n}\n\n\n\n\n\nThe bracket notation handler at line 159 uses utils.combine([], leaf)\u00a0without validating against options.arrayLimit, while indexed notation at line 175 checks index <= options.arrayLimit\u00a0before creating arrays.\n\nPoCTest 1 - Basic bypass:\n\nnpm install qs\n\n\n\n\n\nconst qs = require('qs');\nconst result = qs.parse('a[]=1&a[]=2&a[]=3&a[]=4&a[]=5&a[]=6', { arrayLimit: 5 });\nconsole.log(result.a.length); // Output: 6 (should be max 5)\n\n\n\n\n\nTest 2 - DoS demonstration:\n\nconst qs = require('qs');\nconst attack = 'a[]=' + Array(10000).fill('x').join('&a[]=');\nconst result = qs.parse(attack, { arrayLimit: 100 });\nconsole.log(result.a.length); // Output: 10000 (should be max 100)\n\n\n\n\n\nConfiguration:\n\n * arrayLimit: 5\u00a0(test 1) or arrayLimit: 100\u00a0(test 2)\n * Use bracket notation: a[]=value\u00a0(not indexed a[0]=value)\n\n\nImpactDenial of Service via memory exhaustion. Affects applications using qs.parse()\u00a0with user-controlled input and arrayLimit\u00a0for protection.\n\nAttack scenario:\n\n * Attacker sends HTTP request: GET /api/search?filters[]=x&filters[]=x&...&filters[]=x\u00a0(100,000+ times)\n * Application parses with qs.parse(query, { arrayLimit: 100 })\n * qs ignores limit, parses all 100,000 elements into array\n * Server memory exhausted \u2192 application crashes or becomes unresponsive\n * Service unavailable for all users\nReal-world impact:\n\n * Single malicious request can crash server\n * No authentication required\n * Easy to automate and scale\n * Affects any endpoint parsing query strings with bracket notation"}], "impacts": [{"capecId": "CAPEC-469", "descriptions": [{"lang": "en", "value": "CAPEC-469 HTTP DoS"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.7, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7ffcee3d-2c14-4c3e-b844-86c6a321a158", "shortName": "harborist", "dateUpdated": "2025-12-29T22:56:45.240Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://github.com/ljharb/qs/security/advisories/GHSA-6rw7-vpxm-498p"}, {"tags": ["patch"], "url": "https://github.com/ljharb/qs/commit/3086902ecf7f088d0d1803887643ac6c03d415b9"}], "source": {"discovery": "UNKNOWN"}, "title": "arrayLimit bypass in bracket notation allows DoS via memory exhaustion", "x_generator": {"engine": "Vulnogram 0.5.0"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS.This issue affects qs: < 6.14.1.\n\n\nSummaryThe arrayLimit\u00a0option in qs does not enforce limits for bracket notation (a[]=1&a[]=2), allowing attackers to cause denial-of-service via memory exhaustion. Applications using arrayLimit\u00a0for DoS protection are vulnerable.\n\nDetailsThe arrayLimit\u00a0option only checks limits for indexed notation (a[0]=1&a[1]=2) but completely bypasses it for bracket notation (a[]=1&a[]=2).\n\nVulnerable code\u00a0(lib/parse.js:159-162):\n\nif (root === '[]' && options.parseArrays) {\n obj = utils.combine([], leaf); // No arrayLimit check\n}\n\n\n\n\n\nWorking code\u00a0(lib/parse.js:175):\n\nelse if (index <= options.arrayLimit) { // Limit checked here\n obj = [];\n obj[index] = leaf;\n}\n\n\n\n\n\nThe bracket notation handler at line 159 uses utils.combine([], leaf)\u00a0without validating against options.arrayLimit, while indexed notation at line 175 checks index <= options.arrayLimit\u00a0before creating arrays.\n\nPoCTest 1 - Basic bypass:\n\nnpm install qs\n\n\n\n\n\nconst qs = require('qs');\nconst result = qs.parse('a[]=1&a[]=2&a[]=3&a[]=4&a[]=5&a[]=6', { arrayLimit: 5 });\nconsole.log(result.a.length); // Output: 6 (should be max 5)\n\n\n\n\n\nTest 2 - DoS demonstration:\n\nconst qs = require('qs');\nconst attack = 'a[]=' + Array(10000).fill('x').join('&a[]=');\nconst result = qs.parse(attack, { arrayLimit: 100 });\nconsole.log(result.a.length); // Output: 10000 (should be max 100)\n\n\n\n\n\nConfiguration:\n\n * arrayLimit: 5\u00a0(test 1) or arrayLimit: 100\u00a0(test 2)\n * Use bracket notation: a[]=value\u00a0(not indexed a[0]=value)\n\n\nImpactDenial of Service via memory exhaustion. Affects applications using qs.parse()\u00a0with user-controlled input and arrayLimit\u00a0for protection.\n\nAttack scenario:\n\n * Attacker sends HTTP request: GET /api/search?filters[]=x&filters[]=x&...&filters[]=x\u00a0(100,000+ times)\n * Application parses with qs.parse(query, { arrayLimit: 100 })\n * qs ignores limit, parses all 100,000 elements into array\n * Server memory exhausted \u2192 application crashes or becomes unresponsive\n * Service unavailable for all users\nReal-world impact:\n\n * Single malicious request can crash server\n * No authentication required\n * Easy to automate and scale\n * Affects any endpoint parsing query strings with bracket notation"}], "id": "CVE-2025-15284", "lastModified": "2025-12-29T23:15:42.703", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "7ffcee3d-2c14-4c3e-b844-86c6a321a158", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "7ffcee3d-2c14-4c3e-b844-86c6a321a158", "type": "Secondary"}]}, "published": "2025-12-29T23:15:42.703", "references": [{"source": "7ffcee3d-2c14-4c3e-b844-86c6a321a158", "url": "https://github.com/ljharb/qs/commit/3086902ecf7f088d0d1803887643ac6c03d415b9"}, {"source": "7ffcee3d-2c14-4c3e-b844-86c6a321a158", "url": "https://github.com/ljharb/qs/security/advisories/GHSA-6rw7-vpxm-498p"}], "sourceIdentifier": "7ffcee3d-2c14-4c3e-b844-86c6a321a158", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "7ffcee3d-2c14-4c3e-b844-86c6a321a158", "type": "Secondary"}]}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object