qs-6.14.0.tgz: 1 vulnerabilities (highest severity is: 7.5) #11150
Description
Vulnerable Library - qs-6.14.0.tgz
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.14.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /home/wss-scanner/.yarn/berry/cache/qs-npm-6.14.0-6b298311eb-10c0.zip
Found in HEAD commit: da0c9c84fdbc82b3b8e2221482a86225136e26be
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Dependency | Type | Fixed in (qs version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2025-15284 |  High |
7.5 | qs-6.14.0.tgz | Direct | 6.14.1 | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2025-15284
Vulnerable Library - qs-6.14.0.tgz
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.14.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /home/wss-scanner/.yarn/berry/cache/qs-npm-6.14.0-6b298311eb-10c0.zip
Dependency Hierarchy:
- ❌ qs-6.14.0.tgz (Vulnerable Library)
Found in HEAD commit: da0c9c84fdbc82b3b8e2221482a86225136e26be
Found in base branch: main
Vulnerability Details
Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS.This issue affects qs: < 6.14.1. SummaryThe arrayLimit option in qs does not enforce limits for bracket notation (a[]=1&a[]=2), allowing attackers to cause denial-of-service via memory exhaustion. Applications using arrayLimit for DoS protection are vulnerable. DetailsThe arrayLimit option only checks limits for indexed notation (a[0]=1&a[1]=2) but completely bypasses it for bracket notation (a[]=1&a[]=2). Vulnerable code (lib/parse.js:159-162): if (root === '[]' && options.parseArrays) { obj = utils.combine([], leaf); // No arrayLimit check } Working code (lib/parse.js:175): else if (index <= options.arrayLimit) { // Limit checked here obj = []; obj[index] = leaf; } The bracket notation handler at line 159 uses utils.combine([], leaf) without validating against options.arrayLimit, while indexed notation at line 175 checks index <= options.arrayLimit before creating arrays. PoCTest 1 - Basic bypass: npm install qs const qs = require('qs'); const result = qs.parse('a[]=1&a[]=2&a[]=3&a[]=4&a[]=5&a[]=6', { arrayLimit: 5 }); console.log(result.a.length); // Output: 6 (should be max 5) Test 2 - DoS demonstration: const qs = require('qs'); const attack = 'a[]=' + Array(10000).fill('x').join('&a[]='); const result = qs.parse(attack, { arrayLimit: 100 }); console.log(result.a.length); // Output: 10000 (should be max 100) Configuration: * arrayLimit: 5 (test 1) or arrayLimit: 100 (test 2) * Use bracket notation: a[]=value (not indexed a[0]=value) ImpactDenial of Service via memory exhaustion. Affects applications using qs.parse() with user-controlled input and arrayLimit for protection. Attack scenario: * Attacker sends HTTP request: GET /api/search?filters[]=x&filters[]=x&...&filters[]=x (100,000+ times) * Application parses with qs.parse(query, { arrayLimit: 100 }) * qs ignores limit, parses all 100,000 elements into array * Server memory exhausted → application crashes or becomes unresponsive * Service unavailable for all users Real-world impact: * Single malicious request can crash server * No authentication required * Easy to automate and scale * Affects any endpoint parsing query strings with bracket notation
Publish Date: 2025-12-29
URL: CVE-2025-15284
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-6rw7-vpxm-498p
Release Date: 2025-12-29
Fix Resolution: 6.14.1
Step up your Open Source Security Game with Mend here