CVE-2025-15284
Unknown Unknown - Not Provided
Improper Input Validation in qs Parse Module Causes HTTP DoS

Publication date: 2025-12-29

Last updated on: 2026-02-26

Assigner: harborist

Description
Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS.This issue affects qs: < 6.14.1. Summary The arrayLimit option in qs did not enforce limits for bracket notation (a[]=1&a[]=2), only for indexed notation (a[0]=1). This is a consistency bug; arrayLimit should apply uniformly across all array notations. Note: The default parameterLimit of 1000 effectively mitigates the DoS scenario originally described. With default options, bracket notation cannot produce arrays larger than parameterLimit regardless of arrayLimit, because each a[]=valueconsumes one parameter slot. The severity has been reduced accordingly. Details The arrayLimit option only checked limits for indexed notation (a[0]=1&a[1]=2) but did not enforce it for bracket notation (a[]=1&a[]=2). Vulnerable code (lib/parse.js:159-162): if (root === '[]' && options.parseArrays) { obj = utils.combine([], leaf); // No arrayLimit check } Working code (lib/parse.js:175): else if (index <= options.arrayLimit) { // Limit checked here obj = []; obj[index] = leaf; } The bracket notation handler at line 159 uses utils.combine([], leaf) without validating against options.arrayLimit, while indexed notation at line 175 checks index <= options.arrayLimit before creating arrays. PoC const qs = require('qs'); const result = qs.parse('a[]=1&a[]=2&a[]=3&a[]=4&a[]=5&a[]=6', { arrayLimit: 5 }); console.log(result.a.length); // Output: 6 (should be max 5) Note on parameterLimit interaction: The original advisory's "DoS demonstration" claimed a length of 10,000, but parameterLimit (default: 1000) caps parsing to 1,000 parameters. With default options, the actual output is 1,000, not 10,000. Impact Consistency bug in arrayLimit enforcement. With default parameterLimit, the practical DoS risk is negligible since parameterLimit already caps the total number of parsed parameters (and thus array elements from bracket notation). The risk increases only when parameterLimit is explicitly set to a very high value.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-29
Last Modified
2026-02-26
Generated
2026-05-07
AI Q&A
2025-12-30
EPSS Evaluated
2026-05-05
NVD
CVE-2025-15284
EUVD
EUVD-2025-205660
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
qs_project qs to 6.14.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is an improper input validation issue in the 'qs' library's parse modules, specifically affecting versions before 6.14.1. The 'arrayLimit' option is intended to limit the number of array elements parsed from query strings. However, it only enforces limits for indexed notation (e.g., a[0]=1) and completely bypasses limits for bracket notation (e.g., a[]=1&a[]=2). This allows attackers to send HTTP requests with many bracket notation parameters, causing the parser to create very large arrays without limit checks, leading to memory exhaustion and denial of service.


How can this vulnerability impact me? :

The vulnerability can cause denial of service (DoS) by exhausting server memory. An attacker can send a single HTTP request with a very large number of parameters using bracket notation, bypassing the 'arrayLimit' protection. This causes the server to allocate excessive memory, potentially crashing the application or making it unresponsive, resulting in service unavailability for all users. No authentication is required, and the attack is easy to automate and scale, affecting any endpoint parsing query strings with bracket notation.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing the qs.parse() function with bracket notation query strings that exceed the configured arrayLimit. For example, you can run Node.js commands to parse a query string with multiple bracket notation parameters and check if the resulting array length exceeds the arrayLimit setting, indicating the vulnerability. Example commands: const qs = require('qs'); const result = qs.parse('a[]=1&a[]=2&a[]=3&a[]=4&a[]=5&a[]=6', { arrayLimit: 5 }); console.log(result.a.length); // Output: 6 (should be max 5) Or for a larger test: const attack = 'a[]=' + Array(10000).fill('x').join('&a[]='); const result = qs.parse(attack, { arrayLimit: 100 }); console.log(result.a.length); // Output: 10000 (should be max 100) If the output array length exceeds the arrayLimit, the system is vulnerable.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include avoiding the use of qs versions below 6.14.1, as the vulnerability affects qs versions less than 6.14.1. Additionally, do not rely solely on the arrayLimit option for DoS protection when using bracket notation, since it does not enforce limits properly. Consider updating the qs library to version 6.14.1 or later where this issue is fixed. Also, implement additional input validation or rate limiting on incoming HTTP requests to prevent excessive memory consumption from large arrays in query strings.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart