CVE-2026-2391
Undergoing Analysis Undergoing Analysis - In Progress
Denial of Service via Array Limit Bypass in qs Comma Parsing

Publication date: 2026-02-12

Last updated on: 2026-02-24

Assigner: harborist

Description
### Summary The `arrayLimit` option in qs does not enforce limits for comma-separated values when `comma: true` is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar to the bracket notation bypass addressed in GHSA-6rw7-vpxm-498p (CVE-2025-15284). ### Details When the `comma` option is set to `true` (not the default, but configurable in applications), qs allows parsing comma-separated strings as arrays (e.g., `?param=a,b,c` becomes `['a', 'b', 'c']`). However, the limit check for `arrayLimit` (default: 20) and the optional throwOnLimitExceeded occur after the comma-handling logic in `parseArrayValue`, enabling a bypass. This permits creation of arbitrarily large arrays from a single parameter, leading to excessive memory allocation. **Vulnerable code** (lib/parse.js: lines ~40-50): ```js if (val && typeof val === 'string' && options.comma && val.indexOf(',') > -1) { Β  Β  return val.split(','); } if (options.throwOnLimitExceeded && currentArrayLength >= options.arrayLimit) { Β  Β  throw new RangeError('Array limit exceeded. Only ' + options.arrayLimit + ' element' + (options.arrayLimit === 1 ? '' : 's') + ' allowed in an array.'); } return val; ``` The `split(',')` returns the array immediately, skipping the subsequent limit check. Downstream merging via `utils.combine` does not prevent allocation, even if it marks overflows for sparse arrays.This discrepancy allows attackers to send a single parameter with millions of commas (e.g., `?param=,,,,,,,,...`), allocating massive arrays in memory without triggering limits. It bypasses the intent of `arrayLimit`, which is enforced correctly for indexed (`a[0]=`) and bracket (`a[]=`) notations (the latter fixed in v6.14.1 per GHSA-6rw7-vpxm-498p). ### PoC **Test 1 - Basic bypass:** ``` npm install qs ``` ```js const qs = require('qs'); const payload = 'a=' + ','.repeat(25); // 26 elements after split (bypasses arrayLimit: 5) const options = { comma: true, arrayLimit: 5, throwOnLimitExceeded: true }; try { Β  const result = qs.parse(payload, options); Β  console.log(result.a.length); // Outputs: 26 (bypass successful) } catch (e) { Β  console.log('Limit enforced:', e.message); // Not thrown } ``` **Configuration:** - `comma: true` - `arrayLimit: 5` - `throwOnLimitExceeded: true` Expected: Throws "Array limit exceeded" error. Actual: Parses successfully, creating an array of length 26. ### Impact Denial of Service (DoS) via memory exhaustion.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-12
Last Modified
2026-02-24
Generated
2026-05-07
AI Q&A
2026-02-12
EPSS Evaluated
2026-05-05
NVD
CVE-2026-2391
EUVD
EUVD-2026-6720
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
qs_project qs From 6.7.0 (inc) to 6.14.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

[{'type': 'paragraph', 'content': "This vulnerability exists in the 'qs' library's parsing function when the 'comma' option is enabled. Normally, the 'arrayLimit' option restricts the maximum number of elements allowed in arrays parsed from query strings. However, when parsing comma-separated values (e.g., '?param=a,b,c'), the limit check is bypassed because the code immediately returns the array created by splitting the string on commas without enforcing the 'arrayLimit'."}, {'type': 'paragraph', 'content': 'As a result, an attacker can craft a single query parameter containing millions of commas, causing the parser to allocate a very large array in memory. This leads to excessive memory consumption and can cause a denial-of-service (DoS) condition by exhausting system resources.'}, {'type': 'paragraph', 'content': "This bypass is similar to a previously fixed issue with bracket notation parsing but specifically affects comma-separated value parsing when 'comma: true' is set."}] [2]


How can this vulnerability impact me? :

The primary impact of this vulnerability is a denial-of-service (DoS) attack via memory exhaustion. An attacker can send a specially crafted query string with a single parameter containing an extremely large number of commas, causing the application to allocate a massive array in memory.

This excessive memory allocation can degrade system performance, cause crashes, or make the application unresponsive, potentially disrupting service availability.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing if the qs library in your application improperly parses query strings with the comma option enabled, allowing arrays to exceed the configured arrayLimit without throwing an error.'}, {'type': 'paragraph', 'content': 'A practical way to detect this is to run a test script that parses a query string parameter containing many commas with the options { comma: true, arrayLimit: 5, throwOnLimitExceeded: true } and observe if the parser throws an error or returns an array exceeding the limit.'}, {'type': 'paragraph', 'content': 'Example Node.js test command:'}, {'type': 'list_item', 'content': 'npm install qs'}, {'type': 'list_item', 'content': 'Create a test script with the following code:'}, {'type': 'list_item', 'content': "```js\nconst qs = require('qs');\nconst payload = 'a=' + ','.repeat(25); // 26 elements after split\nconst options = { comma: true, arrayLimit: 5, throwOnLimitExceeded: true };\ntry {\n const result = qs.parse(payload, options);\n console.log('Array length:', result.a.length); // If > arrayLimit, vulnerability exists\n} catch (e) {\n console.log('Limit enforced:', e.message);\n}\n```"}, {'type': 'paragraph', 'content': 'If the output shows an array length greater than the arrayLimit without throwing an error, the vulnerability is present.'}] [2]


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, immediately update the qs library to version 6.14.2 or later, where the issue has been fixed.

The fix enforces the arrayLimit option correctly on comma-separated values by checking the array length after splitting and throwing an error or truncating the array if the limit is exceeded.

If updating is not immediately possible, consider disabling the comma option or implementing additional input validation to limit the size of arrays parsed from query strings.

Monitor and restrict incoming query strings that contain excessively long comma-separated values to prevent memory exhaustion.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart