Qs · Qs · CVE-2025-15284
**Name of the Vulnerable Software and Affected Versions**
qs versions prior to 6.14.1
**Description**
A flaw exists in the qs query-string parsing library (in its parse module) where the `arrayLimit` option does not properly enforce limits when using bracket notation in query strings, leading to a potential HTTP Denial of Service (DoS). The `arrayLimit` option only validates indexed notation (e.g., `a[0]=1`) and is not applied to bracket notation (e.g., `a[]=1`). This allows attackers to exhaust server memory by sending requests with a large number of array elements in bracket notation. The vulnerable code is located in `lib/parse.js` lines 159-162, where `utils.combine([], leaf)` is used without checking the `arrayLimit`.

An attacker can exploit this by sending a crafted HTTP request to an **API endpoint** such as `/api/search` with a query string containing numerous parameters in bracket notation, for example `filters[]=x&filters[]=x&...&filters[]=x`. The application then parses this query string using `qs.parse()` with a specified `arrayLimit`, but the library fails to enforce the limit, resulting in excessive memory consumption. The vulnerable parameter is the query string itself, specifically the values associated with array parameters such as `filters`.
**Recommendations**
Update qs to version 6.14.1 or later.
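Upgrading is the fix. For deployments that cannot upgrade immediately, the following is an added defensive example, not code from this advisory or from the qs project: it counts array-style entries per key in the raw query string before any parser runs, and it also truncates over-long arrays in an already-parsed object. It works on the raw string and does not require qs; the count-based limit is simpler than qs's own `arrayLimit` index semantics and is not a reimplementation of it. The Express-style `req.url` / `res.status().send()` usage in `arrayLimitGuard`, the limit of 20 and the `filters[]` sample are assumptions constructed for the example.

```javascript
// Added defensive example (not part of the advisory or the qs project).
// Guard a query string against oversized array parameters BEFORE it reaches
// a parser such as qs.parse(), and enforce a limit on parsed output as a
// fallback. Count-based; does not reproduce qs's arrayLimit index rules.

/**
 * Count array-style entries per top-level key in a raw query string.
 * Both "filters[]=x" (bracket notation, the unguarded case in the advisory)
 * and "filters[0]=x" (indexed notation) are counted, so the guard does not
 * depend on which notation the client chose. Object keys like "a[b]=1"
 * are not arrays and are ignored.
 */
function countArrayEntries(queryString) {
  const counts = new Map();
  const q = queryString.startsWith('?') ? queryString.slice(1) : queryString;
  if (q.length === 0) return counts;
  for (const part of q.split('&')) {
    if (part.length === 0) continue;
    const rawKey = part.split('=')[0];
    let key;
    try {
      key = decodeURIComponent(rawKey.replace(/\+/g, ' '));
    } catch {
      key = rawKey; // malformed percent-encoding: fall back to the raw key
    }
    // "name[]" or "name[123]", optionally followed by nested segments
    const m = /^([^\[]+)\[(\d*)\]/.exec(key);
    if (!m) continue;
    const base = m[1];
    counts.set(base, (counts.get(base) || 0) + 1);
  }
  return counts;
}

/** True if any key carries more array entries than `limit`. */
function exceedsArrayLimit(queryString, limit) {
  for (const n of countArrayEntries(queryString).values()) {
    if (n > limit) return true;
  }
  return false;
}

/**
 * Post-parse fallback: recursively truncate any array longer than `limit`
 * in an object produced by a query-string parser. Useful where the parser
 * cannot yet be upgraded and the request was not rejected up front.
 */
function enforceArrayLimit(obj, limit) {
  if (Array.isArray(obj)) {
    return obj.slice(0, limit).map((v) => enforceArrayLimit(v, limit));
  }
  if (obj && typeof obj === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(obj)) out[k] = enforceArrayLimit(v, limit);
    return out;
  }
  return obj;
}

/**
 * Express-style middleware (assumed API): reject requests whose query string
 * carries too many array entries with 413 before any query parser runs.
 */
function arrayLimitGuard(limit) {
  return function (req, res, next) {
    const idx = req.url.indexOf('?');
    const query = idx === -1 ? '' : req.url.slice(idx + 1);
    if (exceedsArrayLimit(query, limit)) {
      res.status(413).send('too many array elements in query string');
      return;
    }
    next();
  };
}

// Constructed sample: 25 bracket-notation entries against a limit of 20.
const sample = Array.from({ length: 25 }, () => 'filters[]=x').join('&');
console.log('exceeds limit 20:', exceedsArrayLimit(sample, 20)); // true
```

Mount `arrayLimitGuard(20)` ahead of whatever parses `req.query`, and pick the limit to match the `arrayLimit` the application already passes to `qs.parse()` so legitimate requests are unaffected; the rejected requests are also a useful signal to log for detection.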