PT-2025-53805
Samipmainali · Published 2025-01-01 · Updated 2026-05-19
CVE-2025-15284
CVSS v2.0: 7.8 (High)
| Vector | AV:N/AC:L/Au:N/C:N/I:N/A:C |
Name of the Vulnerable Software and Affected Versions
qs versions prior to 6.14.1
Description
A flaw exists in the qs query-string parsing library: the arrayLimit option does not properly enforce its limit when bracket notation is used in query strings, leading to a potential HTTP Denial of Service (DoS). The arrayLimit option is only applied to indexed notation (e.g., a[0]=1); bracket notation (e.g., a[]=1) bypasses the check. This allows attackers to exhaust server memory by sending requests with a large number of array elements in bracket notation. The vulnerable code is located in lib/parse.js lines 159-162, where utils.combine([], leaf) is called without checking arrayLimit. An attacker can exploit this by sending a crafted HTTP request to an API endpoint such as /api/search with a query string containing numerous parameters in bracket notation, such as filters[]=x&filters[]=x&...&filters[]=x. The application then parses this query string with qs.parse() and a specified arrayLimit, but the library fails to enforce the limit, resulting in excessive memory consumption. The vulnerable parameter is the query string itself, specifically the values associated with array parameters such as filters.

Recommendations
Update qs to version 6.14.1 or later.
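Where upgrading is not immediately possible, the bracket-notation gap can be closed in front of the parser. The following is an added example, not code from the qs project or from this advisory: a pre-parse guard that counts array elements per key in the raw query string, treating bracket notation (filters[]=x) and indexed notation (filters[0]=x) alike, so a request can be rejected before qs.parse() allocates anything. The function names, the regular expression and the constructed sample query strings are assumptions of this example; the guard rejects over-limit input rather than mirroring qs's own arrayLimit semantics.

```javascript
// Count array elements per base key in a raw query string, before parsing.
// Handles "key[]" (bracket notation), "key[<digits>]" (indexed notation) and
// percent-encoded brackets such as "key%5B%5D". Nested prefixes like "a[b][]"
// are counted under the base "a[b]". Constructed example, not qs project code.
function countArrayElements(queryString) {
  const counts = new Map();
  const raw = queryString.startsWith('?') ? queryString.slice(1) : queryString;
  for (const pair of raw.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    let key;
    try {
      key = decodeURIComponent(rawKey.replace(/\+/g, ' '));
    } catch {
      key = rawKey; // malformed percent-encoding: fall back to the raw key
    }
    // Greedy prefix, then a trailing "[]" or "[<digits>]".
    const m = /^(.+)\[(\d*)\]$/.exec(key);
    if (!m) continue;
    const base = m[1];
    const entry = counts.get(base) || { bracket: 0, indexed: new Set() };
    if (m[2] === '') {
      entry.bracket += 1; // bracket notation: every occurrence is one more element
    } else {
      entry.indexed.add(Number(m[2])); // indexed notation: distinct indices only
    }
    counts.set(base, entry);
  }
  return counts;
}

// Return null when every array key fits within arrayLimit, otherwise the
// first base key whose element count exceeds the limit. A request handler
// would reject the request (e.g. HTTP 400) when this returns a key.
function findArrayLimitViolation(queryString, arrayLimit) {
  for (const [base, entry] of countArrayElements(queryString)) {
    const total = entry.bracket + entry.indexed.size;
    if (total > arrayLimit) return base;
  }
  return null;
}
```

Because the check works on the raw string, it costs O(length of the query string) and no nested arrays are built for input that will be rejected anyway.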
Fix
DoS
Memory Leak
RCE
Affected Products
Debian
Qs