CVE-2026-2391

Name of the Vulnerable Software and Affected Versions qs (affected versions not specified)

Description The arrayLimit option in the qs library does not correctly enforce limits when parsing comma-separated values with the comma option enabled. This allows attackers to potentially cause a denial-of-service (DoS) condition by exhausting memory resources. The issue arises because the limit check occurs after the comma-handling logic, enabling a bypass of the intended array size restriction. Specifically, the split(',') function returns the array immediately, skipping the subsequent limit check. An attacker can send a single parameter containing a large number of commas (e.g., ?param=,,,,,,,,...) to allocate a massive array in memory, bypassing the arrayLimit setting. The vulnerable code is located in lib/parse.js lines 40-50. The arrayLimit check is bypassed when the comma option is set to true.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.