Source: node-qs
Version: 6.13.0+ds+~6.9.16-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for node-qs.
CVE-2025-15284[0]:
| Improper Input Validation vulnerability in qs (parse modules) allows
| HTTP DoS. This issue affects qs: < 6.14.1.
|
| Summary
|
| The arrayLimit option in qs does not enforce limits for bracket notation
| (a[]=1&a[]=2), allowing attackers to cause denial-of-service via
| memory exhaustion. Applications using arrayLimit for DoS protection
| are vulnerable.
|
| Details
|
| The arrayLimit option only checks limits for indexed notation
| (a[0]=1&a[1]=2) but completely bypasses it for bracket notation
| (a[]=1&a[]=2).
|
| Vulnerable code (lib/parse.js:159-162):
|
|     if (root === '[]' && options.parseArrays) {
|         obj = utils.combine([], leaf); // No arrayLimit check
|     }
|
| Working code (lib/parse.js:175):
|
|     else if (index <= options.arrayLimit) { // Limit checked here
|         obj = [];
|         obj[index] = leaf;
|     }
|
| The bracket notation handler at line 159 uses utils.combine([], leaf)
| without validating against options.arrayLimit, while indexed notation
| at line 175 checks index <= options.arrayLimit before creating arrays.
|
| PoC
|
| Test 1 - Basic bypass:
|
|     npm install qs
|
|     const qs = require('qs');
|     const result = qs.parse('a[]=1&a[]=2&a[]=3&a[]=4&a[]=5&a[]=6', { arrayLimit: 5 });
|     console.log(result.a.length); // Output: 6 (should be max 5)
|
| Test 2 - DoS demonstration:
|
|     const qs = require('qs');
|     const attack = 'a[]=' + Array(10000).fill('x').join('&a[]=');
|     const result = qs.parse(attack, { arrayLimit: 100 });
|     console.log(result.a.length); // Output: 10000 (should be max 100)
|
| Configuration:
|
| * arrayLimit: 5 (test 1) or arrayLimit: 100 (test 2)
| * Use bracket notation: a[]=value (not indexed a[0]=value)
|
| Impact
|
| Denial of Service via memory exhaustion. Affects applications using
| qs.parse() with user-controlled input and arrayLimit for protection.
|
| Attack scenario:
|
| * Attacker sends HTTP request: GET
|   /api/search?filters[]=x&filters[]=x&...&filters[]=x (100,000+ times)
| * Application parses with qs.parse(query, { arrayLimit: 100 })
| * qs ignores limit, parses all 100,000 elements into array
| * Server memory exhausted → application crashes or becomes unresponsive
| * Service unavailable for all users
|
| Real-world impact:
|
| * Single malicious request can crash server
| * No authentication required
| * Easy to automate and scale
| * Affects any endpoint parsing query strings with bracket notation
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-15284
https://www.cve.org/CVERecord?id=CVE-2025-15284
[1] https://github.com/ljharb/qs/security/advisories/GHSA-6rw7-vpxm-498p
[2] https://github.com/ljharb/qs/commit/3086902ecf7f088d0d1803887643ac6c03d415b9
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
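Added example, not part of the bug report or of the qs project: a pre-parse guard that counts array-style values per key in the raw query string and rejects input over the limit before it reaches the parser, which is how an application can enforce arrayLimit for bracket notation on an unpatched qs. It goes slightly beyond the advisory's case by also handling indexed and percent-encoded keys; the names countArrayValues, findArrayLimitViolation and safeParse, and the `parse` callback, are assumptions of this example.

```javascript
// Added example (not from the advisory or from qs): count array-style values
// per key in a raw query string, so a limit can be enforced for bracket
// notation (a[]=v) as well as indexed notation (a[0]=v) before parsing.
// Counting is deliberately conservative: a[], a[0], a[1]... all add to key "a".
function countArrayValues(query) {
  const counts = new Map();
  const q = query.startsWith('?') ? query.slice(1) : query;
  for (const pair of q.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    let key;
    try {
      key = decodeURIComponent(rawKey.replace(/\+/g, ' ')); // a%5B%5D -> a[]
    } catch (e) {
      key = rawKey; // malformed percent-escape: fall back to the raw key
    }
    const m = key.match(/^(.+)\[(\d*)\]$/);
    if (!m) continue; // plain scalar key, not an array target
    counts.set(m[1], (counts.get(m[1]) || 0) + 1);
  }
  return counts;
}

// Returns { key, count } for the first key exceeding arrayLimit, else null.
function findArrayLimitViolation(query, arrayLimit) {
  for (const [key, count] of countArrayValues(query)) {
    if (count > arrayLimit) return { key, count };
  }
  return null;
}

// Hypothetical wrapper around whatever parser the application uses
// (e.g. require('qs').parse): reject oversized input before parsing it.
// The default of 20 mirrors qs's documented default arrayLimit.
function safeParse(query, parse, options) {
  const opts = options || {};
  const limit = opts.arrayLimit === undefined ? 20 : opts.arrayLimit;
  const v = findArrayLimitViolation(query, limit);
  if (v) {
    throw new Error(`key "${v.key}" has ${v.count} array values, limit is ${limit}`);
  }
  return parse(query, opts);
}
```

Rejecting before parsing keeps the memory cost bounded by the raw query length, which the web server already caps, rather than by the number of array elements qs would allocate.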
--
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel