Description
The arrayLimit option in qs does not enforce limits for comma-separated values when comma: true is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar to the bracket notation bypass addressed in GHSA-6rw7-vpxm-498p (CVE-2025-15284).
Recommendation
Update the qs package to the latest compatible version. Version details:
- Affected version(s): >= 6.7.0, <= 6.14.1
- Patched version(s): 6.14.2
References
Related Issues
- qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion - CVE-2025-15284
- Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution - CVE-2026-30939
- protobuf.js: Denial of service through unbounded protobuf recursion - CVE-2026-44289
- Nuxt OG Image is vulnerable to Denial of Service via unbounded image dimensions - CVE-2026-34404
Tags: npm, qs
Last updated on February 12, 2026


