Description
The arrayLimit option in qs does not enforce its limit on comma-separated values when the comma: true parsing option is enabled. A single parameter whose value contains a very large number of commas is therefore split into an unbounded array, allowing an attacker to cause denial of service via memory exhaustion. This is a bypass of the array-limit enforcement, analogous to the bracket-notation bypass addressed in GHSA-6rw7-vpxm-498p (CVE-2025-15284).
Recommendation
Update the qs package to the latest compatible version. The following are the version details:
- Affected version(s): >= 6.7.0, <= 6.14.1
- Patched version(s): 6.14.2
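The following is an added illustration of the bug class described above; it is not qs's source code and not the project's fix. The mini-parser, the option name limitCommaArrays and the helper exceedsCommaLimit are hypothetical names chosen for this example, and the payload is constructed for the demonstration. It shows why a limit that only guards bracket notation is bypassable once comma-splitting is a second way to build an array, what the hardened behaviour looks like, and a cheap pre-parse guard for deployments that cannot move to 6.14.2 immediately (run it on the raw query string before the parser, or before qs.parse in real code).

```javascript
// Illustrative mini query-string parser for the arrayLimit bypass class.
// NOT qs's code; option and function names are hypothetical.

const DEFAULT_ARRAY_LIMIT = 20; // qs's documented default is also 20

function decode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch { return s; }
}

// options.comma: split "a=1,2,3" into ['1','2','3'] (mirrors the qs option name)
// options.limitCommaArrays: hardened behaviour, applies arrayLimit to the comma path
function parseQuery(raw, options = {}) {
  const { comma = false, arrayLimit = DEFAULT_ARRAY_LIMIT, limitCommaArrays = false } = options;
  const out = Object.create(null);

  for (const pair of raw.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const key = decode(eq === -1 ? pair : pair.slice(0, eq));
    let value = decode(eq === -1 ? '' : pair.slice(eq + 1));

    if (comma && value.includes(',')) {
      const parts = value.split(',');
      // Vulnerable path: parts.length is unbounded, so a few megabytes of
      // "x,x,x,..." become one huge array. Hardened path: cap it like any other array.
      if (limitCommaArrays && parts.length > arrayLimit) {
        throw new RangeError(`arrayLimit of ${arrayLimit} exceeded for "${key}"`);
      }
      value = parts;
    }

    if (key.endsWith('[]')) {
      // Bracket notation: this path already honours arrayLimit. Once the
      // array reaches the limit it is converted to an index-keyed object.
      const base = key.slice(0, -2);
      let cur = out[base];
      if (cur === undefined) { out[base] = [value]; continue; }
      if (Array.isArray(cur) && cur.length < arrayLimit) { cur.push(value); continue; }
      if (Array.isArray(cur)) {
        cur = out[base] = Object.fromEntries(cur.map((v, i) => [String(i), v]));
      }
      cur[String(Object.keys(cur).length)] = value;
      continue;
    }
    out[key] = value;
  }
  return out;
}

// Pre-parse guard (hypothetical helper): true if any parameter value carries
// enough literal or percent-encoded commas to split into more than arrayLimit
// parts. Rejecting such requests up front keeps the oversized list away from
// the parser entirely.
function exceedsCommaLimit(raw, arrayLimit = DEFAULT_ARRAY_LIMIT) {
  for (const pair of raw.split('&')) {
    const eq = pair.indexOf('=');
    const value = eq === -1 ? '' : pair.slice(eq + 1);
    let commas = 0;
    for (let i = 0; i < value.length; i++) {
      if (value[i] === ',' || value.startsWith('%2C', i) || value.startsWith('%2c', i)) commas++;
      if (commas >= arrayLimit) return true; // commas + 1 parts > arrayLimit
    }
  }
  return false;
}

// Constructed demonstration payload: one parameter, 10,001 comma-separated items.
const PAYLOAD = 'a=' + Array.from({ length: 10001 }, () => 'x').join(',');

function demo() {
  const vulnerable = parseQuery(PAYLOAD, { comma: true }).a.length; // 10001 elements
  let hardened;
  try {
    parseQuery(PAYLOAD, { comma: true, limitCommaArrays: true });
    hardened = 'allowed';
  } catch (e) {
    hardened = e instanceof RangeError ? 'rejected' : 'error';
  }
  // Same item count via bracket notation never produces an array beyond the limit.
  const bracket = parseQuery(Array.from({ length: 10001 }, () => 'a[]=x').join('&'));
  return {
    vulnerable,
    hardened,
    guard: exceedsCommaLimit(PAYLOAD),
    bracketIsArray: Array.isArray(bracket.a),
    bracketEntries: Object.keys(bracket.a).length,
  };
}
```

The contrast is the whole point: the bracket path and the comma path both produce arrays, so any limit has to be applied at every array-producing site, not just one. The guard counts percent-encoded commas as well because the parser decodes before splitting.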
Related Issues
- qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion - CVE-2025-15284
- Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution - CVE-2026-30939
- Marked allows Regular Expression Denial of Service (ReDoS) attacks - CVE-2018-25110
- jsPDF Bypass Regular Expression Denial of Service (ReDoS) - CVE-2025-29907
Tags:
- npm
- qs
Last updated on February 12, 2026