qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion
- Severity: Medium
Description
The arrayLimit option in qs did not enforce limits for bracket notation (a[]=1&a[]=2), only for indexed notation (a[0]=1). This is a consistency bug; arrayLimit should apply uniformly across all array notations.
Note: The default parameterLimit of 1000 effectively mitigates the DoS scenario originally described.
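To make the two limits concrete, here is an added, constructed query-string parser (not qs's own source) that models the behaviour qs documents: parameterLimit caps how many pairs are parsed, and arrayLimit caps array growth, demoting to an index-keyed object beyond it; unlike the affected versions, it applies the cap to a[] and a[0] notation alike.

```javascript
// Constructed illustration of parameterLimit and arrayLimit; NOT qs's source.
// parameterLimit: pairs past the cap are discarded, never parsed.
// arrayLimit: an index above the cap demotes the array to a plain object keyed
// by index, so no array longer than arrayLimit + 1 is ever allocated.
// The cap is applied to bracket (a[]) and indexed (a[0]) notation alike.
const DEFAULTS = { parameterLimit: 1000, arrayLimit: 20 };

function parseArrays(query, options = {}) {
  const { parameterLimit, arrayLimit } = { ...DEFAULTS, ...options };
  const pairs = query.split('&').slice(0, parameterLimit);
  const result = {};
  const nextIndex = {}; // next free slot per key for bracket notation
  for (const pair of pairs) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const rawKey = decodeURIComponent(eq === -1 ? pair : pair.slice(0, eq));
    const value = eq === -1 ? '' : decodeURIComponent(pair.slice(eq + 1));
    const m = /^([^\[\]]+)\[(\d*)\]$/.exec(rawKey);
    if (!m) { result[rawKey] = value; continue; } // plain scalar key
    const [, key, idx] = m;
    // a[] takes the next free slot, a[N] takes N; both pass the same cap.
    const index = idx === '' ? (nextIndex[key] || 0) : Number(idx);
    if (idx === '') nextIndex[key] = index + 1;
    let target = result[key];
    if (target === undefined || typeof target !== 'object') {
      target = result[key] = []; // first element, or scalar replaced by array
    }
    if (Array.isArray(target) && index > arrayLimit) {
      // Demote: existing elements keep their index as an object key.
      target = result[key] = Object.assign({}, target);
    }
    target[index] = value;
  }
  return result;
}
```

With arrayLimit set to 1, `a[]=1&a[]=2&a[]=3` yields an object rather than an array, exactly as `a[21]=z` does under the default of 20.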
Recommendation
Update the qs package to the latest compatible version. Version details:
- Affected version(s): < 6.14.1
- Patched version(s): 6.14.1
References
Related Issues
- IPX Allows Path Traversal via Prefix Matching Bypass - CVE-2025-54387
- Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS - CVE-2026-2581
- Nuxt allows DOS via cache poisoning with payload rendering response - CVE-2025-27415
- qs's arrayLimit bypass in comma parsing allows denial of service - CVE-2026-2391
- Tags: npm, qs
Last updated on March 02, 2026