qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion
- Severity: High
Description
The arrayLimit option in qs (default 20) caps explicit array indices: a pair such as a[21]=x is parsed into an object keyed by "21" instead of extending the array. Before 6.14.1 this limit was not applied to bracket (push) notation, so repeated a[]=1&a[]=2&... pairs keep appending elements without bound. An attacker who can submit a query string or URL-encoded body can therefore force qs to build arbitrarily large arrays, causing denial of service through memory exhaustion. Applications that rely on arrayLimit to bound the size of parsed arrays are affected. The number of pairs an attacker can send is still capped by parameterLimit (default 1000) and by any request body size limit the server applies, so exposure is greatest where those limits have been raised or disabled.
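The following added example is not part of this advisory or of the qs project. It shows the shape of the bypass payload described above and a pre-parse guard that counts bracket-notation pushes per key on the raw query string, so the cap holds regardless of which qs version ends up parsing it. The function names, the parse callback argument and the default limit of 20 (qs's default arrayLimit) are assumptions made for the example.

```javascript
// Added example, not qs project code. Assumes a Node.js runtime and that the
// guard runs on the raw query string before it is handed to a parser such as
// require('qs').parse.

// Build a query string that pushes `count` elements into one array using the
// bracket notation the advisory describes: a[]=0&a[]=1&a[]=2...
function buildBracketPayload(key, count) {
  const parts = new Array(count);
  for (let i = 0; i < count; i++) parts[i] = `${key}[]=${i}`;
  return parts.join('&');
}

// Count pushes per push target in a raw query string. The target is the key
// up to and including its first "[]" (a[][b] and a[] both push onto a[]).
// Keys are URL-decoded so a%5B%5D and a[] are counted together.
function countBracketPushes(query) {
  const counts = new Map();
  for (const pair of query.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    let key;
    try {
      key = decodeURIComponent(rawKey.replace(/\+/g, ' '));
    } catch {
      key = rawKey; // malformed percent-encoding: count the literal key
    }
    const idx = key.indexOf('[]');
    if (idx === -1) continue;
    const target = key.slice(0, idx + 2);
    counts.set(target, (counts.get(target) || 0) + 1);
  }
  return counts;
}

// Return { key, count } for the first push target whose count exceeds
// arrayLimit, or null when the query is within bounds.
function findBracketArrayOverflow(query, arrayLimit = 20) {
  for (const [key, count] of countBracketPushes(query)) {
    if (count > arrayLimit) return { key, count };
  }
  return null;
}

// Guarded parse: reject oversized bracket arrays before any array is built,
// then delegate to the supplied parser with the same arrayLimit.
function parseWithBracketLimit(parse, query, arrayLimit = 20) {
  const overflow = findBracketArrayOverflow(query, arrayLimit);
  if (overflow) {
    throw new RangeError(
      `array limit exceeded for ${overflow.key}: ${overflow.count} > ${arrayLimit}`
    );
  }
  return parse(query, { arrayLimit });
}
```

In an application the guard would wrap the real parser, for example `parseWithBracketLimit(require('qs').parse, req.url.split('?')[1] || '', 20)`, and a rejected request would be answered with a 4xx before the body is materialised. The guard deliberately over-counts (every pair whose key contains `[]` counts against its push target), which is the safe direction for a denial-of-service control.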
Recommendation
Update the qs package to the latest compatible version. Version details:
- Affected version(s): < 6.14.1
- Patched version(s): 6.14.1
Related Issues
- tarteaucitron.js has Regular Expression Denial of Service (ReDoS) vulnerability - CVE-2026-22809
- Mermaid does not properly sanitize architecture diagram iconText leading to XSS - CVE-2025-54880
- qs vulnerable to Prototype Pollution - CVE-2022-24999
- PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF - CVE-2024-4367
- Tags: npm, qs
Last updated on December 30, 2025