CVE-2025-15284
Denial of Service (DoS) vulnerability in qs (npm)
What is CVE-2025-15284 About?
This Denial of Service (DoS) vulnerability in the 'qs' library, specifically when using `arrayLimit` with bracket notation (`a[]=1`), allows attackers to bypass array size limits. This can lead to memory exhaustion and application crashes. The vulnerability is easy to exploit by crafting malicious query strings.
Affected Software
Technical Details
The vulnerability exists in the qs library (versions where arrayLimit does not apply to bracket notation) and is a Denial of Service via memory exhaustion. The arrayLimit option is designed to protect against excessively large arrays parsed from query strings. However, the implementation incorrectly applies this limit only to indexed notation (e.g., a[0]=1&a[1]=2) and completely bypasses it for bracket notation (e.g., a[]=1&a[]=2).

Specifically, the code path handling bracket notation at lib/parse.js:159-162 uses utils.combine([], leaf) without checking options.arrayLimit, while the indexed notation path at lib/parse.js:175 explicitly checks index <= options.arrayLimit.

An attacker can send an HTTP request with a query string containing a very large number of elements using bracket notation (e.g., filters[]=x&filters[]=x&...). The qs.parse() function will then parse all these elements into an array, ignoring the configured arrayLimit, consuming excessive memory on the server. This leads to memory exhaustion, causing the application to crash or become unresponsive, resulting in a denial of service.
What is the Impact of CVE-2025-15284?
Successful exploitation may allow attackers to cause a denial-of-service via memory exhaustion, leading to application crashes or unresponsiveness.
What is the Exploitability of CVE-2025-15284?
Exploitation of this Denial of Service vulnerability is of low complexity. It requires remote access if the vulnerable qs.parse() function is used on user-controlled input, such as query strings in HTTP requests. No authentication is required, as the attack typically targets a public-facing API endpoint. The main prerequisite is that the application uses the qs library and relies on the arrayLimit option for DoS protection, but processes query parameters with bracket notation. The attacker simply needs to construct a query string with an extremely large number of elements using the a[]= format. There are no special conditions or constraints beyond the input format, making it easy to automate. Risk factors include any web application or API that uses qs.parse() with an arrayLimit option on potentially untrusted input.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2025-15284?
About the Fix from Resolved Security
This patch modifies how the query parsing logic handles exceeding the configured arrayLimit: instead of continuing to build an array (which allowed attackers to create very large arrays and trigger a denial of service), it switches to using plain objects with numeric keys once the limit is reached, tracking "overflow" objects with a side channel to avoid further allocations and preserve values. This mitigates CVE-2025-15284 by preventing resource exhaustion attacks related to unbounded array growth in qs.parse(), enforcing strict memory usage regardless of the number of submitted parameters.
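To make the bypass in the Technical Details section and the shape of the fix described above concrete, here is an added example. It is not qs's code and not the upstream patch: it is a simplified, self-contained re-implementation of two defender-side pieces. `exceedsArrayLimit` is a cheap pre-parse guard that counts array elements per key in a raw query string under both bracket and indexed notation (going slightly beyond the page, which only discusses the bracket form as the bypass), so an application can reject a request before handing it to a parser whose limit may not cover that form. `parseWithLimit` is a minimal parser that applies the limit to both notations and, once a key's array reaches the limit, switches that value to a plain object keyed by index so the array itself never grows further. The function names, the default limit of 20 and the "at most arrayLimit array elements" rule are assumptions made for this example, not qs's documented behaviour.

```javascript
// Added illustration (not qs's own code and not the upstream patch): a pre-parse
// guard that counts array elements per key, and a minimal parser that applies an
// arrayLimit to both bracket ("a[]=1") and indexed ("a[0]=1") notation.
// The names, the default limit and the "at most arrayLimit elements" rule are
// assumptions chosen for this example.

const DEFAULT_ARRAY_LIMIT = 20; // assumed default for this example only

// Decode a percent-encoded component, falling back to the raw text on malformed input.
function safeDecode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch (e) { return s; }
}

// Split "k1=v1&k2=v2" into [key, value] pairs without interpreting brackets.
function splitPairs(query) {
  return query.split('&').filter(Boolean).map((part) => {
    const eq = part.indexOf('=');
    const rawKey = eq === -1 ? part : part.slice(0, eq);
    const rawVal = eq === -1 ? '' : part.slice(eq + 1);
    return [safeDecode(rawKey), safeDecode(rawVal)];
  });
}

// Matches "base[]" (bracket notation) or "base[12]" (indexed notation).
const ARRAY_KEY = /^([^\[\]]+)\[(\d*)\]$/;

// Count how many values each base key receives through either array notation.
// This is a cheap check a server can run before handing the string to a parser.
function arrayElementCounts(query) {
  const counts = new Map();
  for (const [key] of splitPairs(query)) {
    const m = ARRAY_KEY.exec(key);
    if (m) counts.set(m[1], (counts.get(m[1]) || 0) + 1);
  }
  return counts;
}

// True if any key would receive more than arrayLimit array elements.
function exceedsArrayLimit(query, arrayLimit = DEFAULT_ARRAY_LIMIT) {
  for (const n of arrayElementCounts(query).values()) {
    if (n > arrayLimit) return true;
  }
  return false;
}

// Minimal parser: a key's value stays an array while it holds fewer than
// arrayLimit elements; once the limit is reached the value is converted to a
// plain object keyed by index, so the array never grows past the limit.
// The fix description gives this "switch to an object" shape; this is a
// simplified re-implementation, not the qs patch.
function parseWithLimit(query, arrayLimit = DEFAULT_ARRAY_LIMIT) {
  const result = {};
  for (const [key, value] of splitPairs(query)) {
    const m = ARRAY_KEY.exec(key);
    if (!m) { result[key] = value; continue; }
    const [, base, idx] = m;
    if (!(base in result) || typeof result[base] !== 'object') result[base] = [];
    let container = result[base];
    // bracket notation appends at the next free slot; indexed notation uses the given index
    const index = idx === '' ? Object.keys(container).length : Number(idx);
    if (Array.isArray(container) && index >= arrayLimit) {
      container = Object.assign({}, container); // same values, no further array growth
      result[base] = container;
    }
    container[index] = value;
  }
  return result;
}

// Demonstration on a constructed hostile query string (1000 bracket elements).
function demo() {
  const hostile = Array.from({ length: 1000 }, () => 'filters[]=x').join('&');
  const parsed = parseWithLimit(hostile, 20);
  return {
    rejectedByGuard: exceedsArrayLimit(hostile, 20),
    stillAnArray: Array.isArray(parsed.filters),
    valuesKept: Object.keys(parsed.filters).length,
  };
}

console.log(demo()); // { rejectedByGuard: true, stillAnArray: false, valuesKept: 1000 }
```

The guard is the part worth wiring in front of any query-string parser whose limit semantics you have not verified against bracket notation; the parser shows why applying the limit only on the indexed path leaves the bracket path unbounded, and what "limit reached, stop growing the array" looks like in code.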
Available Upgrade Options
- qs
- <6.14.1 → Upgrade to 6.14.1
Additional Resources
- https://github.com/ljharb/qs/commit/3086902ecf7f088d0d1803887643ac6c03d415b9
- https://osv.dev/vulnerability/GHSA-6rw7-vpxm-498p
- https://nvd.nist.gov/vuln/detail/CVE-2025-15284
- https://github.com/ljharb/qs/security/advisories/GHSA-6rw7-vpxm-498p
- https://github.com/ljharb/qs
What are Similar Vulnerabilities to CVE-2025-15284?
Similar Vulnerabilities: CVE-2018-16469, CVE-2020-28280, CVE-2021-23382, CVE-2021-3807, CVE-2022-25911
