CVE-2025-15284 describes a Denial of Service (DoS) vulnerability within the qs Node.js package. This issue arises from inconsistent enforcement of array limits in bracket notation, potentially allowing attackers to overwhelm server resources. The vulnerability affects versions of qs prior to 6.14.1, but the default parameterLimit of 1000 provides some mitigation. A fix has been released in version 6.14.1.
The vulnerability lies in the qs package's handling of array parameters in URL query strings. Specifically, the arrayLimit option, intended to restrict the size of arrays parsed from query parameters, was not applied consistently to both indexed (a[0]=1) and bracket (a[]=1&a[]=2) notations. While the default parameterLimit of 1000 bounds the total number of parameters, an attacker could in principle craft a query string that exploits this inconsistency to consume excessive server resources, leading to a denial of service. The default parameter limit reduces the impact, but applications that rely on arrayLimit as their array size control are more exposed.
This CVE has a LOW CVSS score and is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available. The vulnerability's impact is mitigated by the default parameterLimit in the qs package, reducing the likelihood of active exploitation. The vulnerability was published on 2025-12-30.
EPSS: 0.06% (19th percentile)
The primary mitigation for CVE-2025-15284 is to upgrade the qs package to version 6.14.1 or later. This version includes the corrected handling of array limits. If upgrading is not immediately feasible, consider implementing stricter parameter limits within your application code to prevent excessive query string sizes. Additionally, configure your web server or reverse proxy to enforce request size limits, further reducing the potential for resource exhaustion. No specific Sigma or YARA rules are readily available for this vulnerability.
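One way to apply the "stricter parameter limits within your application code" mitigation is a pre-parse guard that enforces a single array-entry limit on both notations before the query string ever reaches qs.parse(). This is an added example, not code from the qs project; the function names, the 1000/20 defaults (matching the qs defaults for parameterLimit and arrayLimit) and the `parse` callback are assumptions.

```javascript
// Added example (not qs's own code): reject over-limit query strings before parsing.
// Defaults mirror qs's documented parameterLimit (1000) and arrayLimit (20).
const DEFAULTS = { parameterLimit: 1000, arrayLimit: 20 };

// Split a key into its array base and optional numeric index, so that
// "a[]", "a[0]" and "a[7]" all count toward the same bucket "a".
// Returns null for keys that are not array notation (e.g. "a" or "a[b]").
function arrayBase(key) {
  const m = /^(.*)\[(\d*)\]$/.exec(key);
  return m ? { base: m[1], index: m[2] === '' ? null : Number(m[2]) } : null;
}

// Returns { ok: true } or { ok: false, reason } without decoding any values.
function checkQueryLimits(query, opts = {}) {
  const { parameterLimit, arrayLimit } = { ...DEFAULTS, ...opts };
  const raw = query.startsWith('?') ? query.slice(1) : query;
  const parts = raw === '' ? [] : raw.split('&');
  if (parts.length > parameterLimit) {
    return { ok: false, reason: `parameterLimit ${parameterLimit} exceeded (${parts.length})` };
  }
  const counts = new Map(); // base key -> number of array entries seen
  for (const part of parts) {
    const eq = part.indexOf('=');
    let key = eq === -1 ? part : part.slice(0, eq);
    try { key = decodeURIComponent(key.replace(/\+/g, ' ')); } catch { /* keep raw key */ }
    const arr = arrayBase(key);
    if (arr === null) continue;
    // Indexed notation: an explicit index above arrayLimit is rejected outright.
    if (arr.index !== null && arr.index > arrayLimit) {
      return { ok: false, reason: `index ${arr.index} exceeds arrayLimit ${arrayLimit} for "${arr.base}"` };
    }
    // Both notations: the number of entries per array is capped the same way.
    const n = (counts.get(arr.base) || 0) + 1;
    counts.set(arr.base, n);
    if (n > arrayLimit) {
      return { ok: false, reason: `arrayLimit ${arrayLimit} exceeded for "${arr.base}" (${n} entries)` };
    }
  }
  return { ok: true };
}

// Hypothetical wrapper: run the guard, then hand the string to the real parser
// (for example qs.parse) only if it passed.
function guardedParse(query, parse, opts) {
  const verdict = checkQueryLimits(query, opts);
  if (!verdict.ok) throw new Error(`rejected query: ${verdict.reason}`);
  return parse(query);
}
```

The guard counts raw `&`-separated parts, so it is deliberately conservative: it rejects some strings qs would parse, and never lets through anything above the configured limits.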
Update the qs library to version 6.14.1 or higher. This fixes the improper input validation behind the vulnerability. Run `npm install qs@latest` or `yarn add qs@latest` to update.
CVE-2025-15284 is a denial-of-service vulnerability in the qs Node.js package, arising from inconsistent array limit enforcement in URL query strings. Versions prior to 6.14.1 are affected.
You are affected if you are using a version of the qs Node.js package prior to 6.14.1. The default parameter limit provides some mitigation, but stricter array size controls are recommended.
Upgrade the qs package to version 6.14.1 or later. If upgrading is not possible, implement stricter parameter limits in your application code and configure web server request size limits.
There is no confirmed active exploitation of CVE-2025-15284 at this time. Public proof-of-concept exploits are not widely available.
Refer to the qs package's release notes and GitHub repository for the official advisory and details on the fix: [https://github.com/node-qs/qs](https://github.com/node-qs/qs)