Platform
nodejs
Component
qs
Fixed version
6.14.2
6.14.1
CVE-2025-15284 describes a Denial of Service (DoS) vulnerability within the qs Node.js package. This issue arises from inconsistent enforcement of array limits in bracket notation, potentially allowing attackers to overwhelm server resources. The vulnerability affects versions of qs prior to 6.14.1, but the default parameterLimit of 1000 provides some mitigation. A fix has been released in version 6.14.1.
The vulnerability lies in the qs package's handling of array parameters in URL query strings. Specifically, the arrayLimit option, intended to restrict the size of arrays parsed from query parameters, was not consistently applied to both indexed (a[0]=1) and bracket (a[]=1&a[]=2) notations. While the default parameterLimit of 1000 effectively limits the overall number of parameters, an attacker could theoretically craft a malicious query string exploiting this inconsistency to consume excessive server resources, leading to a denial of service. The impact is reduced by the default parameter limit, but applications relying on stricter array size controls are more vulnerable.
This CVE has a LOW CVSS score and is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available. The vulnerability's impact is mitigated by the default parameterLimit in the qs package, reducing the likelihood of active exploitation. The vulnerability was published on 2025-12-30.
Applications built with Node.js that utilize the qs package for parsing URL query strings are at risk. This includes web applications, APIs, and backend services that rely on qs for request processing. Specifically, applications that have explicitly disabled or modified the default parameterLimit are more vulnerable.
• nodejs / server:
npm list qs
This command lists the installed version of the qs package. Compare the version with the affected range (prior to 6.14.1).
• nodejs / server:
npm audit qs --audit-level=high
This command checks for known vulnerabilities in the qs package and suggests remediation steps.
• generic web:
Review application logs for unusually large or complex query strings, particularly those utilizing bracket notation for array parameters. Look for patterns that might indicate an attempt to exploit the inconsistent array limit handling.
disclosure
Exploitation status
EPSS
0.06% (19th percentile)
The primary mitigation for CVE-2025-15284 is to upgrade the qs package to version 6.14.1 or later. This version includes the corrected handling of array limits. If upgrading is not immediately feasible, consider implementing stricter parameter limits within your application code to prevent excessive query string sizes. Additionally, configure your web server or reverse proxy to enforce request size limits, further reducing the potential for resource exhaustion. No specific Sigma or YARA rules are readily available for this vulnerability.
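One way to apply the stricter application-side limits mentioned above, as an added example that is not code from the qs project or this advisory: a pre-parse guard that counts array elements under both the indexed and the bracket notation and rejects a request that exceeds a chosen arrayLimit or parameterLimit before the query string reaches the parser. The function names and the default values are this example's assumptions; only the option names mirror qs's.

```javascript
// Added example (not code from the qs project): a pre-parse guard that
// applies one array size limit to both notations named in the advisory,
// indexed (a[0]=1) and bracket (a[]=1&a[]=2). Option names arrayLimit and
// parameterLimit mirror qs's; the function names and defaults are this
// example's own choices.

function queryStringStats(rawQuery, { parameterLimit = 1000 } = {}) {
  // Split into key=value pairs the way a query-string parser would.
  const pairs = rawQuery.replace(/^\?/, '').split('&').filter(Boolean);
  const perKey = new Map();
  // Only the first parameterLimit pairs are inspected; the total is still
  // reported so callers can reject an oversized request outright.
  for (const pair of pairs.slice(0, parameterLimit)) {
    const rawKey = pair.split('=', 1)[0];
    let key;
    try { key = decodeURIComponent(rawKey); } catch { key = rawKey; }
    // "a[]" and "a[3]" both count against the same base key "a".
    const m = /^([^[]+)\[(\d*)\]$/.exec(key);
    if (!m) continue;
    const entry = perKey.get(m[1]) || { count: 0, maxIndex: -1 };
    entry.count += 1;
    if (m[2] !== '') entry.maxIndex = Math.max(entry.maxIndex, Number(m[2]));
    perKey.set(m[1], entry);
  }
  let largest = 0;
  for (const { count, maxIndex } of perKey.values()) {
    // An explicit index implies an array at least that large, even if sparse.
    largest = Math.max(largest, count, maxIndex + 1);
  }
  return { totalParams: pairs.length, largestArray: largest };
}

function checkQueryLimits(rawQuery, { arrayLimit = 20, parameterLimit = 1000 } = {}) {
  const stats = queryStringStats(rawQuery, { parameterLimit });
  if (stats.totalParams > parameterLimit) {
    return { ok: false, reason: `too many parameters: ${stats.totalParams}` };
  }
  if (stats.largestArray > arrayLimit) {
    return { ok: false, reason: `array exceeds arrayLimit: ${stats.largestArray}` };
  }
  return { ok: true, reason: null };
}

// Constructed sample inputs: a benign request and one whose bracket-notation
// array is larger than the configured arrayLimit.
const benign = 'ids[]=1&ids[]=2&ids[]=3&page=2';
const oversized = Array.from({ length: 25 }, (_, i) => `ids[]=${i}`).join('&');
console.log(checkQueryLimits(benign), checkQueryLimits(oversized));
```

Run the check on the raw query string in middleware, before the framework hands the request to qs, so a rejected request never reaches the parser.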
Update the qs library to version 6.14.1 or later. This fixes the improper input validation vulnerability. Run `npm install qs@latest` or `yarn add qs@latest` to update.
CVE-2025-15284 is a denial-of-service vulnerability in the qs Node.js package, arising from inconsistent array limit enforcement in URL query strings. Versions prior to 6.14.1 are affected.
You are affected if you are using a version of the qs Node.js package prior to 6.14.1. The default parameter limit provides some mitigation, but stricter array size controls are recommended.
Upgrade the qs package to version 6.14.1 or later. If upgrading is not possible, implement stricter parameter limits in your application code and configure web server request size limits.
There is no confirmed active exploitation of CVE-2025-15284 at this time. Public proof-of-concept exploits are not widely available.
Refer to the qs package's release notes and GitHub repository for the official advisory and details on the fix: [https://github.com/node-qs/qs](https://github.com/node-qs/qs)