CVE-2025-15284 describes a Denial of Service (DoS) vulnerability in the qs Node.js package. The arrayLimit option is not enforced consistently across the two array notations, so a crafted query string can make the parser build arrays larger than the configured limit. Versions of qs prior to 6.14.1 are affected; the default parameterLimit of 1000 bounds how many parameters, and therefore how many array elements, a single query string can contribute. A fix has been released in version 6.14.1.
The vulnerability lies in how qs parses array parameters in URL query strings. The arrayLimit option (default 20) is meant to cap the size of arrays built from query parameters, but it was enforced for indexed notation (a[0]=1) and not for bracket notation (a[]=1&a[]=2). With the default parameterLimit of 1000 the total number of parsed parameters is still bounded, so a bracket-notation array can grow to roughly 1000 elements rather than 20; an attacker can therefore make the parser do more work and allocate more memory per request than arrayLimit was supposed to allow. Applications that raise or disable parameterLimit, or that rely on arrayLimit alone to bound array size (for example before passing the array to a database query or a per-element loop), are more exposed.
This CVE has a LOW CVSS score and is not currently listed in the CISA KEV catalog. No public proof-of-concept exploits are widely available. The default parameterLimit in qs bounds the impact, which reduces the likelihood of active exploitation. The vulnerability was published on 2025-12-30.
Node.js applications that use the qs package to parse URL query strings are at risk. This includes web applications, APIs and backend services that parse request query strings with qs, whether they depend on it directly or pull it in transitively through a web framework or HTTP client. Applications that have raised or disabled the default parameterLimit are more exposed.
• nodejs / server:
npm list qs
Lists every installed copy of qs, including nested copies pulled in by other dependencies. Compare each version with the affected range (prior to 6.14.1).
• nodejs / server:
npm audit
Checks the installed dependency tree against the npm advisory database and suggests remediation steps. The --audit-level flag only sets the severity threshold for a non-zero exit code; because this CVE is rated low, `npm audit --audit-level=high` would still print the finding but would not fail a CI job on it.
• generic web:
Review web server and application access logs for unusually long query strings, particularly ones that repeat the same bracket-notation key many times (for example ids[]=... dozens or hundreds of times in one request). Counting repetitions of the same array key per request is a cheap indicator of an attempt to exploit the inconsistent array limit handling.
EPSS: 0.06% (19th percentile)
The primary mitigation for CVE-2025-15284 is to upgrade the qs package to version 6.14.1 or later, which enforces array limits consistently for both notations. If upgrading is not immediately feasible, enforce stricter limits in your application code before the query string reaches qs: lower parameterLimit where the application can tolerate it, and reject requests whose query string repeats the same array key more times than your intended arrayLimit, counting bracket and indexed forms alike. Additionally, configure your web server or reverse proxy to enforce request URI and header size limits, which caps the size of any query string that reaches the parser. No specific Sigma or YARA rules are readily available for this vulnerability.
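The application-level limit and the log review described above can share one piece of logic: count array-style parameters per key in the raw query string, independently of how qs parses it. The following is an added example, not code from the qs project or the original advisory; it assumes qs's documented defaults (arrayLimit 20, parameterLimit 1000) as the thresholds, treats `ids[]`, `ids[3]` and their percent-encoded forms as the same array key, and runs the same check over constructed access-log lines in combined log format. The helper names (`analyzeQuery`, `scanLogLines`, `buildArrayQuery`) are hypothetical.

```javascript
'use strict';

// Added example; not code from the qs project or the original advisory.
// A pre-parse guard that counts array-style parameters in a raw query string
// and rejects requests that exceed a per-key array limit or an overall
// parameter limit, whether the client used indexed (ids[0]=1) or bracket
// (ids[]=1) notation. It does not use qs, so the limits hold regardless of
// how the installed qs version applies arrayLimit. The defaults below mirror
// qs's documented defaults (arrayLimit 20, parameterLimit 1000).
const DEFAULT_LIMITS = { arrayLimit: 20, parameterLimit: 1000 };

// Split on '&' the way qs does, dropping empty segments and a leading '?'.
function splitPairs(query) {
  const q = query.startsWith('?') ? query.slice(1) : query;
  return q === '' ? [] : q.split('&').filter((p) => p.length > 0);
}

// Percent-decode a key so "ids%5B%5D" and "ids[]" are counted together.
function decodeKey(rawKey) {
  try {
    return decodeURIComponent(rawKey.replace(/\+/g, ' '));
  } catch (_) {
    return rawKey; // malformed encoding still counts as one parameter
  }
}

// Base name of an array-notation key: "ids[]" and "ids[3]" -> "ids",
// "f[a][]" -> "f[a]"; object notation such as "f[a]" returns null.
function arrayBase(key) {
  const m = /^(.*)\[\d*\]$/.exec(key);
  return m ? m[1] : null;
}

// Evaluate one raw query string against the limits.
// Returns { ok, reason, parameterCount, arrayCounts }.
function analyzeQuery(query, limits = DEFAULT_LIMITS) {
  const pairs = splitPairs(query);
  const arrayCounts = {};
  for (const pair of pairs) {
    const eq = pair.indexOf('=');
    const base = arrayBase(decodeKey(eq === -1 ? pair : pair.slice(0, eq)));
    if (base !== null) arrayCounts[base] = (arrayCounts[base] || 0) + 1;
  }
  const result = { ok: true, reason: null, parameterCount: pairs.length, arrayCounts };
  if (pairs.length > limits.parameterLimit) {
    return { ...result, ok: false, reason: 'parameterLimit' };
  }
  for (const [base, n] of Object.entries(arrayCounts)) {
    if (n > limits.arrayLimit) return { ...result, ok: false, reason: `arrayLimit:${base}` };
  }
  return result;
}

// Build an attacker-style query string with `count` elements for `name`,
// in bracket ("name[]=") or indexed ("name[i]=") notation.
function buildArrayQuery(name, count, indexed = false) {
  const parts = [];
  for (let i = 0; i < count; i++) parts.push(indexed ? `${name}[${i}]=${i}` : `${name}[]=${i}`);
  return parts.join('&');
}

// Detection over access-log lines in Apache/nginx combined format:
// extract the request target and run analyzeQuery on its query string.
const REQUEST_LINE = /"(?:GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS) ([^ "]+) HTTP\/[0-9.]+"/;

function scanLogLines(lines, limits = DEFAULT_LIMITS) {
  const findings = [];
  lines.forEach((line, i) => {
    const m = REQUEST_LINE.exec(line);
    if (!m) return;
    const q = m[1].indexOf('?');
    if (q === -1) return;
    const verdict = analyzeQuery(m[1].slice(q + 1), limits);
    if (!verdict.ok) {
      findings.push({ line: i + 1, path: m[1].slice(0, q), reason: verdict.reason, parameterCount: verdict.parameterCount });
    }
  });
  return findings;
}

// Constructed sample log lines (not real traffic): a benign request, then
// the same oversized array in bracket and in indexed notation.
const SAMPLE_LOG = [
  '203.0.113.5 - - [30/Dec/2025:10:00:01 +0000] "GET /search?q=qs&page=2 HTTP/1.1" 200 512',
  `203.0.113.9 - - [30/Dec/2025:10:00:02 +0000] "GET /api/items?${buildArrayQuery('ids', 25)} HTTP/1.1" 200 1024`,
  `203.0.113.9 - - [30/Dec/2025:10:00:03 +0000] "GET /api/items?${buildArrayQuery('ids', 25, true)} HTTP/1.1" 200 1024`,
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(analyzeQuery('ids[]=1&ids[]=2'));
  for (const f of scanLogLines(SAMPLE_LOG)) {
    console.log(`line ${f.line}: ${f.path} rejected (${f.reason}, ${f.parameterCount} params)`);
  }
}
```

Wire `analyzeQuery` into a middleware that runs before the framework's query parser and returns 400 on `ok === false`; the same function applied to historical logs via `scanLogLines` gives the per-key repetition count that the log review step above asks for. The guard is stricter than qs itself (qs turns indexed entries beyond arrayLimit into object keys rather than rejecting them), which is the intended trade-off while the vulnerable version is still installed.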
Update the qs library to version 6.14.1 or later; this fixes the input validation flaw. Run `npm install qs@latest` or `yarn add qs@latest` to update a direct dependency. If qs is only a transitive dependency (a common case, since several web frameworks and HTTP clients depend on it), those commands do not change the nested copy: add an `overrides` entry in package.json (or `resolutions` for Yarn) pinning qs to 6.14.1 or later, reinstall, and confirm with `npm list qs` that no affected copy remains.
CVE-2025-15284 is a denial-of-service vulnerability in the qs Node.js package, arising from inconsistent array limit enforcement in URL query strings. Versions prior to 6.14.1 are affected.
You are affected if you use any version of the qs Node.js package prior to 6.14.1, directly or as a transitive dependency. The default parameterLimit bounds the impact, but do not rely on arrayLimit alone to bound array sizes until you have upgraded.
Upgrade the qs package to version 6.14.1 or later. If upgrading is not possible, implement stricter parameter limits in your application code and configure web server request size limits.
There is no confirmed active exploitation of CVE-2025-15284 at this time. Public proof-of-concept exploits are not widely available.
Refer to the qs package's release notes and GitHub repository for the official advisory and details on the fix: [https://github.com/node-qs/qs](https://github.com/node-qs/qs)