Skip to content

chore(deps): pin dependency qs to 6.6.3 [security]#340

Open
svc-secops wants to merge 1 commit intomasterfrom
renovate/npm-qs-vulnerability
Open

chore(deps): pin dependency qs to 6.6.3 [security]#340
svc-secops wants to merge 1 commit intomasterfrom
renovate/npm-qs-vulnerability

Conversation

@svc-secops
Copy link
Contributor

@svc-secops svc-secops commented Jan 2, 2026
edited
Loading

This PR contains the following updates:

Package Type Update Change
qs devDependencies pin 6.6.x -> 6.6.3

GitHub Vulnerability Alerts

CVE-2025-15284

Summary

The arrayLimit option in qs did not enforce limits for bracket notation (a[]=1&a[]=2), only for indexed notation (a[0]=1). This is a consistency bug; arrayLimit should apply uniformly across all array notations.

Note: The default parameterLimit of 1000 effectively mitigates the DoS scenario originally described. With default options, bracket notation cannot produce arrays larger than parameterLimit regardless of arrayLimit, because each a[]=value consumes one parameter slot. The severity has been reduced accordingly.

Details

The arrayLimit option only checked limits for indexed notation (a[0]=1&a[1]=2) but did not enforce it for bracket notation (a[]=1&a[]=2).

Vulnerable code (lib/parse.js:159-162):

if (root === '[]' && options.parseArrays) {
    obj = utils.combine([], leaf);  // No arrayLimit check
}

Working code (lib/parse.js:175):

else if (index <= options.arrayLimit) {  // Limit checked here
    obj = [];
    obj[index] = leaf;
}

The bracket notation handler at line 159 uses utils.combine([], leaf) without validating against options.arrayLimit, while indexed notation at line 175 checks index <= options.arrayLimit before creating arrays.

PoC

const qs = require('qs');
const result = qs.parse('a[]=1&a[]=2&a[]=3&a[]=4&a[]=5&a[]=6', { arrayLimit: 5 });
console.log(result.a.length);  // Output: 6 (should be max 5)

Note on parameterLimit interaction: The original advisory's "DoS demonstration" claimed a length of 10,000, but parameterLimit (default: 1000) caps parsing to 1,000 parameters. With default options, the actual output is 1,000, not 10,000.

Impact

Consistency bug in arrayLimit enforcement. With default parameterLimit, the practical DoS risk is negligible since parameterLimit already caps the total number of parsed parameters (and thus array elements from bracket notation). The risk increases only when parameterLimit is explicitly set to a very high value.

Add the preset :preserveSemverRanges to your config if you don't want to pin your dependencies.

Configuration

📅 Schedule: Branch creation - "" in timezone America/Los_Angeles, Automerge - "after 8am and before 4pm on tuesday" in timezone America/Los_Angeles.

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Renovate Bot.

@svc-secops svc-secops requested a review from fbartho January 2, 2026 12:41
@svc-secops svc-secops changed the title chore(deps): pin dependency qs to 6.6.1 [security] chore(deps): pin dependency qs to 6.6.3 [security] Feb 13, 2026
@svc-secops svc-secops force-pushed the renovate/npm-qs-vulnerability branch from 1d3fbd5 to 64062a2 Compare February 13, 2026 12:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@fbartho fbartho Awaiting requested review from fbartho

At least 1 approving review is required to merge this pull request.

Assignees

@fbartho fbartho

Labels

dependencies tooling vulnerability

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@svc-secops @fbartho