Severity: 6.3 MEDIUM (NVD)
EPSS: 0.1% (top 80.91%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Dec 29
Latest update: Feb 12

Description

Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS. This issue affects qs: < 6.14.1.

Summary

The arrayLimit option in qs did not enforce limits for bracket notation (a[]=1&a[]=2), only for indexed notation (a[0]=1). This is a consistency bug; arrayLimit should apply uniformly across all array notations.

Note: The default parameterLimit of 1000 effectively mitigates the DoS scenario originally described. With default options, bracket notation cannot produce arrays la

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L

Affected Packages (2 packages)

NVD: qs_project/qs < 6.14.1
npm: qs_project/qs < 6.14.1


🔴 Vulnerability Details (5)

GHSA: qs's arrayLimit bypass in comma parsing allows denial of service (2026-02-12)
GHSA: qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion (2025-12-30)
OSV: qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion (2025-12-30)
OSV: CVE-2025-15284: Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS (2025-12-29)
CVEList: arrayLimit bypass in bracket notation allows DoS via memory exhaustion (2025-12-29)

📋 Vendor Advisories (3)

Red Hat: qs: qs: Denial of Service via improper input validation in array parsing (2025-12-29)
Microsoft: arrayLimit bypass in bracket notation allows DoS via memory exhaustion (2025-12-09)
Debian: CVE-2025-15284: node-qs - Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS.Th... (2025)

🕵️ Threat Intelligence (1)

Wiz: CVE-2025-15284 Impact, Exploitability, and Mitigation Steps | Wiz

💬 Community (3)

Bugzilla: CVE-2025-15284 python-torch: qs: Denial of Service via improper input validation in array parsing [epel-10] (2025-12-31)
Bugzilla: CVE-2025-15284 python-torch: qs: Denial of Service via improper input validation in array parsing [fedora-43] (2025-12-31)
Bugzilla: CVE-2025-15284 python-torch: qs: Denial of Service via improper input validation in array parsing [fedora-42] (2025-12-31)
CVE-2025-15284 — Improper Input Validation | cvebase