CVE-2025-15284 - arrayLimit bypass in bracket notation allows DoS via memory exhaustion

CVE ID: CVE-2025-15284
Published: Dec. 29, 2025, 11:15 p.m.

Description: Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS. This issue affects qs: < 6.14.1.

Summary
The arrayLimit option in qs does not enforce limits for bracket notation (a[]=1&a[]=2), allowing attackers to cause denial of service via memory exhaustion. Applications relying on arrayLimit for DoS protection are vulnerable.

Details
The arrayLimit option only checks limits for indexed notation (a[0]=1&a[1]=2) but completely bypasses it for bracket notation (a[]=1&a[]=2).

Vulnerable code (lib/parse.js:159-162):

    if (root === '[]' && options.parseArrays) {
        obj = utils.combine([], leaf); // No arrayLimit check
    }

Working code (lib/parse.js:175): the indexed-notation path checks else if (index <= options.arrayLimit) before creating arrays; the bracket-notation path above has no such check.

PoC

Test 1 - basic bypass:

    npm install qs

    const qs = require('qs');
    const result = qs.parse('a[]=1&a[]=2&a[]=3&a[]=4&a[]=5&a[]=6', { arrayLimit: 5 });
    console.log(result.a.length); // Output: 6 (should be max 5)

Test 2 - DoS demonstration:

    const qs = require('qs');
    const attack = 'a[]=' + Array(10000).fill('x').join('&a[]=');
    const result = qs.parse(attack, { arrayLimit: 100 });
    console.log(result.a.length); // Output: 10000 (should be max 100)

Configuration:
* arrayLimit: 5 (Test 1) or arrayLimit: 100 (Test 2)
* Use bracket notation: a[]=value (not indexed a[0]=value)

Impact
Denial of service via memory exhaustion. Affects applications using qs.parse() with user-controlled input and arrayLimit for protection.

Attack scenario:
* Attacker sends HTTP request: GET /api/search?filters[]=x&filters[]=x&...&filters[]=x (100,000+ times)
* Application parses with qs.parse(query, { arrayLimit: 100 })
* qs ignores the limit and parses all 100,000 elements into an array
* Server memory exhausted → application crashes or becomes unresponsive
* Service unavailable for all users

Real-world impact:
* Single malicious request can crash the server
* No authentication required
* Easy to automate and scale
* Affects any endpoint parsing query strings with bracket notation

Severity: 8.7 | High
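An added defensive example, not code from the qs project or from the advisory: a Node.js pre-parse guard that counts bracket-notation and indexed array members per key in the raw query string and rejects oversized requests before qs.parse() allocates anything. arrayBaseKey, countArrayMembers, findOversizedArray and arrayLimitGuard are hypothetical names; it assumes the global URLSearchParams available in Node.js 10+ and, unlike qs's arrayLimit (a maximum index), limits the member count.

```javascript
'use strict';

// Reduce "filters[]", "filters[3]" or "a[b][]" to the array key they target
// ("filters", "filters", "a[b]"). Non-array keys such as "plain" or "a[b]"
// return null; object-style keys are left to the real parser.
function arrayBaseKey(key) {
  const m = /^(.*)\[(\d*)\]$/.exec(key);
  return m ? m[1] : null;
}

// Count array members per base key without building any arrays. Works on
// encoded input too: URLSearchParams decodes %5B%5D back to "[]".
function countArrayMembers(rawQuery) {
  const counts = new Map();
  const params = new URLSearchParams(rawQuery.replace(/^\?/, ''));
  for (const key of params.keys()) {          // keys() repeats duplicates
    const base = arrayBaseKey(key);
    if (base === null) continue;
    counts.set(base, (counts.get(base) || 0) + 1);
  }
  return counts;
}

// Return { key, count } for the first array exceeding `limit`, else null.
function findOversizedArray(rawQuery, limit) {
  for (const [key, count] of countArrayMembers(rawQuery)) {
    if (count > limit) return { key, count };
  }
  return null;
}

// Express-style middleware (assumed usage): mount it before any handler that
// calls qs.parse() on req.url, so the request is refused, not parsed.
function arrayLimitGuard(limit) {
  return function (req, res, next) {
    const over = findOversizedArray(req.url.split('?')[1] || '', limit);
    if (over) {
      res.statusCode = 413; // Payload Too Large
      return res.end('array "' + over.key + '" has ' + over.count +
                     ' members (limit ' + limit + ')');
    }
    next();
  };
}
```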

CVE Details

Severity
HIGH
Published
Dec. 29, 2025
Impact: DoS

Source: Telegram CVE Monitor