CVE-2025-15284: qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion

December 30, 2025 (updated March 2, 2026)

The arrayLimit option in qs did not enforce limits for bracket notation (a[]=1&a[]=2), only for indexed notation (a[0]=1). This is a consistency bug; arrayLimit should apply uniformly across all array notations.

Note: The default parameterLimit of 1000 effectively mitigates the DoS scenario originally described. With default options, bracket notation cannot produce arrays larger than parameterLimit regardless of arrayLimit, because each a[]=value consumes one parameter slot. The severity has been reduced accordingly.

References

github.com/advisories/GHSA-6rw7-vpxm-498p
github.com/ljharb/qs
github.com/ljharb/qs/commit/3086902ecf7f088d0d1803887643ac6c03d415b9
github.com/ljharb/qs/security/advisories/GHSA-6rw7-vpxm-498p
nvd.nist.gov/vuln/detail/CVE-2025-15284

Code Behaviors & Features

Detect and mitigate CVE-2025-15284 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →