CVE-2026-2391
- EPSS 0.04%
- Published 12.02.2026 04:39:42
- Last modified 24.02.2026 20:13:51
Summary: The `arrayLimit` option in qs does not enforce limits for comma-separated values when `comma: true` is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar ...
CVE-2025-15284
- EPSS 0.06%
- Published 29.12.2025 22:56:45
- Last modified 26.02.2026 19:57:11
Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS. This issue affects qs: < 6.14.1. Summary: The `arrayLimit` option in qs did not enforce limits for bracket notation (`a[]=1&a[]=2`), only for indexed notation (`a[0]=1`). This ...
CVE-2022-24999
- EPSS 1.54%
- Published 26.11.2022 22:15:10
- Last modified 29.04.2025 14:15:20
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an `__proto__` key can be used. In many typical Express use cases, an unauthenticated remote attack...
CVE-2014-10064
- EPSS 0.56%
- Published 31.05.2018 20:29:00
- Last modified 21.11.2024 02:03:26
The qs module before 1.0.0 does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. An attacker could leverage this to cause a tem...
CVE-2017-1000048
- EPSS 0.53%
- Published 17.07.2017 13:18:17
- Last modified 20.04.2025 01:37:25
The web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send an evil request to cause the web framework to crash.