CVE-2025-15284: CWE-20 Improper Input Validation
Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS. This issue affects qs: < 6.14.1.

Summary
The arrayLimit option in qs did not enforce limits for bracket notation (a[]=1&a[]=2), only for indexed notation (a[0]=1). This is a consistency bug; arrayLimit should apply uniformly across all array notations.

Note: The default parameterLimit of 1000 effectively mitigates the DoS scenario originally described. With default options, bracket notation cannot produce arrays larger than parameterLimit regardless of arrayLimit, because each a[]=value consumes one parameter slot. The severity has been reduced accordingly.

Details
The arrayLimit option only checked limits for indexed notation (a[0]=1&a[1]=2) but did not enforce it for bracket notation (a[]=1&a[]=2).

Vulnerable code (lib/parse.js:159-162):

    if (root === '[]' && options.parseArrays) {
        obj = utils.combine([], leaf); // No arrayLimit check
    }

Working code (lib/parse.js:175):

    else if (index <= options.arrayLimit) { // Limit checked here
        obj = [];
        obj[index] = leaf;
    }

The bracket notation handler at line 159 uses utils.combine([], leaf) without validating against options.arrayLimit, while indexed notation at line 175 checks index <= options.arrayLimit before creating arrays.

PoC

    const qs = require('qs');
    const result = qs.parse('a[]=1&a[]=2&a[]=3&a[]=4&a[]=5&a[]=6', { arrayLimit: 5 });
    console.log(result.a.length); // Output: 6 (should be max 5)

Note on parameterLimit interaction: The original advisory's "DoS demonstration" claimed a length of 10,000, but parameterLimit (default: 1000) caps parsing to 1,000 parameters. With default options, the actual output is 1,000, not 10,000.

Impact
Consistency bug in arrayLimit enforcement. With default parameterLimit, the practical DoS risk is negligible since parameterLimit already caps the total number of parsed parameters (and thus array elements from bracket notation). The risk increases only when parameterLimit is explicitly set to a very high value.
AI Analysis
Technical Summary
CVE-2025-15284 is a vulnerability in the qs Node.js library, which is widely used for parsing URL query strings. The issue arises from inconsistent enforcement of the arrayLimit option, which is intended to restrict the maximum number of elements in parsed arrays. While arrayLimit correctly limits arrays using indexed notation (e.g., a[0]=1&a[1]=2), it fails to enforce this limit for bracket notation arrays (e.g., a[]=1&a[]=2). This inconsistency allows an attacker to craft HTTP query strings with bracket notation arrays exceeding the configured arrayLimit, potentially causing excessive memory allocation and CPU usage during parsing. The vulnerable code path combines array elements without checking arrayLimit, whereas the indexed notation path enforces the limit properly. Although the original advisory demonstrated a denial of service scenario with 10,000 elements, the default parameterLimit of 1000 parameters caps the total number of parsed parameters, effectively mitigating large-scale exploitation under default settings. The vulnerability affects qs versions prior to 6.14.1, which fixed the issue by applying arrayLimit checks uniformly. Exploitation requires no authentication or user interaction and can be triggered remotely by sending specially crafted HTTP requests with large bracket notation arrays. The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L) indicates a network attack vector, low attack complexity, attack requirements present, no privileges or user interaction required, and low impact on availability (of both the vulnerable and subsequent systems), with no impact on confidentiality or integrity. No known exploits are currently in the wild.
Potential Impact
For European organizations, the primary impact of this vulnerability is the potential for denial of service attacks against web applications or APIs that utilize vulnerable versions of the qs library for query string parsing. If parameterLimit is configured higher than the default or disabled, attackers can send crafted HTTP requests with large bracket notation arrays to exhaust server memory and CPU resources, leading to degraded performance or service outages. This can disrupt business operations, cause downtime, and potentially impact customer trust and regulatory compliance, especially under GDPR requirements for service availability. The vulnerability does not directly expose sensitive data or allow code execution, limiting confidentiality and integrity impacts. However, availability degradation can affect critical services, particularly for sectors relying heavily on web-based interfaces such as finance, healthcare, and government services. Organizations using custom configurations with high parameterLimit values or those unaware of the vulnerability risk increased exposure. The lack of authentication or user interaction requirements makes exploitation feasible by remote attackers scanning for vulnerable endpoints.
Mitigation Recommendations
1. Upgrade the qs library to version 6.14.1 or later, where the arrayLimit enforcement bug is fixed.
2. Review and enforce strict parameterLimit settings, ideally retaining the default value of 1000 or lower, to cap the total number of parameters parsed and limit resource consumption.
3. Implement input validation and rate limiting at the web application firewall (WAF) or API gateway level to detect and block unusually large or malformed query strings with excessive array elements.
4. Monitor application logs for abnormal spikes in query string parameter counts or parsing errors indicative of attempted exploitation.
5. Conduct security testing and code audits to identify other potential input validation weaknesses in query string parsing or related components.
6. Educate development teams on secure configuration of third-party libraries and the risks of overriding default limits without proper safeguards.
7. Deploy resource usage monitoring and automated alerting to detect early signs of denial of service conditions.
8. Consider isolating critical services behind reverse proxies or load balancers that can enforce stricter request size limits and filtering.
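The following is an added example, not code from qs or from the advisory: a pre-parse guard that counts query parameters and array elements per key for both notations the Details section contrasts (a[]= and a[0]=), so one limit applies uniformly before qs.parse() runs, which is the kind of gateway-level check mitigations 3 and 4 describe. It assumes its own policy (arrayLimit as a maximum element count per key, parameterLimit as a maximum pair count, both defaulting to the qs defaults) and the Express-style middleware wiring is hypothetical.

```javascript
// Added example, not code from qs: a pre-parse guard that counts query
// parameters and array elements per key for both bracket (a[]=) and indexed
// (a[0]=) notation, so one limit is applied uniformly before qs.parse() runs.
// Assumed policy: arrayLimit is a maximum element count per array key and
// parameterLimit a maximum number of key=value pairs (defaults mirror qs).
const DEFAULTS = { parameterLimit: 1000, arrayLimit: 20 };

// Return the array root of a key, or null if the key is not array notation:
// "a[]" -> "a", "a[3]" -> "a", "a[b][]" -> "a[b]", "a[b]" -> null.
function arrayRoot(key) {
  const m = /^(.*)\[\d*\]$/.exec(key);
  return m ? m[1] : null;
}

function checkQueryLimits(query, options = {}) {
  const { parameterLimit, arrayLimit } = { ...DEFAULTS, ...options };
  const pairs = query.split('&').filter(Boolean);
  const violations = [];
  if (pairs.length > parameterLimit) {
    violations.push(`parameterCount=${pairs.length} exceeds parameterLimit=${parameterLimit}`);
  }
  // One element per pair, so a[] and a[N] count the same way (duplicate
  // indexes are counted twice, which errs on the strict side).
  const counts = new Map();
  for (const pair of pairs) {
    const rawKey = pair.split('=', 1)[0].replace(/\+/g, ' ');
    let key;
    try { key = decodeURIComponent(rawKey); } catch (e) { key = rawKey; }
    const root = arrayRoot(key);
    if (root !== null) counts.set(root, (counts.get(root) || 0) + 1);
  }
  for (const [root, n] of counts) {
    if (n > arrayLimit) violations.push(`array "${root}" has ${n} elements, arrayLimit=${arrayLimit}`);
  }
  return { ok: violations.length === 0, parameterCount: pairs.length,
           arrayCounts: Object.fromEntries(counts), violations };
}

// Hypothetical Express-style middleware wiring: reject oversized query strings
// with 400 before any query parser sees them (qs itself would parse them).
function queryLimitMiddleware(options) {
  return (req, res, next) => {
    const i = req.url.indexOf('?');
    const result = checkQueryLimits(i === -1 ? '' : req.url.slice(i + 1), options);
    if (!result.ok) { res.statusCode = 400; return res.end(result.violations.join('; ')); }
    return next();
  };
}
// Constructed sample: the advisory's PoC string checked with arrayLimit 5.
console.log(checkQueryLimits('a[]=1&a[]=2&a[]=3&a[]=4&a[]=5&a[]=6', { arrayLimit: 5 }));
```

Unlike qs, which converts an oversized indexed array into an object rather than rejecting it, this guard refuses the request outright, so tune arrayLimit to the largest array a legitimate client actually sends.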
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Poland, Belgium, Ireland
Technical Details
- Data Version: 5.2
- Assigner Short Name: harborist
- Date Reserved: 2025-12-29T21:36:51.399Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 695450a8db813ff03e2be5f3
Added to database: 12/30/2025, 10:22:32 PM
Last enriched: 2/11/2026, 10:52:28 AM
Last updated: 3/25/2026, 5:35:49 AM
Views: 348