CVE-2025-15284 is an Improper Input Validation vulnerability classified under CWE-20, affecting the qs library, a widely used Node.js module for parsing URL query strings. The vulnerability arises from the improper enforcement of the arrayLimit option, which is designed to limit the number of array elements parsed to prevent denial-of-service attacks via memory exhaustion. Specifically, the arrayLimit check is applied only to indexed notation arrays (e.g., a[0]=1&a[1]=2) but is completely bypassed for bracket notation arrays (e.g., a[]=1&a[]=2). The vulnerable code path uses utils.combine([], leaf) without validating the array size against arrayLimit, allowing attackers to submit HTTP requests with very large arrays using bracket notation. This results in the qs parser allocating memory for all elements, ignoring the configured limit, which can exhaust server memory resources. Proof-of-concept tests demonstrate that even when arrayLimit is set to 5 or 100, the parser accepts and processes thousands of elements, leading to potential server crashes or unresponsiveness. The vulnerability affects all qs versions prior to 6.14.1, and exploitation requires no authentication or user interaction, making it trivial to automate and scale. The impact is a denial-of-service condition caused by memory exhaustion during query string parsing in web applications that use qs.parse() with user-supplied input. This can result in service unavailability and disruption of business operations.

For European organizations, this vulnerability poses a significant risk to the availability of web applications and APIs that utilize the vulnerable qs library versions. Since qs is a popular Node.js module, many web services, including e-commerce platforms, government portals, and enterprise applications, may be affected. An attacker can send a single malicious HTTP request with a large number of bracket notation parameters to exhaust server memory, causing crashes or severe performance degradation. This can lead to denial of service, impacting customer experience, operational continuity, and potentially violating service-level agreements (SLAs). The lack of authentication requirement and ease of exploitation increase the threat level, enabling attackers to launch large-scale automated attacks. Additionally, critical infrastructure and public-facing services in Europe relying on Node.js stacks may be targeted, amplifying the impact. The vulnerability could also be leveraged as part of multi-vector attacks, compounding risks for organizations with limited incident response capabilities.

European organizations should immediately upgrade the qs library to version 6.14.1 or later, where the vulnerability is patched. For applications where immediate upgrade is not feasible, implement strict input validation and sanitization on query string parameters before passing them to qs.parse(), specifically limiting the size and structure of arrays in bracket notation. Employ web application firewalls (WAFs) with custom rules to detect and block HTTP requests containing excessive repeated bracket notation parameters. Monitor application logs and network traffic for unusual spikes in query string array parameters indicative of exploitation attempts. Consider rate limiting and IP reputation filtering to reduce the risk of automated attacks. Developers should avoid relying solely on arrayLimit for DoS protection and implement additional resource usage monitoring and graceful degradation mechanisms. Conduct thorough testing of query string parsing behavior post-mitigation to ensure no bypasses remain. Finally, maintain an up-to-date inventory of Node.js dependencies and integrate vulnerability scanning into CI/CD pipelines to prevent future exposure.