The Limit Does Not Exist: Crashing Node.js via CVE-2025-15284

Amit Schendel

Senior Security Researcher

Jan 1, 2026·5 min read·48 visits

PoC Available

Executive Summary (TL;DR)

The `qs` library, used by Express and others to parse query strings, has a setting called `arrayLimit` to prevent memory exhaustion. Versions < 6.14.1 fail to apply this limit to bracket notation (`key[]=value`). Attackers can send a single request with thousands of keys to crash the server. Patch immediately to 6.14.1.

A logic flaw in the ubiquitous `qs` library allows attackers to bypass the `arrayLimit` security control using bracket notation. This enables unauthenticated Denial of Service (DoS) attacks against Node.js applications by exhausting server memory with massive arrays.

Attack Flow Diagram

Official Patches

qs (GitHub)Commit fixing the logic flaw in parse.js

Fix Analysis (1)

Technical Appendix

CVSS Score

7.5/ 10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Probability

0.10%

Top 100% most exploited

Affected Systems

Node.js applications using `express`NestJS applicationsKoa applications using `koa-qs`Any Node.js service using `qs < 6.14.1`

Affected Versions Detail

Product	Affected Versions	Fixed Version
qs ljharb	< 6.14.1	6.14.1

Attribute	Detail
CWE ID	CWE-20
Attack Vector	Network
CVSS	7.5 (High)
Impact	Denial of Service (DoS)
Exploit Status	PoC Available
Fixed Version	6.14.1

MITRE ATT&CK Mapping

T1499.004Endpoint Denial of Service: Application or System Exploitation

Impact

CWE-20

Improper Input Validation

Known Exploits & Detection

GitHub Security AdvisoryAdvisory containing PoC for arrayLimit bypass

Vulnerability Timeline

Patch committed to GitHub

2025-02-17

GitHub Security Advisory Published

2025-02-18