UBUNTU-CVE-2025-15284

Source
https://ubuntu.com/security/CVE-2025-15284
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-15284.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2025-15284
Upstream
Published
2025-12-29T23:15:00Z
Modified
2026-01-08T06:16:09.161168Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  • Ubuntu - medium
Summary
[none]
Details

Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS. This issue affects qs: < 6.14.1.

Summary

The arrayLimit option in qs does not enforce limits for bracket notation (a[]=1&a[]=2), allowing attackers to cause denial of service via memory exhaustion. Applications that rely on arrayLimit for DoS protection are vulnerable.

Details

The arrayLimit option only checks limits for indexed notation (a[0]=1&a[1]=2) but completely bypasses it for bracket notation (a[]=1&a[]=2).

Vulnerable code (lib/parse.js:159-162):

    if (root === '[]' && options.parseArrays) {
        obj = utils.combine([], leaf); // No arrayLimit check
    }

Working code (lib/parse.js:175):

    else if (index <= options.arrayLimit) { // Limit checked here
        obj = [];
        obj[index] = leaf;
    }

The bracket notation handler at line 159 uses utils.combine([], leaf) without validating against options.arrayLimit, while indexed notation at line 175 checks index <= options.arrayLimit before creating arrays.

PoC

Test 1 - Basic bypass:

    npm install qs

    const qs = require('qs');
    const result = qs.parse('a[]=1&a[]=2&a[]=3&a[]=4&a[]=5&a[]=6', { arrayLimit: 5 });
    console.log(result.a.length); // Output: 6 (should be max 5)

Test 2 - DoS demonstration:

    const qs = require('qs');
    const attack = 'a[]=' + Array(10000).fill('x').join('&a[]=');
    const result = qs.parse(attack, { arrayLimit: 100 });
    console.log(result.a.length); // Output: 10000 (should be max 100)

Configuration:
  • arrayLimit: 5 (test 1) or arrayLimit: 100 (test 2)
  • Use bracket notation: a[]=value (not indexed a[0]=value)

Impact

Denial of service via memory exhaustion. Affects applications using qs.parse() with user-controlled input and arrayLimit for protection.

Attack scenario:
  • Attacker sends HTTP request: GET /api/search?filters[]=x&filters[]=x&...&filters[]=x (100,000+ times)
  • Application parses with qs.parse(query, { arrayLimit: 100 })
  • qs ignores the limit and parses all 100,000 elements into an array
  • Server memory exhausted → application crashes or becomes unresponsive
  • Service unavailable for all users

Real-world impact:
  • A single malicious request can crash the server
  • No authentication required
  • Easy to automate and scale
  • Affects any endpoint parsing query strings with bracket notation
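The following is an added example, not code from the qs project or from the advisory text. Until an application can move to qs 6.14.1 or later, the limit that arrayLimit fails to apply to bracket notation can be enforced on the raw query string before qs.parse() is ever called: the guard below counts, per key, how many values would become array elements (both a[]=v and a[0]=v forms, including percent-encoded brackets) and rejects the request when any key exceeds the limit, without allocating anything proportional to the attacker's element count. The function names, sample inputs and limits are assumptions made for illustration.

```javascript
// Added example for this advisory; it is not code from the qs project or
// from the advisory text. It enforces an array-element limit on the RAW query
// string before qs.parse() runs, so bracket notation (a[]=1&a[]=2) is bounded
// even on qs < 6.14.1, where arrayLimit is only applied to indexed notation.
// Function names, the sample inputs and the limits are assumptions made for
// illustration.

// Count how many values each key would receive as array elements. Both forms
// qs turns into arrays are counted: "a[]=v" and "a[0]=v"/"a[7]=v". Nested
// prefixes are kept distinct ("a[b][]" counts toward "a[b]", not "a").
// Only key names are inspected and values are never decoded, so the cost is
// linear in the query length with one counter per distinct key, regardless
// of how many elements the attacker sends.
function countArrayElements(query) {
  const counts = new Map();
  const q = query.startsWith('?') ? query.slice(1) : query;
  for (const pair of q.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    let key;
    try {
      // "%5B%5D" is the percent-encoded form of "[]"; decode it before matching.
      key = decodeURIComponent(rawKey.replace(/\+/g, ' '));
    } catch (_) {
      key = rawKey; // malformed escape: fall back to the literal key
    }
    const m = /^(.*)\[(\d*)\]$/.exec(key); // trailing "[]" or "[<digits>]"
    if (!m) continue;
    counts.set(m[1], (counts.get(m[1]) || 0) + 1);
  }
  return counts;
}

// Returns null when every key is within `limit`, otherwise the first offending
// key and its element count so the caller can answer 400 before parsing.
// Deliberately stricter than qs's own "index <= arrayLimit" rule: more than
// `limit` elements for one key is rejected outright.
function checkArrayLimit(query, limit) {
  for (const [key, count] of countArrayElements(query)) {
    if (count > limit) return { key, count };
  }
  return null;
}

// Constructed inputs (not captured traffic): a benign query, the advisory's
// Test 1 shape, a percent-encoded variant, and a 10,000-element payload of
// the kind described in the attack scenario above.
const SAMPLE_OK = 'a[]=1&a[]=2&a[]=3&b=1';
const SAMPLE_BAD = 'a[]=1&a[]=2&a[]=3&a[]=4&a[]=5&a[]=6';
const SAMPLE_ENCODED = 'filters%5B%5D=x&filters%5B%5D=y&filters%5B%5D=z';
const SAMPLE_HUGE = 'a[]=' + Array(10000).fill('x').join('&a[]=');

function demo() {
  const results = {
    ok: checkArrayLimit(SAMPLE_OK, 5),            // null
    bad: checkArrayLimit(SAMPLE_BAD, 5),          // { key: 'a', count: 6 }
    encoded: checkArrayLimit(SAMPLE_ENCODED, 2),  // { key: 'filters', count: 3 }
    huge: checkArrayLimit(SAMPLE_HUGE, 100),      // { key: 'a', count: 10000 }
  };
  for (const [name, r] of Object.entries(results)) {
    console.log(name, r === null ? 'accepted' : `rejected: ${r.key} has ${r.count} elements`);
  }
  return results;
}

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  demo();
}
```

Place checkArrayLimit in front of whatever calls qs.parse() on user-controlled input (query strings, and form bodies if they are parsed with qs as well) and reject with HTTP 400 when it returns a non-null result. This is a stop-gap that bounds the one allocation the advisory describes; the fix remains upgrading to a qs release of 6.14.1 or later, or the patched Ubuntu node-qs package once one is available.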

References

Affected packages

Ubuntu:16.04:LTS

node-qs

Package

Name
node-qs
Purl
pkg:deb/ubuntu/node-qs@2.2.4-1?arch=source&distro=xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

2.*

2.2.4-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "node-qs",
            "binary_version": "2.2.4-1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-15284.json"

Ubuntu:18.04:LTS

node-qs

Package

Name
node-qs
Purl
pkg:deb/ubuntu/node-qs@2.2.4-1ubuntu1?arch=source&distro=bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

2.*

2.2.4-1
2.2.4-1ubuntu1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "node-qs",
            "binary_version": "2.2.4-1ubuntu1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-15284.json"

Ubuntu:22.04:LTS

node-qs

Package

Name
node-qs
Purl
pkg:deb/ubuntu/node-qs@6.10.3+ds+~6.9.7-1?arch=source&distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

6.*

6.9.4+ds-1
6.10.1+ds-1
6.10.2+ds+~6.9.7-1
6.10.3+ds+~6.9.7-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "node-qs",
            "binary_version": "6.10.3+ds+~6.9.7-1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-15284.json"

Ubuntu:24.04:LTS

node-qs

Package

Name
node-qs
Purl
pkg:deb/ubuntu/node-qs@6.11.0+ds+~6.9.7-4?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

6.*

6.11.0+ds+~6.9.7-3
6.11.0+ds+~6.9.7-4

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "node-qs",
            "binary_version": "6.11.0+ds+~6.9.7-4"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-15284.json"

Ubuntu:25.04

node-qs

Package

Name
node-qs
Purl
pkg:deb/ubuntu/node-qs@6.13.0+ds+~6.9.16-1?arch=source&distro=plucky

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

6.*

6.11.0+ds+~6.9.7-4
6.13.0+ds+~6.9.16-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "node-qs",
            "binary_version": "6.13.0+ds+~6.9.16-1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-15284.json"

Ubuntu:25.10

node-qs

Package

Name
node-qs
Purl
pkg:deb/ubuntu/node-qs@6.13.0+ds+~6.9.16-1?arch=source&distro=questing

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

6.*

6.13.0+ds+~6.9.16-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "node-qs",
            "binary_version": "6.13.0+ds+~6.9.16-1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-15284.json"

Ubuntu:Pro:14.04:LTS

node-qs

Package

Name
node-qs
Purl
pkg:deb/ubuntu/node-qs@0.6.5-1ubuntu0.1~esm1?arch=source&distro=esm-infra-legacy/trusty

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

0.*

0.4.2-1
0.6.5-1
0.6.5-1ubuntu0.1~esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "node-qs",
            "binary_version": "0.6.5-1ubuntu0.1~esm1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-15284.json"

Ubuntu:Pro:20.04:LTS

node-qs

Package

Name
node-qs
Purl
pkg:deb/ubuntu/node-qs@6.9.1+ds-1ubuntu0.1~esm1?arch=source&distro=esm-apps/focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

6.*

6.5.2-1
6.9.0+ds-1
6.9.1+ds-1
6.9.1+ds-1ubuntu0.1~esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "node-qs",
            "binary_version": "6.9.1+ds-1ubuntu0.1~esm1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-15284.json"