qs vulnerability

The qs library’s quietly dangerous prototype‑pollution bug — tracked as CVE‑2022‑24999 — is a textbook example of how a tiny parser behavior can cascade into a network‑accessible denial‑of‑service for Node.js applications. The flaw allowed an attacker to use a specially crafted query string (for...

A newly assigned CVE, CVE-2025-15284, exposes a subtle but impactful logic hole in the popular Node.js query-string parser package qs that allows attackers to bypass configured array-size limits and trigger denial-of-service (DoS) through memory exhaustion when requests use bracket notation...