Your message dated Mon, 06 Apr 2026 10:35:22 +0000
with message-id <[email protected]>
and subject line Bug#1127940: fixed in node-qs 6.15.0+ds+~6.15.0-1
has caused the Debian Bug report #1127940,
regarding node-qs: CVE-2026-2391
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1127940: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127940
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-qs
Version: 6.14.1+ds+~6.14.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for node-qs.

CVE-2026-2391[0]:
| ### Summary
| The `arrayLimit` option in qs does not enforce limits for comma-separated
| values when `comma: true` is enabled, allowing attackers to cause
| denial-of-service via memory exhaustion. This is a bypass of the array
| limit enforcement, similar to the bracket notation bypass addressed in
| GHSA-6rw7-vpxm-498p (CVE-2025-15284).
|
| ### Details
| When the `comma` option is set to `true` (not the default, but
| configurable in applications), qs allows parsing comma-separated strings
| as arrays (e.g., `?param=a,b,c` becomes `['a', 'b', 'c']`). However, the
| limit check for `arrayLimit` (default: 20) and the optional
| throwOnLimitExceeded occur after the comma-handling logic in
| `parseArrayValue`, enabling a bypass. This permits creation of
| arbitrarily large arrays from a single parameter, leading to excessive
| memory allocation.
|
| **Vulnerable code** (lib/parse.js: lines ~40-50):
|
| ```js
| if (val && typeof val === 'string' && options.comma && val.indexOf(',') > -1) {
|     return val.split(',');
| }
|
| if (options.throwOnLimitExceeded && currentArrayLength >= options.arrayLimit) {
|     throw new RangeError('Array limit exceeded. Only ' + options.arrayLimit + ' element' + (options.arrayLimit === 1 ? '' : 's') + ' allowed in an array.');
| }
| return val;
| ```
|
| The `split(',')` returns the array immediately, skipping the subsequent
| limit check. Downstream merging via `utils.combine` does not prevent
| allocation, even if it marks overflows for sparse arrays. This
| discrepancy allows attackers to send a single parameter with millions of
| commas (e.g., `?param=,,,,,,,,...`), allocating massive arrays in memory
| without triggering limits. It bypasses the intent of `arrayLimit`, which
| is enforced correctly for indexed (`a[0]=`) and bracket (`a[]=`)
| notations (the latter fixed in v6.14.1 per GHSA-6rw7-vpxm-498p).
|
| ### PoC
| **Test 1 - Basic bypass:**
|
| ```
| npm install qs
| ```
|
| ```js
| const qs = require('qs');
|
| const payload = 'a=' + ','.repeat(25);
| // 26 elements after split (bypasses arrayLimit: 5)
| const options = { comma: true, arrayLimit: 5, throwOnLimitExceeded: true };
|
| try {
|   const result = qs.parse(payload, options);
|   console.log(result.a.length);  // Outputs: 26 (bypass successful)
| } catch (e) {
|   console.log('Limit enforced:', e.message);  // Not thrown
| }
| ```
|
| **Configuration:**
| - `comma: true`
| - `arrayLimit: 5`
| - `throwOnLimitExceeded: true`
|
| Expected: Throws "Array limit exceeded" error.
| Actual: Parses successfully, creating an array of length 26.
|
| ### Impact
| Denial of Service (DoS) via memory exhaustion.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-2391
    https://www.cve.org/CVERecord?id=CVE-2026-2391
[1] https://github.com/ljharb/qs/security/advisories/GHSA-w7fw-mjwx-w883
[2] https://github.com/ljharb/qs/commit/f6a7abff1f13d644db9b05fe4f2c98ada6bf8482

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
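As an added illustration of the check-ordering bug the advisory above describes (example code, not from qs, Debian, or either message), here is a minimal model of `parseArrayValue` with the vulnerable ordering beside a hardened one. The hardened variant, its comma-counting pre-check and its non-throwing truncation are this example's own design and are not upstream's fix.

```javascript
// Added example, not qs's own code: a minimal model of the parseArrayValue helper
// quoted in the advisory; the hardened variant is this example's design, not upstream's.
function limitError(options) {
  return new RangeError('Array limit exceeded. Only ' + options.arrayLimit +
    ' element' + (options.arrayLimit === 1 ? '' : 's') + ' allowed in an array.');
}
// Vulnerable ordering, as quoted: the comma split returns before the
// arrayLimit check is ever reached.
function parseArrayValueVulnerable(val, options, currentArrayLength) {
  if (val && typeof val === 'string' && options.comma && val.indexOf(',') > -1) {
    return val.split(',');
  }
  if (options.throwOnLimitExceeded && currentArrayLength >= options.arrayLimit) {
    throw limitError(options);
  }
  return val;
}
// Count comma-separated elements without allocating, stopping once the count
// passes `max`, so a value with millions of commas costs only a bounded scan.
function countCommaElements(val, max) {
  let count = 1;
  for (let i = val.indexOf(','); i !== -1 && count <= max; i = val.indexOf(',', i + 1)) {
    count += 1;
  }
  return count;
}
// Hardened ordering: size the would-be array before splitting and apply the
// same limit that indexed and bracket notation already get.
function parseArrayValueHardened(val, options, currentArrayLength) {
  if (val && typeof val === 'string' && options.comma && val.indexOf(',') > -1) {
    const room = Math.max(options.arrayLimit - currentArrayLength, 0);
    if (countCommaElements(val, room) > room) {
      if (options.throwOnLimitExceeded) { throw limitError(options); }
      return val.split(',', room); // non-throwing mode: keep only what fits
    }
    return val.split(',');
  }
  if (options.throwOnLimitExceeded && currentArrayLength >= options.arrayLimit) {
    throw limitError(options);
  }
  return val;
}
// Elements a parser yields for one raw value, or -1 when it refuses the value.
function elementCount(parser, val, options) {
  try {
    const result = parser(val, options, 0);
    return Array.isArray(result) ? result.length : 1;
  } catch (e) { if (e instanceof RangeError) { return -1; } throw e; }
}
```

Feeding the advisory's value `','.repeat(25)` with `{ comma: true, arrayLimit: 5, throwOnLimitExceeded: true }` through `elementCount` gives 26 for the vulnerable ordering and -1 for the hardened one, which refuses it.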
--- Begin Message ---
Source: node-qs
Source-Version: 6.15.0+ds+~6.15.0-1
Done: Xavier Guimard <[email protected]>

We believe that the bug you reported is fixed in the latest version of
node-qs, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <[email protected]> (supplier of updated node-qs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Mon, 06 Apr 2026 12:15:41 +0200
Source: node-qs
Architecture: source
Version: 6.15.0+ds+~6.15.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Xavier Guimard <[email protected]>
Closes: 1127940
Changes:
 node-qs (6.15.0+ds+~6.15.0-1) unstable; urgency=medium
 .
   [ Xavier Guimard ]
   * Team upload
   * Declare compliance with policy 4.7.4
   * Drop "Priority: optional"
   * New upstream release (Closes: #1127940, CVE-2026-2391)



--- End Message ---
-- 
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
