express-4.21.2.tgz: 1 vulnerabilities (highest severity is: 7.5)

[mend-bolt-for-github]

Vulnerable Library - express-4.21.2.tgz

Path to dependency file: /blockchain_integration/pi_network/pi-browser-app/apps/AstralPlane/package.json

Path to vulnerable library: /blockchain_integration/pi_network/PiRide/node_modules/qs/package.json,/blockchain_integration/pi_network/node_modules/qs/package.json,/server/node_modules/qs/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/qs/package.json,/blockchain_integration/pi_network/PiSure/client/node_modules/express/node_modules/qs/package.json,/blockchain_integration/pi_network/pi-browser-app/node_modules/body-parser/node_modules/qs/package.json,/pi-nexus-api/node_modules/qs/package.json,/ai-financial-advisor/node_modules/qs/package.json,/projects/oracle-nexus/node_modules/qs/package.json,/projects/PiWalletBot/node_modules/qs/package.json,/blockchain_integration/pi_network/pi-browser-app/node_modules/express/node_modules/qs/package.json,/blockchain_integration/pi_network/pi-browser-app/apps/AstralPlane/node_modules/qs/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/qs/package.json,/blockchain_integration/pi_network/PiSure/server/node_modules/qs/package.json,/sidra_chain_integration/advanced-features/blockchain-based-identity-verification/backend/node_modules/qs/package.json,/blockchain_integration/pi_network/onramp-pi/node_modules/qs/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/qs/package.json,/blockchain_integration/pi_network/smartship/node_modules/qs/package.json,/projects/Nexarion/node_modules/qs/package.json,/blockchain_integration/pi_network/contracts/node_modules/qs/package.json,/blockchain_integration/pi_network/pi-network-interoperability/node_modules/qs/package.json,/blockchain_integration/pi_network/PiSure/client/node_modules/body-parser/node_modules/qs/package.json

Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf

Vulnerabilities

Vulnerability	Severity	CVSS	Dependency	Type	Fixed in (express version)	Remediation Possible**
CVE-2025-15284	High	7.5	qs-6.13.0.tgz	Transitive	4.22.0	❌

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2025-15284

Vulnerable Library - qs-6.13.0.tgz

Library home page: https://registry.npmjs.org/qs/-/qs-6.13.0.tgz

Path to dependency file: /blockchain_integration/pi_network/PiRide/package.json

Path to vulnerable library: /blockchain_integration/pi_network/PiRide/node_modules/qs/package.json,/blockchain_integration/pi_network/node_modules/qs/package.json,/server/node_modules/qs/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/qs/package.json,/blockchain_integration/pi_network/PiSure/client/node_modules/express/node_modules/qs/package.json,/blockchain_integration/pi_network/pi-browser-app/node_modules/body-parser/node_modules/qs/package.json,/pi-nexus-api/node_modules/qs/package.json,/ai-financial-advisor/node_modules/qs/package.json,/projects/oracle-nexus/node_modules/qs/package.json,/projects/PiWalletBot/node_modules/qs/package.json,/blockchain_integration/pi_network/pi-browser-app/node_modules/express/node_modules/qs/package.json,/blockchain_integration/pi_network/pi-browser-app/apps/AstralPlane/node_modules/qs/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/qs/package.json,/blockchain_integration/pi_network/PiSure/server/node_modules/qs/package.json,/sidra_chain_integration/advanced-features/blockchain-based-identity-verification/backend/node_modules/qs/package.json,/blockchain_integration/pi_network/onramp-pi/node_modules/qs/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/qs/package.json,/blockchain_integration/pi_network/smartship/node_modules/qs/package.json,/projects/Nexarion/node_modules/qs/package.json,/blockchain_integration/pi_network/contracts/node_modules/qs/package.json,/blockchain_integration/pi_network/pi-network-interoperability/node_modules/qs/package.json,/blockchain_integration/pi_network/PiSure/client/node_modules/body-parser/node_modules/qs/package.json

Dependency Hierarchy:

• express-4.21.2.tgz (Root Library)
  • ❌ qs-6.13.0.tgz (Vulnerable Library)

Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf

Found in base branch: main

Vulnerability Details

Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS.This issue affects qs: < 6.14.1.
SummaryThe arrayLimit option in qs does not enforce limits for bracket notation (a[]=1&a[]=2), allowing attackers to cause denial-of-service via memory exhaustion. Applications using arrayLimit for DoS protection are vulnerable.
DetailsThe arrayLimit option only checks limits for indexed notation (a[0]=1&a[1]=2) but completely bypasses it for bracket notation (a[]=1&a[]=2).
Vulnerable code (lib/parse.js:159-162):
if (root === '[]' && options.parseArrays) {
obj = utils.combine([], leaf); // No arrayLimit check
}
Working code (lib/parse.js:175):
else if (index <= options.arrayLimit) { // Limit checked here
obj = [];
obj[index] = leaf;
}
The bracket notation handler at line 159 uses utils.combine([], leaf) without validating against options.arrayLimit, while indexed notation at line 175 checks index <= options.arrayLimit before creating arrays.
PoCTest 1 - Basic bypass:
npm install qs
const qs = require('qs');
const result = qs.parse('a[]=1&a[]=2&a[]=3&a[]=4&a[]=5&a[]=6', { arrayLimit: 5 });
console.log(result.a.length); // Output: 6 (should be max 5)
Test 2 - DoS demonstration:
const qs = require('qs');
const attack = 'a[]=' + Array(10000).fill('x').join('&a[]=');
const result = qs.parse(attack, { arrayLimit: 100 });
console.log(result.a.length); // Output: 10000 (should be max 100)
Configuration:

• arrayLimit: 5 (test 1) or arrayLimit: 100 (test 2)
• Use bracket notation: a[]=value (not indexed a[0]=value)
  ImpactDenial of Service via memory exhaustion. Affects applications using qs.parse() with user-controlled input and arrayLimit for protection.
  Attack scenario:
• Attacker sends HTTP request: GET /api/search?filters[]=x&filters[]=x&...&filters[]=x (100,000+ times)
• Application parses with qs.parse(query, { arrayLimit: 100 })
• qs ignores limit, parses all 100,000 elements into array
• Server memory exhausted → application crashes or becomes unresponsive
• Service unavailable for all users
  Real-world impact:
• Single malicious request can crash server
• No authentication required
• Easy to automate and scale
• Affects any endpoint parsing query strings with bracket notation

Publish Date: 2025-12-29

URL: CVE-2025-15284

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-6rw7-vpxm-498p

Release Date: 2025-12-29

Fix Resolution (qs): 6.14.1

Direct dependency fix Resolution (express): 4.22.0

Step up your Open Source Security Game with Mend here

[mend-bolt-for-github]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

[MAhdi3169]

Kosasih on fire 🔥

[mend-bolt-for-github]

ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.