Description

The package @constructor-io/[email protected] currently depends on [email protected], which contains a high-severity vulnerability (CVE-2025-15284) that can lead to Denial of Service through memory exhaustion.

Vulnerability Details

• CVE ID: CVE-2025-15284
• Snyk ID: SNYK-JS-QS-14724253
• CVSS Score: 8.7 (High)
• CWE: CWE-770 (Allocation of Resources Without Limits or Throttling)
• Fixed in: [email protected]

Impact

The vulnerability allows attackers to exploit improper enforcement of the arrayLimit option in bracket notation parsing. An attacker can:

• Send a large number of bracket notation parameters (e.g., a[]=1&a[]=2&...) in a single HTTP request
• Exhaust server memory
• Cause application unavailability
• Execute the attack without authentication
• Affect all users of the service

References

• Snyk Advisory
• NVD Entry
• GitHub Security Advisory
• qs Package Release Notes

Current State

"dependencies": {
"qs": "6.9.7"
}

Requested Change

Please update the qs dependency to version 6.14.1 or later:

"dependencies": {
"qs": "^6.14.1"
}

Testing

The fix in [email protected] properly enforces the arrayLimit option for bracket notation. Please verify:

1. All existing functionality continues to work as expected
2. Query string parsing behaves identically for normal use cases
3. Memory consumption is properly limited when parsing bracket notation arrays

Workaround

Until this is fixed, users can apply an npm override in their package.json:

"overrides": {
"qs": "6.14.1"
}

However, an official fix from the package maintainers is preferred to ensure compatibility and proper testing.

Additional Context

This issue was discovered through Snyk security scanning and is blocking our ability to maintain a secure application. We would appreciate an update to address this high-severity vulnerability.

Thank you for your attention to this security issue!