Description

The package [email protected] currently depends on [email protected], which contains a high-severity vulnerability (CVE-2025-15284) that can lead to Denial of Service through memory exhaustion.

Vulnerability Details

• CVE ID: CVE-2025-15284
• Snyk ID: SNYK-JS-QS-14724253
• CVSS Score: 8.7 (High)
• CWE: CWE-770 (Allocation of Resources Without Limits or Throttling)
• Fixed in: [email protected]

Impact

The vulnerability allows attackers to exploit improper enforcement of the arrayLimit option in bracket notation parsing. An attacker can:

• Send a large number of bracket notation parameters (e.g., a[]=1&a[]=2&...) in a single HTTP request
• Exhaust server memory
• Cause application unavailability
• Execute the attack without authentication

References

• Snyk Advisory
• NVD Entry
• GitHub Security Advisory

Current State

In [email protected]:
"dependencies": {
"qs": "^6.11.1"
}
Lockfile shows: [email protected] (still vulnerable)

Question

I noticed that my package-lock.json shows [email protected] with [email protected]. Does version 3.22.0 or later include the fix for this vulnerability (using [email protected])?

If so, I can simply upgrade. If not, could you please update the qs dependency to ^6.14.1 in an upcoming release?

Environment

• Package: [email protected]
• Vulnerable dependency: [email protected]
• Package manager: npm

Additional Information

This vulnerability is actively being scanned by security tools (Snyk) and is blocking security compliance for applications using Contentstack. Guidance on upgrading or a patch release would be greatly appreciated.

Thank you for your attention to this security issue!