{
  "actions": [
    {
      "action": "update",
      "resolves": [
        {
          "id": 1113161,
          "path": ".>@modelcontextprotocol/sdk>express>qs",
          "dev": false,
          "optional": false,
          "bundled": false
        }
      ],
      "module": "qs",
      "target": "6.15.0",
      "depth": 4
    },
    {
      "action": "update",
      "resolves": [
        {
          "id": 1113214,
          "path": ".>@modelcontextprotocol/sdk>ajv",
          "dev": false,
          "optional": false,
          "bundled": false
        }
      ],
      "module": "ajv",
      "target": "8.18.0",
      "depth": 3
    },
    {
      "action": "review",
      "module": "ajv",
      "resolves": [
        {
          "id": 1113214,
          "path": ".>eslint>ajv",
          "dev": false,
          "optional": false,
          "bundled": false
        }
      ]
    }
  ],
  "advisories": {
    "1113161": {
      "findings": [
        {
          "version": "6.14.1",
          "paths": [
            ".>@modelcontextprotocol/sdk>express>qs"
          ]
        }
      ],
      "found_by": null,
      "deleted": null,
      "references": "- https://github.com/ljharb/qs/security/advisories/GHSA-w7fw-mjwx-w883\n- https://nvd.nist.gov/vuln/detail/CVE-2026-2391\n- https://github.com/ljharb/qs/commit/f6a7abff1f13d644db9b05fe4f2c98ada6bf8482\n- https://github.com/advisories/GHSA-w7fw-mjwx-w883",
      "created": "2026-02-12T17:04:39.000Z",
      "id": 1113161,
      "npm_advisory_id": null,
      "overview": "### Summary\nThe `arrayLimit` option in qs does not enforce limits for comma-separated values when `comma: true` is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar to the bracket notation bypass addressed in GHSA-6rw7-vpxm-498p (CVE-2025-15284).\n\n### Details\nWhen the `comma` option is set to `true` (not the default, but configurable in applications), qs allows parsing comma-separated strings as arrays (e.g., `?param=a,b,c` becomes `['a', 'b', 'c']`). However, the limit check for `arrayLimit` (default: 20) and the optional throwOnLimitExceeded occur after the comma-handling logic in `parseArrayValue`, enabling a bypass. This permits creation of arbitrarily large arrays from a single parameter, leading to excessive memory allocation.\n\n**Vulnerable code** (lib/parse.js: lines ~40-50):\n```js\nif (val && typeof val === 'string' && options.comma && val.indexOf(',') > -1) {\n    return val.split(',');\n}\n\nif (options.throwOnLimitExceeded && currentArrayLength >= options.arrayLimit) {\n    throw new RangeError('Array limit exceeded. Only ' + options.arrayLimit + ' element' + (options.arrayLimit === 1 ? '' : 's') + ' allowed in an array.');\n}\n\nreturn val;\n```\nThe `split(',')` returns the array immediately, skipping the subsequent limit check. Downstream merging via `utils.combine` does not prevent allocation, even if it marks overflows for sparse arrays.This discrepancy allows attackers to send a single parameter with millions of commas (e.g., `?param=,,,,,,,,...`), allocating massive arrays in memory without triggering limits. It bypasses the intent of `arrayLimit`, which is enforced correctly for indexed (`a[0]=`) and bracket (`a[]=`) notations (the latter fixed in v6.14.1 per GHSA-6rw7-vpxm-498p).\n\n### PoC\n**Test 1 - Basic bypass:**\n```\nnpm install qs\n```\n\n```js\nconst qs = require('qs');\n\nconst payload = 'a=' + ','.repeat(25);  // 26 elements after split (bypasses arrayLimit: 5)\nconst options = { comma: true, arrayLimit: 5, throwOnLimitExceeded: true };\n\ntry {\n  const result = qs.parse(payload, options);\n  console.log(result.a.length);  // Outputs: 26 (bypass successful)\n} catch (e) {\n  console.log('Limit enforced:', e.message);  // Not thrown\n}\n```\n**Configuration:**\n- `comma: true`\n- `arrayLimit: 5`\n- `throwOnLimitExceeded: true`\n\nExpected: Throws \"Array limit exceeded\" error.\nActual: Parses successfully, creating an array of length 26.\n\n\n### Impact\nDenial of Service (DoS) via memory exhaustion.\n\n### Suggested Fix\nMove the `arrayLimit` check before the comma split in `parseArrayValue`, and enforce it on the resulting array length. Use `currentArrayLength` (already calculated upstream) for consistency with bracket notation fixes.\n\n**Current code** (lib/parse.js: lines ~40-50):\n```js\nif (val && typeof val === 'string' && options.comma && val.indexOf(',') > -1) {\n    return val.split(',');\n}\n\nif (options.throwOnLimitExceeded && currentArrayLength >= options.arrayLimit) {\n    throw new RangeError('Array limit exceeded. Only ' + options.arrayLimit + ' element' + (options.arrayLimit === 1 ? '' : 's') + ' allowed in an array.');\n}\n\nreturn val;\n```\n\n**Fixed code:**\n```js\nif (val && typeof val === 'string' && options.comma && val.indexOf(',') > -1) {\n    const splitArray = val.split(',');\n    if (splitArray.length > options.arrayLimit - currentArrayLength) {  // Check against remaining limit\n        if (options.throwOnLimitExceeded) {\n            throw new RangeError('Array limit exceeded. Only ' + options.arrayLimit + ' element' + (options.arrayLimit === 1 ? '' : 's') + ' allowed in an array.');\n        } else {\n            // Optionally convert to object or truncate, per README\n            return splitArray.slice(0, options.arrayLimit - currentArrayLength);\n        }\n    }\n    return splitArray;\n}\n\nif (options.throwOnLimitExceeded && currentArrayLength >= options.arrayLimit) {\n    throw new RangeError('Array limit exceeded. Only ' + options.arrayLimit + ' element' + (options.arrayLimit === 1 ? '' : 's') + ' allowed in an array.');\n}\n\nreturn val;\n```\nThis aligns behavior with indexed and bracket notations, reuses `currentArrayLength`, and respects `throwOnLimitExceeded`. Update README to note the consistent enforcement.",
      "reported_by": null,
      "title": "qs's arrayLimit bypass in comma parsing allows denial of service",
      "metadata": null,
      "cves": [
        "CVE-2026-2391"
      ],
      "access": "public",
      "severity": "low",
      "module_name": "qs",
      "vulnerable_versions": ">=6.7.0 <=6.14.1",
      "github_advisory_id": "GHSA-w7fw-mjwx-w883",
      "recommendation": "Upgrade to version 6.14.2 or later",
      "patched_versions": ">=6.14.2",
      "updated": "2026-02-12T20:08:00.000Z",
      "cvss": {
        "score": 3.7,
        "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
      },
      "cwe": [
        "CWE-20"
      ],
      "url": "https://github.com/advisories/GHSA-w7fw-mjwx-w883"
    },
    "1113214": {
      "findings": [
        {
          "version": "8.17.1",
          "paths": [
            ".>@modelcontextprotocol/sdk>ajv"
          ]
        },
        {
          "version": "6.12.6",
          "paths": [
            ".>eslint>ajv"
          ]
        }
      ],
      "found_by": null,
      "deleted": null,
      "references": "- https://nvd.nist.gov/vuln/detail/CVE-2025-69873\n- https://github.com/EthanKim88/ethan-cve-disclosures/blob/main/CVE-2025-69873-ajv-ReDoS.md\n- https://github.com/ajv-validator/ajv/pull/2586\n- https://github.com/ajv-validator/ajv/commit/720a23fa453ffae8340e92c9b0fe886c54cfe0d5\n- https://github.com/ajv-validator/ajv/releases/tag/v8.18.0\n- https://github.com/advisories/GHSA-2g4f-4pwh-qvx6",
      "created": "2026-02-11T21:30:39.000Z",
      "id": 1113214,
      "npm_advisory_id": null,
      "overview": "ajv (Another JSON Schema Validator) through version 8.17.1 is vulnerable to Regular Expression Denial of Service (ReDoS) when the `$data` option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax (`$data` reference), which is passed directly to the JavaScript `RegExp()` constructor without validation. An attacker can inject a malicious regex pattern (e.g., `\\\"^(a|a)*$\\\"`) combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with `$data`: true for dynamic schema validation.",
      "reported_by": null,
      "title": "ajv has ReDoS when using `$data` option",
      "metadata": null,
      "cves": [
        "CVE-2025-69873"
      ],
      "access": "public",
      "severity": "moderate",
      "module_name": "ajv",
      "vulnerable_versions": "<8.18.0",
      "github_advisory_id": "GHSA-2g4f-4pwh-qvx6",
      "recommendation": "Upgrade to version 8.18.0 or later",
      "patched_versions": ">=8.18.0",
      "updated": "2026-02-17T18:13:07.000Z",
      "cvss": {
        "score": 0,
        "vectorString": null
      },
      "cwe": [
        "CWE-400"
      ],
      "url": "https://github.com/advisories/GHSA-2g4f-4pwh-qvx6"
    }
  },
  "muted": [],
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 1,
      "moderate": 2,
      "high": 0,
      "critical": 0
    },
    "dependencies": 546,
    "devDependencies": 0,
    "optionalDependencies": 0,
    "totalDependencies": 546
  }
}
