Description
The package @constructor-io/constructorio-node@4.12.2 currently depends on qs@6.9.7, which contains a high-severity vulnerability (CVE-2025-15284) that can lead to Denial of Service through memory exhaustion.
Vulnerability Details
- CVE ID: CVE-2025-15284
- Snyk ID: SNYK-JS-QS-14724253
- CVSS Score: 8.7 (High)
- CWE: CWE-770 (Allocation of Resources Without Limits or Throttling)
- Fixed in: qs@6.14.1
Impact
The vulnerability allows attackers to exploit improper enforcement of the arrayLimit option in bracket notation parsing. An attacker can:
- Send a large number of bracket notation parameters (e.g., a[]=1&a[]=2&...) in a single HTTP request
- Exhaust server memory
- Cause application unavailability
- Execute the attack without authentication
- Affect all users of the service
References
Current State
"dependencies": {
"qs": "6.9.7"
}
Requested Change
Please update the qs dependency to version 6.14.1 or later:
"dependencies": {
"qs": "^6.14.1"
}
Testing
The fix in qs@6.14.1 properly enforces the arrayLimit option for bracket notation. Please verify:
- All existing functionality continues to work as expected
- Query string parsing behaves identically for normal use cases
- Memory consumption is properly limited when parsing bracket notation arrays
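To make the third check concrete, here is an added example (written for this page, not code from the issue, from constructorio-node, or from the qs project) of a minimal bracket-notation query parser that enforces an arrayLimit the way the fix is expected to. The function names, the default limit of 20 and the constructed input are this example's own assumptions, not the qs API; the point is that each additional "a[]=" beyond the limit is refused instead of allocated, so the size of the request no longer dictates the size of the parsed structure.

```javascript
'use strict';

// Example default; chosen for the demonstration, not taken from qs.
const DEFAULT_ARRAY_LIMIT = 20;

// Parse "a[]=1&a[]=2&b=3" into { a: ['1', '2'], b: '3' }.
// Every "key[]=" occurrence beyond opts.arrayLimit is refused rather than
// appended, so one request cannot grow an array without bound. The number
// of refused elements is returned so a caller can log or alert on it.
function parseBracketQuery(query, opts = {}) {
  const arrayLimit = opts.arrayLimit ?? DEFAULT_ARRAY_LIMIT;
  // Null prototype: a key such as "__proto__" becomes a plain own property.
  const result = Object.create(null);
  const params = new URLSearchParams(query);
  let dropped = 0;

  for (const [rawKey, value] of params) {
    if (rawKey.endsWith('[]')) {
      const key = rawKey.slice(0, -2);
      if (!Array.isArray(result[key])) result[key] = [];
      if (result[key].length >= arrayLimit) {
        dropped += 1; // bound reached: refuse the allocation, keep counting
        continue;
      }
      result[key].push(value);
    } else {
      result[rawKey] = value; // scalar parameter, last occurrence wins
    }
  }
  return { result, dropped };
}

// Constructed input for the demonstration: n repetitions of "a[]=<i>", the
// shape of query string the issue describes. No network is involved.
function buildRepeatedBracketQuery(n) {
  return Array.from({ length: n }, (_, i) => `a[]=${i}`).join('&');
}

// Run a bounded parse over a large constructed query and report the sizes.
function demo(n, arrayLimit) {
  const { result, dropped } = parseBracketQuery(buildRepeatedBracketQuery(n), { arrayLimit });
  return { kept: result.a.length, dropped };
}
```

With demo(100000, 20) the parsed array holds 20 entries and 99980 repetitions are refused; a parser that ignored the limit would instead hold 100000 strings for this one request, which is the memory growth the CVE describes.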
Workaround
Until this is fixed, users can apply an npm override in their package.json:
"overrides": {
"qs": "6.14.1"
}
However, an official fix from the package maintainers is preferred to ensure compatibility and proper testing.
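An override only helps if every resolved copy of qs, including ones nested under a dependency's own node_modules, ends up at 6.14.1 or later. The following added example (not from the issue or the project) walks a package-lock.json in the lockfileVersion 2/3 layout and reports any qs entry still below the fixed version. The lockfile object and the nested-copy layout are constructed for the demonstration; the version comparison is numeric so that 6.14.1 correctly ranks above 6.9.7, which a plain string comparison gets wrong.

```javascript
'use strict';

const FIXED_QS_VERSION = '6.14.1';

function parseVersion(v) {
  return v.split('.').map(Number);
}

// Negative if a < b, 0 if equal, positive if a > b. Handles plain x.y.z
// versions, which is all a lockfile records for a resolved package.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i += 1) {
    const da = pa[i] || 0;
    const db = pb[i] || 0;
    if (da !== db) return da - db;
  }
  return 0;
}

// lockfile.packages keys look like "node_modules/qs" (top level) or
// "node_modules/<dep>/node_modules/qs" (a nested copy). Both must be checked.
function findOutdatedPackage(lockfile, name, fixed) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    const isTarget = path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`);
    if (isTarget && compareVersions(meta.version, fixed) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed lockfile: the top-level qs is fixed, but the dependency still
// carries its own nested qs@6.9.7, which is what the override is meant to replace.
const lockfileBeforeOverride = {
  lockfileVersion: 3,
  packages: {
    'node_modules/qs': { version: '6.14.1' },
    'node_modules/@constructor-io/constructorio-node': { version: '4.12.2' },
    'node_modules/@constructor-io/constructorio-node/node_modules/qs': { version: '6.9.7' },
  },
};

// Constructed lockfile after "overrides": { "qs": "6.14.1" } takes effect:
// the nested copy is gone and only the fixed top-level qs remains.
const lockfileAfterOverride = {
  lockfileVersion: 3,
  packages: {
    'node_modules/qs': { version: '6.14.1' },
    'node_modules/@constructor-io/constructorio-node': { version: '4.12.2' },
  },
};

function checkBefore() {
  return findOutdatedPackage(lockfileBeforeOverride, 'qs', FIXED_QS_VERSION);
}

function checkAfter() {
  return findOutdatedPackage(lockfileAfterOverride, 'qs', FIXED_QS_VERSION);
}
```

To run it against a real install, replace the constructed objects with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; an empty result from findOutdatedPackage is the condition to require in CI before considering the workaround applied.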
Additional Context
This issue was discovered through Snyk security scanning and is blocking our ability to maintain a secure application. We would appreciate an update to address this high-severity vulnerability.
Thank you for your attention to this security issue!