{"id":"UBUNTU-CVE-2026-2391","details":"### Summary The `arrayLimit` option in qs does not enforce limits for comma-separated values when `comma: true` is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar to the bracket notation bypass addressed in GHSA-6rw7-vpxm-498p (CVE-2025-15284). ### Details When the `comma` option is set to `true` (not the default, but configurable in applications), qs allows parsing comma-separated strings as arrays (e.g., `?param=a,b,c` becomes `['a', 'b', 'c']`). However, the limit check for `arrayLimit` (default: 20) and the optional throwOnLimitExceeded occur after the comma-handling logic in `parseArrayValue`, enabling a bypass. This permits creation of arbitrarily large arrays from a single parameter, leading to excessive memory allocation. **Vulnerable code** (lib/parse.js: lines ~40-50): ```js if (val && typeof val === 'string' && options.comma && val.indexOf(',') \u003e -1) {     return val.split(','); } if (options.throwOnLimitExceeded && currentArrayLength \u003e= options.arrayLimit) {     throw new RangeError('Array limit exceeded. Only ' + options.arrayLimit + ' element' + (options.arrayLimit === 1 ? '' : 's') + ' allowed in an array.'); } return val; ``` The `split(',')` returns the array immediately, skipping the subsequent limit check. Downstream merging via `utils.combine` does not prevent allocation, even if it marks overflows for sparse arrays.This discrepancy allows attackers to send a single parameter with millions of commas (e.g., `?param=,,,,,,,,...`), allocating massive arrays in memory without triggering limits. It bypasses the intent of `arrayLimit`, which is enforced correctly for indexed (`a[0]=`) and bracket (`a[]=`) notations (the latter fixed in v6.14.1 per GHSA-6rw7-vpxm-498p). ### PoC **Test 1 - Basic bypass:** ``` npm install qs ``` ```js const qs = require('qs'); const payload = 'a=' + ','.repeat(25);  // 26 elements after split (bypasses arrayLimit: 5) const options = { comma: true, arrayLimit: 5, throwOnLimitExceeded: true }; try {   const result = qs.parse(payload, options);   console.log(result.a.length);  // Outputs: 26 (bypass successful) } catch (e) {   console.log('Limit enforced:', e.message);  // Not thrown } ``` **Configuration:** - `comma: true` - `arrayLimit: 5` - `throwOnLimitExceeded: true` Expected: Throws \"Array limit exceeded\" error. Actual: Parses successfully, creating an array of length 26. ### Impact Denial of Service (DoS) via memory exhaustion.","modified":"2026-03-19T10:38:39.417904Z","published":"2026-02-12T05:17:00Z","upstream":["CVE-2026-2391"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-2391"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2026-2391"},{"type":"REPORT","url":"https://github.com/ljharb/qs/security/advisories/GHSA-w7fw-mjwx-w883"},{"type":"REPORT","url":"https://github.com/ljharb/qs/commit/f6a7abff1f13d644db9b05fe4f2c98ada6bf8482"}],"affected":[{"package":{"name":"node-qs","ecosystem":"Ubuntu:Pro:14.04:LTS","purl":"pkg:deb/ubuntu/node-qs@0.6.5-1ubuntu0.1~esm1?arch=source&distro=esm-infra-legacy/trusty"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["0.4.2-1","0.6.5-1","0.6.5-1ubuntu0.1~esm1"],"ecosystem_specific":{"binaries":[{"binary_version":"0.6.5-1ubuntu0.1~esm1","binary_name":"node-qs"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-2391.json"}},{"package":{"name":"node-qs","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/node-qs@2.2.4-1?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.2.4-1"],"ecosystem_specific":{"binaries":[{"binary_version":"2.2.4-1","binary_name":"node-qs"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-2391.json"}},{"package":{"name":"node-qs","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/node-qs@2.2.4-1ubuntu1?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.2.4-1","2.2.4-1ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_version":"2.2.4-1ubuntu1","binary_name":"node-qs"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-2391.json"}},{"package":{"name":"node-qs","ecosystem":"Ubuntu:Pro:20.04:LTS","purl":"pkg:deb/ubuntu/node-qs@6.9.1+ds-1ubuntu0.1~esm1?arch=source&distro=esm-apps/focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["6.5.2-1","6.9.0+ds-1","6.9.1+ds-1","6.9.1+ds-1ubuntu0.1~esm1"],"ecosystem_specific":{"binaries":[{"binary_version":"6.9.1+ds-1ubuntu0.1~esm1","binary_name":"node-qs"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-2391.json"}},{"package":{"name":"node-qs","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/node-qs@6.10.3+ds+~6.9.7-1?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["6.9.4+ds-1","6.10.1+ds-1","6.10.2+ds+~6.9.7-1","6.10.3+ds+~6.9.7-1"],"ecosystem_specific":{"binaries":[{"binary_version":"6.10.3+ds+~6.9.7-1","binary_name":"node-qs"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-2391.json"}},{"package":{"name":"node-qs","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/node-qs@6.11.0+ds+~6.9.7-4?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["6.11.0+ds+~6.9.7-3","6.11.0+ds+~6.9.7-4"],"ecosystem_specific":{"binaries":[{"binary_version":"6.11.0+ds+~6.9.7-4","binary_name":"node-qs"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-2391.json"}},{"package":{"name":"node-qs","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/node-qs@6.13.0+ds+~6.9.16-1?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["6.13.0+ds+~6.9.16-1"],"ecosystem_specific":{"binaries":[{"binary_version":"6.13.0+ds+~6.9.16-1","binary_name":"node-qs"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-2391.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"type":"Ubuntu","score":"medium"}]}