core-3.9.2.tgz: 2 vulnerabilities (highest severity is: 7.5) #1781
Description
Vulnerable Library - core-3.9.2.tgz
Path to dependency file: /docs/package.json
Path to vulnerable library: /docs/node_modules/qs/package.json
Found in HEAD commit: a2d6c62928d2d24f80ca24f3ad0e546aa38b49b7
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Dependency | Type | Fixed in (core version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2025-15284 |  High |
7.5 | qs-6.13.0.tgz | Transitive | N/A* | ❌ |
| CVE-2025-13465 | High |
7.2 | lodash-4.17.21.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2025-15284
Vulnerable Library - qs-6.13.0.tgz
Library home page: https://registry.npmjs.org/qs/-/qs-6.13.0.tgz
Path to dependency file: /docs/package.json
Path to vulnerable library: /docs/node_modules/qs/package.json
Dependency Hierarchy:
- core-3.9.2.tgz (Root Library)
- webpack-dev-server-5.2.2.tgz
- express-4.21.2.tgz
- ❌ qs-6.13.0.tgz (Vulnerable Library)
- express-4.21.2.tgz
- webpack-dev-server-5.2.2.tgz
Found in HEAD commit: a2d6c62928d2d24f80ca24f3ad0e546aa38b49b7
Found in base branch: main
Vulnerability Details
Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS.This issue affects qs: < 6.14.1.
SummaryThe arrayLimit option in qs does not enforce limits for bracket notation (a[]=1&a[]=2), allowing attackers to cause denial-of-service via memory exhaustion. Applications using arrayLimit for DoS protection are vulnerable.
DetailsThe arrayLimit option only checks limits for indexed notation (a[0]=1&a[1]=2) but completely bypasses it for bracket notation (a[]=1&a[]=2).
Vulnerable code (lib/parse.js:159-162):
if (root === '[]' && options.parseArrays) {
obj = utils.combine([], leaf); // No arrayLimit check
}
Working code (lib/parse.js:175):
else if (index <= options.arrayLimit) { // Limit checked here
obj = [];
obj[index] = leaf;
}
The bracket notation handler at line 159 uses utils.combine([], leaf) without validating against options.arrayLimit, while indexed notation at line 175 checks index <= options.arrayLimit before creating arrays.
PoCTest 1 - Basic bypass:
npm install qs
const qs = require('qs');
const result = qs.parse('a[]=1&a[]=2&a[]=3&a[]=4&a[]=5&a[]=6', { arrayLimit: 5 });
console.log(result.a.length); // Output: 6 (should be max 5)
Test 2 - DoS demonstration:
const qs = require('qs');
const attack = 'a[]=' + Array(10000).fill('x').join('&a[]=');
const result = qs.parse(attack, { arrayLimit: 100 });
console.log(result.a.length); // Output: 10000 (should be max 100)
Configuration:
- arrayLimit: 5 (test 1) or arrayLimit: 100 (test 2)
- Use bracket notation: a[]=value (not indexed a[0]=value)
ImpactDenial of Service via memory exhaustion. Affects applications using qs.parse() with user-controlled input and arrayLimit for protection.
Attack scenario: - Attacker sends HTTP request: GET /api/search?filters[]=x&filters[]=x&...&filters[]=x (100,000+ times)
- Application parses with qs.parse(query, { arrayLimit: 100 })
- qs ignores limit, parses all 100,000 elements into array
- Server memory exhausted → application crashes or becomes unresponsive
- Service unavailable for all users
Real-world impact: - Single malicious request can crash server
- No authentication required
- Easy to automate and scale
- Affects any endpoint parsing query strings with bracket notation
Publish Date: 2025-12-29
URL: CVE-2025-15284
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-6rw7-vpxm-498p
Release Date: 2025-12-29
Fix Resolution: qs - 6.14.1,qs - 6.14.1,https://github.com/ljharb/qs.git - v6.14.1
Step up your Open Source Security Game with Mend here
CVE-2025-13465
Vulnerable Library - lodash-4.17.21.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz
Path to dependency file: /docs/package.json
Path to vulnerable library: /docs/node_modules/lodash/package.json
Dependency Hierarchy:
- core-3.9.2.tgz (Root Library)
- ❌ lodash-4.17.21.tgz (Vulnerable Library)
Found in HEAD commit: a2d6c62928d2d24f80ca24f3ad0e546aa38b49b7
Found in base branch: main
Vulnerability Details
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.
The issue permits deletion of properties but does not allow overwriting their original behavior.
This issue is patched on 4.17.23
Publish Date: 2026-01-21
URL: CVE-2025-13465
CVSS 3 Score Details (7.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-xxjr-mmjv-4gpg
Release Date: 2026-01-21
Fix Resolution: lodash-amd - 4.17.23,lodash - 4.17.23,lodash-es - 4.17.23
Step up your Open Source Security Game with Mend here