CVE-2026-2391: qs Library DOS Vulnerability

CVE-2026-2391 Overview

CVE-2026-2391 is an input validation vulnerability in the qs query string parsing library that allows attackers to bypass the arrayLimit protection mechanism when the comma: true option is enabled. This bypass enables the creation of arbitrarily large arrays from a single HTTP parameter, leading to memory exhaustion and denial-of-service conditions.

The vulnerability exists because the limit check for arrayLimit (default: 20) and the optional throwOnLimitExceeded occur after the comma-handling logic in the parseArrayValue function. When comma parsing is enabled, the split(',') operation returns the array immediately, completely skipping the subsequent limit enforcement checks.

Critical Impact

Attackers can send a single parameter containing millions of commas (e.g., ?param=,,,,,,,,...), causing the application to allocate massive arrays in memory without triggering any limits, leading to denial-of-service via memory exhaustion.

Affected Products

• qs (query string parsing library) - versions prior to the security patch
• Node.js applications using qs with comma: true configuration
• Web frameworks and applications that depend on qs for query string parsing

Discovery Timeline

• February 12, 2026 - CVE-2026-2391 published to NVD
• February 12, 2026 - Last updated in NVD database

Technical Details for CVE-2026-2391

Vulnerability Analysis

This vulnerability represents a bypass of the array limit enforcement mechanism in the qs library, similar to the bracket notation bypass addressed in CVE-2025-15284. When the comma option is set to true (not the default, but configurable in applications), qs allows parsing comma-separated strings as arrays (e.g., ?param=a,b,c becomes ['a', 'b', 'c']).

The core issue lies in the execution order within lib/parse.js. The vulnerable code processes comma-separated values before enforcing the arrayLimit constraint, creating a logic flaw that can be exploited for denial-of-service attacks.

The vulnerability is classified under CWE-20 (Improper Input Validation), as the library fails to properly validate and limit input when processing comma-separated array values.

Root Cause

The root cause is an improper ordering of security checks in the parsing logic. The split(',') operation executes first and returns the resulting array immediately, completely bypassing the subsequent arrayLimit and throwOnLimitExceeded checks that were intended to protect against oversized arrays.

The vulnerable code in lib/parse.js (lines ~40-50) demonstrates this issue:

• First, the code checks if the value is a string containing commas
• It immediately returns the split array without any size validation
• The limit enforcement code that follows is never executed for comma-parsed values

Attack Vector

The attack vector is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by sending HTTP requests with query parameters containing extensive comma-separated values. A payload as simple as ?param= followed by millions of commas will cause the server to allocate a massive array in memory.

// Vulnerable code pattern in lib/parse.js (lines ~40-50)
if (val && typeof val === 'string' && options.comma && val.indexOf(',') > -1) {
    return val.split(',');  // Returns immediately, bypassing limit check
}

if (options.throwOnLimitExceeded && currentArrayLength >= options.arrayLimit) {
    throw new RangeError('Array limit exceeded. Only ' + options.arrayLimit + ' element' + (options.arrayLimit === 1 ? '' : 's') + ' allowed in an array.');
}

return val;

Source: CVE-2026-2391 Description

Detection Methods for CVE-2026-2391

Indicators of Compromise

• Sudden spikes in server memory usage correlating with incoming HTTP requests
• Application crashes or out-of-memory errors in Node.js processes handling query string parsing
• HTTP access logs showing unusually long query strings with repeated comma characters
• Process monitoring alerts indicating memory exhaustion in web application workers

Detection Strategies

• Monitor for HTTP requests with abnormally large query string parameters containing extensive comma sequences
• Implement application-level logging to track qs parsing operations and flag oversized array creations
• Deploy web application firewall (WAF) rules to detect and block requests with excessive comma-separated values in parameters
• Use runtime application self-protection (RASP) solutions to monitor memory allocation patterns during request processing

Monitoring Recommendations

• Configure alerting thresholds for memory utilization spikes in Node.js application servers
• Implement request size limits at the load balancer or reverse proxy level
• Enable detailed logging for query string parsing operations to identify potential exploitation attempts
• Monitor application error logs for RangeError exceptions related to array limits, which may indicate attempted attacks

How to Mitigate CVE-2026-2391

Immediate Actions Required

• Update the qs library to the patched version that includes the security fix
• Review application configurations to identify instances where comma: true is enabled
• Implement request validation middleware to limit query string parameter lengths
• Consider disabling the comma option if it is not a required feature for your application

Patch Information

A security patch has been released that enforces arrayLimit on comma-parsed values. The fix adds proper limit checking immediately after comma-separated values are split into arrays, ensuring consistent enforcement regardless of the parsing method used.

For detailed patch information, refer to the GitHub Commit Details and the GitHub Security Advisory.

Workarounds

• Disable the comma: true option if comma-separated array parsing is not required for your application
• Implement middleware to validate and reject requests with excessively long query string parameters before they reach the qs parser
• Configure web server or reverse proxy limits on query string length to prevent oversized requests from reaching the application
• Use application-level rate limiting to reduce the impact of potential DoS attempts

// Security patch in lib/parse.js - enforces arrayLimit on comma-parsed values
            val = isArray(val) ? [val] : val;
        }

+        if (options.comma && isArray(val) && val.length > options.arrayLimit) {
+            if (options.throwOnLimitExceeded) {
+                throw new RangeError('Array limit exceeded. Only ' + options.arrayLimit + ' element' + (options.arrayLimit === 1 ? '' : 's') + ' allowed in an array.');
+            }
+            val = utils.combine([], val, options.arrayLimit, options.plainObjects);
+        }

        if (key !== null) {
            var existing = has.call(obj, key);
            if (existing && options.duplicates === 'combine') {

Source: GitHub Commit