qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion

**Describe the bug**
The package `qs`'s arrayLimit bypass in its bracket notation allows DoS via memory exhaustion: https://github.com/advisories/GHSA-6rw7-vpxm-498p.

**To Reproduce**
Run the following:

`pnpm audit`

<img width="643" height="267" alt="Image" src="https://github.com/user-attachments/assets/5b8ea4b4-7070-44c4-82ab-008fd1604607" />

The issue is the version of `supertest` you are using. If you update [`supertest`](https://github.com/forwardemail/supertest/tree/master) to the latest version (v7.2.2), it contains the updated version of [`superagent`](https://github.com/forwardemail/superagent), which has the patched version of [`qs`](https://github.com/forwardemail/superagent/blob/3ef367619fbb2a8d07082238892ae12dafe4b0b0/package.json#L29).

**Expected behavior**
Vulnerable package is updated to patched version and vulnerability no longer exists.



Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion #1368

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion #1368

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions