[GHSA-6rw7-vpxm-498p] qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion#6613
Conversation
|
Hi there @ljharb! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory |
github-actions
Bot
changed the base branch from
main
to
rizwan-saddal/advisory-improvement-6613
There was a problem hiding this comment.
Pull request overview
This PR updates the security advisory for CVE-2025-15284, which addresses a DoS vulnerability in the qs library where the arrayLimit option fails to enforce limits for bracket notation. The change removes CVSS v3 scoring while retaining CVSS v4 scoring, and updates the modification timestamp.
- Removes CVSS v3 severity scoring
- Updates the modification timestamp to reflect the change
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
Hi @rizwan-saddal, Could you clarify the change you are suggesting? |
|
This PR updates the security advisory for GHSA-6rw7-vpxm-498p, which addresses a DoS vulnerability in the qs library where the arrayLimit option fails to enforce limits for bracket notation. The change removes CVSS v3 scoring while retaining CVSS v4 scoring, and updates the modification timestamp. Removes CVSS v3 severity scoring |
|
right, but why? as i said above, i included both scores intentionally. They're both meant to be there. |
|
Thanks for notifying, closing the pull request |
Updates
Comments
qs patch to avoid any vulnerability