SCA: security update for qs (GHSA-w7fw-mjwx-w883)

medium Tenable Self-Hosted Container Security Plugin ID 437712

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- ### Summary The `arrayLimit` option in qs does not enforce limits for comma-separated values when `comma:
true` is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of
the array limit enforcement, similar to the bracket notation bypass addressed in GHSA-6rw7-vpxm-498p
(CVE-2025-15284). ### Details When the `comma` option is set to `true` (not the default, but configurable
in applications), qs allows parsing comma-separated strings as arrays (e.g., `?param=a,b,c` becomes `['a',
'b', 'c']`). However, the limit check for `arrayLimit` (default: 20) and the optional throwOnLimitExceeded
occur after the comma-handling logic in `parseArrayValue`, enabling a bypass. This permits creation of
arbitrarily large arrays from a single parameter, leading to excessive memory allocation. **Vulnerable
code** (lib/parse.js: lines ~40-50): ```js if (val && typeof val === 'string' && options.comma &&
val.indexOf(',') > -1) { return val.split(','); } if (options.throwOnLimitExceeded && currentArrayLength
>= options.arrayLimit) { throw new RangeError('Array limit exceeded. Only ' + options.arrayLimit + '
element' + (options.arrayLimit === 1 ? '' : 's') + ' allowed in an array.'); } return val; ``` The
`split(',')` returns the array immediately, skipping the subsequent limit check. Downstream merging via
`utils.combine` does not prevent allocation, even if it marks overflows for sparse arrays.This discrepancy
allows attackers to send a single parameter with millions of commas (e.g., `?param=,,,,,,,,...`),
allocating massive arrays in memory without triggering limits. It bypasses the intent of `arrayLimit`,
which is enforced correctly for indexed (`a[0]=`) and bracket (`a[]=`) notations (the latter fixed in
v6.14.1 per GHSA-6rw7-vpxm-498p). ### PoC **Test 1 - Basic bypass:** ``` npm install qs ``` ```js const qs
= require('qs'); const payload = 'a=' + ','.repeat(25); // 26 elements after split (bypasses arrayLimit:
5) const options = { comma: true, arrayLimit: 5, throwOnLimitExceeded: true }; try { const result =
qs.parse(payload, options); console.log(result.a.length); // Outputs: 26 (bypass successful) } catch (e) {
console.log('Limit enforced:', e.message); // Not thrown } ``` **Configuration:** - `comma: true` -
`arrayLimit: 5` - `throwOnLimitExceeded: true` Expected: Throws "Array limit exceeded" error. Actual:
Parses successfully, creating an array of length 26. ### Impact Denial of Service (DoS) via memory
exhaustion. (CVE-2026-2391)

See Also

https://github.com/advisories/GHSA-w7fw-mjwx-w883

Plugin Details

Severity: Medium

ID: 437712

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 2/12/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 94.39

Vendor

Vendor Severity: Low

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2026-2391

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 6.3

Threat Score: 2.9

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/12/2026

Vulnerability Publication Date: 2/12/2026

Reference Information

CVE: CVE-2026-2391

cwe: CWE-20