@dreadwitdastacc-IFA

Updates

  • CVSS v3

Comments
```js
if (root === '[]' && options.parseArrays) {
    // Use currentArrayLength already calculated at line 147-151
    if (options.throwOnLimitExceeded && currentArrayLength >= options.arrayLimit) {
        throw new RangeError('Array limit exceeded. Only ' + options.arrayLimit + ' element' + (options.arrayLimit === 1 ? '' : 's') + ' allowed in an array.');
    }

    // If limit exceeded and not throwing, convert to object (consistent with indexed notation behavior)
    if (currentArrayLength >= options.arrayLimit) {
        obj = options.plainObjects ? { __proto__: null } : {};
        obj[currentArrayLength] = leaf;
    } else {
        obj = options.allowEmptyArrays && (leaf === '' || (options.strictNullHandling && leaf === null))
            ? []
            : utils.combine([], leaf);
    }
}
```
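
The limit check in the snippet above, modelled as a small stand-alone parser to show its three outcomes (array, `RangeError`, index-keyed object). This is an added example, not code from qs or from this PR; `parseBracketArrays`, its option defaults and the sample query are assumptions made for illustration.

```javascript
// Simplified model of the limit check quoted above; it is not qs's parser.
// Assumption: only flat `name[]=value` and `name=value` pairs are handled.
function parseBracketArrays(query, userOptions) {
    const options = Object.assign(
        { arrayLimit: 20, throwOnLimitExceeded: false, plainObjects: false },
        userOptions
    );
    const result = Object.create(null);

    for (const pair of query.split('&')) {
        if (pair === '') { continue; }
        const eq = pair.indexOf('=');
        const key = decodeURIComponent(eq === -1 ? pair : pair.slice(0, eq));
        const leaf = eq === -1 ? '' : decodeURIComponent(pair.slice(eq + 1).replace(/\+/g, ' '));
        if (!key.endsWith('[]')) { result[key] = leaf; continue; }

        const name = key.slice(0, -2);
        const existing = result[name];
        const isObj = existing !== null && typeof existing === 'object';
        // Count what this key already holds, as an array or as the
        // index-keyed object it was converted to after hitting the limit.
        const currentArrayLength = isObj ? Object.keys(existing).length : 0;

        if (currentArrayLength < options.arrayLimit) {
            result[name] = Array.isArray(existing) ? existing.concat(leaf) : [leaf];
            continue;
        }
        if (options.throwOnLimitExceeded) {
            throw new RangeError('Array limit exceeded. Only ' + options.arrayLimit
                + ' element' + (options.arrayLimit === 1 ? '' : 's') + ' allowed in an array.');
        }
        // Not throwing: stop growing the array and store by index in an object.
        let obj = existing;
        if (!isObj || Array.isArray(existing)) {
            obj = Object.assign(options.plainObjects ? Object.create(null) : {},
                isObj ? existing : {});
        }
        obj[currentArrayLength] = leaf;
        result[name] = obj;
    }
    return result;
}

// Constructed input: 25 repetitions of the same bracket-notation key.
const sample = Array.from({ length: 25 }, (_, i) => 'a[]=' + i).join('&');
```

With the example's default limit of 20, `parseBracketArrays(sample).a` ends up as an object with 25 index keys rather than an array, and the same input with `throwOnLimitExceeded: true` raises the `RangeError` on the 21st element.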

@github
Collaborator

github commented Jan 8, 2026

Hi there @ljharb! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.

Copilot AI review requested due to automatic review settings January 8, 2026 07:27
Copilot AI left a comment

Pull request overview

This PR updates a GitHub Security Advisory (GHSA-6rw7-vpxm-498p) for a denial-of-service vulnerability in the qs library by removing the CVSS v3 severity score while retaining the CVSS v4 score.

Key changes:

  • Removed CVSS v3.1 severity scoring from the advisory
  • Updated the modification timestamp to reflect the change

Author

@dreadwitdastacc-IFA dreadwitdastacc-IFA left a comment

bracket notation

@github-actions github-actions bot changed the base branch from main to dreadwitdastacc-IFA/advisory-improvement-6628 January 8, 2026 07:28
@JonathanLEvans JonathanLEvans added the invalid This doesn't seem right label Jan 8, 2026
@github-actions github-actions bot deleted the dreadwitdastacc-IFA-GHSA-6rw7-vpxm-498p branch January 8, 2026 15:10
Author

@dreadwitdastacc-IFA dreadwitdastacc-IFA left a comment

invalid
