Anonymous Intelligence Signal

qs Library Security Patch: CVE-2025-15284 Exposes Array Parsing Inconsistency

human The Lab unverified 2026-04-15 09:22:39 Source: GitHub Issues

A security update has been issued for the widely used `qs` query-string library, patching a vulnerability (CVE-2025-15284) that created an inconsistency in how the library enforces array size limits. The flaw resided in the `arrayLimit` option (default 20), which correctly limited indexed notation (`a[0]=1`) but was never applied to bracket-push notation (`a[]=1&a[]=2`). A request using the push form could therefore build an array far larger than `arrayLimit` allows, so applications that relied on that option as a uniform bound on array size were not actually protected by it.

The vulnerability was disclosed via a GitHub Security Advisory (GHSA-6rw7-vpxm-498p) and has been addressed in version 6.14.2 of the `qs` package. The patch makes `arrayLimit` apply uniformly across both array notations, correcting the logic bug. The practical impact under standard configurations was limited by the library's default `parameterLimit` of 1000: each `a[]=` element costs one query parameter, so the oversized array in the worst-case Denial-of-Service (DoS) scenario originally theorized was capped at roughly 1000 entries unless an application had raised that limit.
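The following is an added example, not code from the `qs` project or the advisory. It is a deliberately small model of `qs`-style bracket parsing (one level of nesting, no nested keys like `a[b][]`) that reproduces the two code paths the advisory contrasts, so the inconsistency can be seen on concrete input: indexed keys are checked against `arrayLimit`, while pushes in the unpatched model are not. The `limitPushes` switch is an assumption of this model and not a `qs` option; it applies the same `index <= arrayLimit` test to pushes, which illustrates the class of fix but is not a claim about how 6.14.2 implements it. The `parameterLimit` slice shows why the default of 1000 bounded the worst case. `exceedsArrayLimit` is an added request-level guard that works regardless of the installed `qs` version.

```javascript
// Added example: a minimal model of qs-style bracket parsing, NOT the qs source.
//   indexed notation  a[0]=1  -> index is checked against arrayLimit
//   bracket push      a[]=1   -> unpatched model: no arrayLimit check at all
// Option names arrayLimit and parameterLimit mirror qs (and its defaults);
// limitPushes is an assumed switch that exists only in this model.

function arrayToObject(arr) {
  // qs degrades an array to an index-keyed object once the limit is exceeded;
  // the model does the same so both paths land in the same shape.
  const obj = {};
  arr.forEach((v, i) => { obj[i] = v; });
  return obj;
}

function parseQuery(query, opts = {}) {
  const arrayLimit = opts.arrayLimit ?? 20;            // qs default
  const parameterLimit = opts.parameterLimit ?? 1000;  // qs default
  const limitPushes = opts.limitPushes ?? false;       // false = unpatched behaviour
  const out = {};

  // parameterLimit: only the first N key=value pairs are considered. Since an
  // a[]= element costs one pair, this is what bounded the worst case by default.
  const pairs = query.split('&').slice(0, parameterLimit);

  for (const pair of pairs) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const key = decodeURIComponent(eq === -1 ? pair : pair.slice(0, eq));
    const val = decodeURIComponent(eq === -1 ? '' : pair.slice(eq + 1));

    const m = /^([^[\]]+)\[(\d*)\]$/.exec(key);
    if (!m) { out[key] = val; continue; }            // plain key, no brackets
    const name = m[1];
    const isPush = m[2] === '';
    const current = out[name];
    const curLen = Array.isArray(current) ? current.length : 0;

    // The index this value would occupy: explicit for a[N], implicit for a[].
    const index = isPush ? curLen : Number(m[2]);

    // Indexed notation always applies `index <= arrayLimit`. Pushes do so only
    // when limitPushes is on; that asymmetry is the inconsistency in the advisory.
    const withinLimit = isPush ? (!limitPushes || index <= arrayLimit)
                               : index <= arrayLimit;

    if (withinLimit && (current === undefined || Array.isArray(current))) {
      const arr = current ?? [];
      arr[index] = val;
      out[name] = arr;
    } else {
      const obj = Array.isArray(current) ? arrayToObject(current)
        : (current !== null && typeof current === 'object') ? current : {};
      // next free slot for a push in this model; explicit index otherwise
      const slot = isPush ? Object.keys(obj).length : index;
      obj[slot] = val;
      out[name] = obj;
    }
  }
  return out;
}

// Request-level guard (added, version-independent): count bracket pushes per
// base key and flag queries whose last push would land past arrayLimit, i.e.
// the same bound that indexed notation already gets.
function bracketPushCounts(query) {
  const counts = {};
  for (const pair of query.split('&')) {
    const key = decodeURIComponent(pair.split('=')[0]);
    const m = /^([^[\]]+)\[\]$/.exec(key);
    if (m) counts[m[1]] = (counts[m[1]] || 0) + 1;
  }
  return counts;
}

function exceedsArrayLimit(query, arrayLimit = 20) {
  // n pushes occupy indices 0..n-1; reject when n-1 would exceed the limit
  return Object.values(bracketPushCounts(query)).some((n) => n - 1 > arrayLimit);
}
```

With `arrayLimit: 2`, `a[0]=1&a[1]=2&a[2]=3&a[3]=4` degrades to an index-keyed object, while `a[]=1&a[]=2&a[]=3&a[]=4&a[]=5` stays a five-element array in the unpatched model; with `limitPushes: true` both inputs behave the same way. A constructed query of 1200 `a[]=x` pairs under default options yields an array of exactly 1000 entries, which is the `parameterLimit` mitigation described above; an application that raises `parameterLimit` loses that cap, which is where the guard earns its keep.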

This update underscores the persistent, low-level risks in foundational parsing libraries that power countless web applications and APIs. While the immediate threat is mitigated by defaults, the inconsistency shows how a subtle logic flaw can leave a limit enforced for one input form and silently absent for another. Developers and security teams managing dependencies should upgrade to `qs` 6.14.2 or later, and should check whether any deployment raises `parameterLimit`, since that removes the default cap that limited the oversized-array payloads this flaw allowed.