CVE-2026-2391: Death by a Thousand Commas: Deep Dive into CVE-2026-2391
Source: Dev.to
Vulnerability ID: CVE-2026-2391
CVSS Score: 6.3
Published: 2026-02-12
A logic flaw in the popular Node.js qs library allows attackers to bypass array limits when the comma parsing option is enabled. By sending a crafted query string containing thousands of commas, an unauthenticated attacker can force the application to allocate massive arrays, leading to memory exhaustion and a Denial of Service (DoS). This vulnerability highlights the dangers of “return early” patterns in input‑validation logic.
TL;DR
The qs library (used by Express.js) ignores arrayLimit when parsing comma‑separated values (?a=1,2,3…). Attackers can trigger OOM crashes by sending massive comma strings. Fixed in 6.14.2.
⚠️ Exploit Status: POC
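To make the "return early" flaw concrete, here is an added example (not code from the qs project or from this article) that models the comma handling in two shapes: the vulnerable one, which hands back the split result before ever looking at arrayLimit, and a checked one that refuses to return an over-limit array. The function names, the tiny stand-in query parser and the overflow policy (keep the raw string) are assumptions made for this example; qs's real internals differ.

```javascript
// Added example, not code from the qs project: a minimal model of the comma
// handling described above, in the vulnerable "return early" shape and in a
// shape that consults arrayLimit before handing back an array. Names and the
// overflow policy (keep the raw string) are assumptions made for this example.

const DEFAULT_ARRAY_LIMIT = 20; // qs's documented default for arrayLimit

// Vulnerable shape: the split result is returned as soon as it exists, so
// options.arrayLimit is never consulted and the array is one cell longer
// than the number of commas in the input, however many there are.
function splitCommaUnchecked(val, options) {
  return val.split(',');
}

// Checked shape: build the split, compare it against the limit, and never
// return an over-limit array. Returning the raw string on overflow is an
// assumed policy; the property that matters is that the caller cannot
// obtain an array longer than arrayLimit from a comma list.
function splitCommaChecked(val, options = {}) {
  const limit = Number.isInteger(options.arrayLimit) ? options.arrayLimit : DEFAULT_ARRAY_LIMIT;
  const values = val.split(',');
  return values.length > limit ? val : values;
}

// Tiny flat key=value parser wired to either splitter, standing in for
// qs.parse(str, { comma: true }). Bracket notation is deliberately not
// handled; this example only needs the comma path.
function parseQuery(rawQuery, options = {}, splitComma = splitCommaChecked) {
  const out = {};
  for (const [key, value] of new URLSearchParams(rawQuery)) {
    out[key] = value.includes(',') ? splitComma(value, options) : value;
  }
  return out;
}

// Total number of array cells a parsed query holds, i.e. the quantity an
// attacker is trying to inflate with a long comma string.
function arrayCells(parsed) {
  return Object.values(parsed).reduce((n, v) => n + (Array.isArray(v) ? v.length : 0), 0);
}

// Constructed inputs: a normal CSV-style parameter and a hostile one made of
// nothing but commas.
const benign = 'a=1,2,3&b=x';
const hostile = 'a=' + ','.repeat(1000);

console.log(parseQuery(benign));                                        // { a: ['1','2','3'], b: 'x' }
console.log(arrayCells(parseQuery(hostile, {}, splitCommaUnchecked)));  // 1001 cells allocated
console.log(arrayCells(parseQuery(hostile, {}, splitCommaChecked)));    // 0, the string is kept as-is
```

The last two lines are the whole bug in miniature: with the unchecked splitter the array grows linearly with the comma count and arrayLimit is irrelevant, while the checked splitter caps what a single parameter can allocate at the configured limit.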
Technical Details
- CWE: CWE‑20 / CWE‑770
- CVSS v4.0: 6.3 (Medium)
- Attack Vector: Network (Remote)
- Privileges Required: None
- Impact: Denial of Service (Memory Exhaustion)
- EPSS Score: 0.00049 (~0.05%)
Affected Systems
- Node.js applications using qs
- Express.js applications (if using qs with custom configuration)
- APIs parsing CSV‑style query parameters
Affected versions: qs ≤ 6.14.1
Fixed in: qs 6.14.2
Code Analysis
Commit: f6a7abf – Fix ensures comma: true respects arrayLimit.
diff --git a/lib/parse.js b/lib/parse.js
index ...
--- a/lib/parse.js
+++ b/lib/parse.js
@@ -40,7 +40,11 @@
- return val.split(',');
+ var values = val.split(',');
+ if (values.length > options.arrayLimit) {
+ // enforcement logic
+ }
+ return values;
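Review bot: the `if (values.length > options.arrayLimit)` block contains only the `// enforcement logic` comment and no statements, so as displayed the hunk still reaches `return values;` for every input and enforces nothing; the limit handling has to live inside that block, or the over-limit case has to leave the function before the final return. `options.arrayLimit` is also compared without a local default, so a caller passing `{ comma: true }` alone would compare against `undefined` (always false) unless the option is normalized earlier in parse.js. Finally, the header `@@ -40,7 +40,11 @@` announces seven old-side lines, but only the single `-` line is shown with no context lines, so the hunk as quoted will not apply cleanly.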
Exploit Details
- Internal Research: PoC demonstrating memory spike with comma‑separated values
Mitigation Strategies
- Upgrade the qs library to version 6.14.2 or later.
- Disable the comma parsing option if it is not strictly required.
- Implement WAF rules to limit query‑string length.
- Add strict input validation on parameter length before parsing.
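As an added example of the last mitigation (validating parameter length before parsing), this is a pre-parse guard for raw query strings; it is not code from the qs project or from this article. It rejects a query string that is too long or that carries too many commas in any single value, without building an array at all, and wraps an existing parse function so the check runs first. The limits, the reason strings, `guardRawQuery`, `makeGuardedParser` and the stub parser used in place of qs.parse are all assumptions made for this example.

```javascript
// Added example, not the qs project's own code: a pre-parse guard for raw
// query strings. Limits, reason strings and function names are assumptions.

const DEFAULT_LIMITS = {
  maxQueryLength: 2048,   // reject oversized query strings outright
  maxCommasPerValue: 20,  // mirrors qs's default arrayLimit of 20
};

// Returns { ok: true } or { ok: false, reason, param }. No array is built
// from the comma list: commas are counted with indexOf and the scan stops
// as soon as the limit is exceeded, so the check stays cheap on hostile input.
function guardRawQuery(rawQuery, limits = {}) {
  const cfg = { ...DEFAULT_LIMITS, ...limits };
  if (typeof rawQuery !== 'string') {
    return { ok: false, reason: 'not_a_string' };
  }
  if (rawQuery.length > cfg.maxQueryLength) {
    return { ok: false, reason: 'query_too_long' };
  }
  // URLSearchParams percent-decodes values, so an encoded %2C counts as a
  // comma here just as it would after the parser's own decoding step.
  for (const [param, value] of new URLSearchParams(rawQuery)) {
    let commas = 0;
    for (let i = value.indexOf(','); i !== -1; i = value.indexOf(',', i + 1)) {
      commas += 1;
      if (commas > cfg.maxCommasPerValue) {
        return { ok: false, reason: 'too_many_commas', param };
      }
    }
  }
  return { ok: true };
}

// Wraps a parse function (qs.parse in a real deployment) so the guard runs
// before any parsing happens. Rejected input throws; what the surrounding
// framework turns that into (typically a 400) is left to its error handling.
function makeGuardedParser(parseFn, limits = {}) {
  return function guardedParse(rawQuery) {
    const verdict = guardRawQuery(rawQuery, limits);
    if (!verdict.ok) {
      const where = verdict.param ? ` in parameter "${verdict.param}"` : '';
      throw new Error(`query rejected: ${verdict.reason}${where}`);
    }
    return parseFn(rawQuery);
  };
}

// Stub parser standing in for qs.parse so the example runs without the
// library installed; it does no comma splitting of its own.
function stubParse(rawQuery) {
  return Object.fromEntries(new URLSearchParams(rawQuery));
}

// Constructed inputs: a normal request and two hostile ones.
const parse = makeGuardedParser(stubParse);
console.log(parse('a=1,2,3&b=x'));                       // { a: '1,2,3', b: 'x' }
console.log(guardRawQuery('a=' + ','.repeat(500)));      // { ok: false, reason: 'too_many_commas', param: 'a' }
console.log(guardRawQuery('a=' + '%2C'.repeat(30)));     // { ok: false, reason: 'too_many_commas', param: 'a' }
```

Express's `query parser` setting accepts a function, so a guarded parser built this way can be installed there and run before any route sees `req.query`; the comma budget should match whatever arrayLimit the application actually relies on, and the WAF length rule from the list above is the coarse first line in front of it.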
Remediation Steps
- Check the current version: npm list qs
- Update the package: npm install qs@latest
- Audit code for usages of qs.parse(str, { comma: true }).
- Verify the fix by running the PoC script against the updated version.