CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-2391: Death by a Thousand Commas: Deep Dive into CVE-2026-2391

Vulnerability ID: CVE-2026-2391
CVSS Score: 6.3
Published: 2026-02-12

A logic flaw in the popular Node.js qs library allows attackers to bypass the arrayLimit option when comma parsing is enabled. By sending a crafted query string containing thousands of commas, an unauthenticated attacker can force the application to allocate very large arrays, leading to memory exhaustion and a Denial of Service (DoS). This vulnerability highlights the dangers of early-return patterns in input validation logic: the comma branch returned its result before the limit check ever ran.

TL;DR

The qs library (used by Express.js) ignores arrayLimit when parsing comma-separated values (?a=1,2,3...) with the comma option enabled. Attackers can trigger out-of-memory crashes by sending query values made of huge numbers of commas. Fixed in 6.14.2.

⚠️ Exploit Status: PoC

Technical Details

  • CWE: CWE-20 / CWE-770
  • CVSS v4.0: 6.3 (Medium)
  • Attack Vector: Network (Remote)
  • Privileges: None
  • Impact: Denial of Service (Memory Exhaustion)
  • EPSS Score: 0.00049 (~0.05%)

Affected Systems

  • Node.js applications using qs
  • Express.js applications (if using qs with custom configuration)
  • APIs parsing CSV-style query parameters
  • qs: <= 6.14.1 (Fixed in: 6.14.2)

Code Analysis

Commit: f6a7abf

Fix: ensure comma: true respects arrayLimit

diff --git a/lib/parse.js b/lib/parse.js
index ...
--- a/lib/parse.js
+++ b/lib/parse.js
@@ -40,7 +40,11 @@
-        return val.split(',');
+        var values = val.split(',');
+        if (values.length > options.arrayLimit) {
+            // enforcement logic
+        }
+        return values;
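Review bot: the `if (values.length > options.arrayLimit)` branch contains only the placeholder comment `// enforcement logic` and no statement, so the hunk as printed still returns the full split array and enforces nothing; the branch needs a concrete action (truncate to `options.arrayLimit`, keep `val` as a single string, or throw when the caller has opted into strict limit handling), and the page should reproduce the actual body from commit f6a7abf rather than a stub. The header `@@ -40,7 +40,11 @@` also promises unchanged context lines that are not shown, and `index ...` is elided, so the hunk cannot be applied as displayed.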

Mitigation Strategies

  • Upgrade qs library to version 6.14.2+
  • Disable the comma parsing option (comma: true) unless it is strictly required
  • Implement WAF rules to limit query string length
  • Implement strict input validation on parameter length and comma count before parsing
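
A pre-parse guard of the kind the last two bullets call for, written here as an added example (not qs's own code): it counts how many elements a comma split would produce before allocating anything, decodes values first because qs does, and refuses to split past arrayLimit. The function names, the default limit of 20 and the sample queries are this example's assumptions.

```javascript
// Added example, not qs's own code. qs documents arrayLimit with a default
// of 20; the fallback chosen below (refuse to split and keep the raw string)
// is this example's choice, not a claim about what qs 6.14.2 does.
const DEFAULT_ARRAY_LIMIT = 20;

// qs percent-decodes a value before splitting on commas, so a guard that
// counts commas must decode too, or "%2C" would slip past it.
function decodeValue(raw) {
  try { return decodeURIComponent(raw.replace(/\+/g, ' ')); } catch (e) { return raw; }
}

// Number of elements a comma split would produce, computed without
// allocating the array: commas + 1.
function commaElementCount(val) {
  let count = 1;
  for (let i = 0; i < val.length; i++) {
    if (val.charCodeAt(i) === 0x2c) count++;
  }
  return count;
}

// Split a single value only when the result stays within arrayLimit.
function safeCommaSplit(val, arrayLimit = DEFAULT_ARRAY_LIMIT) {
  if (typeof val !== 'string' || val.indexOf(',') === -1) {
    return { ok: true, value: val };
  }
  if (commaElementCount(val) > arrayLimit) {
    return { ok: false, reason: 'arrayLimit exceeded', value: val };
  }
  return { ok: true, value: val.split(',') };
}

// Pre-parse guard over a raw query string: returns the first key whose value
// would exceed arrayLimit, or null when the query is safe to hand to qs.parse.
function findOversizedCommaValue(rawQuery, arrayLimit = DEFAULT_ARRAY_LIMIT) {
  for (const pair of rawQuery.replace(/^\?/, '').split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const key = eq === -1 ? pair : pair.slice(0, eq);
    const val = eq === -1 ? '' : pair.slice(eq + 1);
    if (commaElementCount(decodeValue(val)) > arrayLimit) return decodeValue(key);
  }
  return null;
}

// Constructed sample inputs: a benign CSV-style parameter and one that would
// expand to 101 elements, well beyond the default limit of 20.
const BENIGN_QUERY = '?ids=1,2,3&name=x';
const OVERSIZED_QUERY = '?a=' + ','.repeat(100) + '&b=1%2C2';
```

Run findOversizedCommaValue on the raw query before qs.parse and reject the request when it returns a key; the encoded-comma case is the one a naive length check misses.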

Remediation Steps:

  1. Check current version: npm list qs
  2. Update package: npm install qs@latest
  3. Audit code for usages of qs.parse(str, { comma: true })
  4. Verify fix by running the PoC script against the new version

Read the full report for CVE-2026-2391 on our website for more details including interactive diagrams and full exploit analysis.
