update to `qs@^6.14.1`

[gabrieel1007]

• Failure issue:

• GHSA-6rw7-vpxm-498p

• A few days ago, the following security flaw was discovered in lib qs. However, no issue or PR was found regarding this flaw or a possible solution.
• Projects that use Express are vulnerable and without solutions for the flaw.
• Please let us know when you can. Thank you!

[Ben-CA]

Was just coming here to say the same thing - please update the qs dependency in Express.

[remyoudemans]

@gabrieel1007 and @Ben-CA, running npm audit fix should fix it as long as you're on Express v4.22.1 or v5.1.0 or above. (It did for me.)

Express version 4.22.1 specifies the required version of qs as ~6.14.0, which allows 6.14.1 (the patched version) so running npm audit fix will resolve it.

Similarly, in express 5.2.1, it's specified as ^6.14.0 which also allows the patched version.

[Ben-CA]

@remyoudemans Good point, but should still be updated by Express so it gets updated by default - e.g. when people check npm outdated.

[gabrieel1007]

@remyoudemans
Thank you for sharing this solution with us.
We hope that express will make this corrected version os lib qs the default.

[UlisesGascon]

In this case, the reported vulnerability in qs (CVE-2025-15284) is already addressed by default in Express. Current Express releases depend on patched versions of qs:

• Express 4 specifies "qs": "~6.14.0", which resolves to >=6.14.0 <6.15.0 and therefore pulls in the patched 6.14.1 release by default. Reference:

  express/package.json

  Line 56 in f62378e

  "qs": "~6.14.0",

• Express 5 specifies "qs": "^6.14.0", which also pulls in the patched versions automatically. Reference:

  express/package.json

  Line 55 in c2fb76e

  "qs": "^6.14.0",

As a result, users installing Express without overriding dependency resolutions already receive a version of qs that includes the fix, and the reported issue does not represent an unpatched vulnerability in Express itself.

[rafipiccolo]

qs 6.14.1 release introduced a breaking change. It's discussed here and aparently issue is closed so nothing will be done.
ljharb/qs#537

Is there a recommended way to keep the default behavior of getting arrays instead of objects when posting arrays ?

for exemple : this used to return arrays, but with new version it returns objects :

app.use(express.urlencoded({ limit: '50mb', extended: false }));

<form method="post">
<select multiple name="test">
<option value="">placeholder</option>
<option value="1">a</option>
<option value="2">b</option>
</select>
</form>

router.post('/test', async (req, res, next) => {
    return res.send({body: req.body});
});

qs 6.14.0 shows : {"body":{"test":["1","2"]}}
qs 6.14.1 shows : {"body":{"test":{"0":"1","1":"2"}}}

[kroleg]

Issue is closed but discussion is ongoing. Imo it's not a vulnerability at all (see ljharb/qs#537 (comment)) and i am trying to convince maintainer to revert this breaking change. So far can't even convince him that it's breaking change :-/

[rafipiccolo]

I guess i'm gonna use this from now on : app.use(express.urlencoded({ limit: '50mb', extended: true}));
since it returns real arrays as before.
So the breaking will be less breaking...
i'll still need to check the naming of the array in the htlm since name="test[]" will allways return arrays while name="test" will return arrays only when multiple values.

[UlisesGascon]

So far can't even convince him that it's breaking change :-/

I personally agree with the maintainers point of view expressed here (ref).

This will be solved tomorrow as we plan to publish body-parser@2.2.2 (ref) with a specific compatibility patch with qs@6.14.1. So Express@5.x will work as expected out-of-the-box 👍

Is there a recommended way to keep the default behavior of getting arrays instead of objects when posting arrays ?

In the meantime one possible workaround is to use overrides in the package.json (docs) like:

{
  "overrides": {
    "express": {
      "qs": "6.14.0"
    },
    "body-parser": {
      "qs": "6.14.0"
    },
  }
}

But then you will get the CVE alert (as you installing a known vulnerable package) 🤔