CVE-2025-15284 qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion

[cristianrgreco]

Hi,

We're getting high severity vulnerability reports due to a dependency of node-vault. Would it be possible to update the version of postman-request to pull in the patched version of qs? NPM audit force fix is suggesting to downgrade node-vault from 0.10 to 0.9 which isn't ideal.

# npm audit report

qs  <6.14.1
Severity: high
qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion - https://github.com/advisories/GHSA-6rw7-vpxm-498p
fix available via `npm audit fix --force`
Will install node-vault@0.9.22, which is a breaking change
node_modules/postman-request/node_modules/qs
node_modules/qs
  postman-request  *
  Depends on vulnerable versions of qs
  node_modules/postman-request
    node-vault  0.9.22-canary.0 || >=0.9.23-canary.1
    Depends on vulnerable versions of postman-request
    node_modules/node-vault

3 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

[jean-dusenne]

Hello,

we have the same problem/alert.

We also don't want to downgrade node-vault as recommended by the npm audit. 🤯

[fxalgrain]

The issue is on postman-request side.

postmanlabs/postman-request#110 must be merged and a postman-request should be released

[finesome]

Hi,

postmanlabs/postman-request#111 was merged instead of postmanlabs/postman-request#110, and postman-request was released with the version 2.88.1-postman.48