Skip to content

fix: req.query returns object instead of array for >20 repeated values#7193

Closed
IshitaSingh0822 wants to merge 4 commits intoexpressjs:masterfrom
IshitaSingh0822:master
Closed

fix: req.query returns object instead of array for >20 repeated values#7193
IshitaSingh0822 wants to merge 4 commits intoexpressjs:masterfrom
IshitaSingh0822:master

Conversation

@IshitaSingh0822
Copy link
Copy Markdown
Contributor

@IshitaSingh0822 IshitaSingh0822 commented Apr 19, 2026

Fixes #7147
qs defaults arrayLimit to 20. When a repeated query param has more
than 20 values, qs returns a plain object with numeric string keys
instead of an array, silently breaking Array.isArray(), .forEach(),
.map() etc.

Fix: set arrayLimit: Infinity in parseExtendedQueryString(). The
existing parameterLimit (default 1000) already caps total query
string size, so there is no DoS risk.

@krzysdz
Copy link
Copy Markdown
Contributor

krzysdz commented Apr 19, 2026

The existing parameterLimit (default 1000) already caps total query string size, so there is no DoS risk.

parameterLimit restricts the number of parameters, but the original meaning (even before qs 6.14.1) of arrayLimit has been protection from sparse array creation such as ?arr[99999]=x. Removing this limit, allows creation of huge sparse arrays with just a single parameter.

There's already another PR that tries to solve this problem - #7151. I'll close this as a duplicate.

Please include only relevant changes in PRs. GitHub shows commits that were a part of #7037 as new changes here.

@krzysdz krzysdz closed this Apr 19, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

duplicate

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

req.query will produce object instead of array when it contains more than 20 values in v4.22.X

2 participants

@IshitaSingh0822 @krzysdz