
Fix: Allow unlimited query parameters in extended parser #7116

Closed
nmurrell07 wants to merge 1 commit into expressjs:master from nmurrell07:fix-query-param-limit-2

@nmurrell07

The qs library has a default parameterLimit of 1000, which silently truncates query parameters beyond that limit. This can cause data loss when handling requests with many query parameters.

Fix by setting parameterLimit: Infinity in the parseExtendedQueryString function, allowing all query parameters to be parsed.

Fixes: #5878

The qs library has a default parameterLimit of 1000, which silently
truncates query parameters beyond that limit. This can cause data loss
when handling requests with many query parameters.

Fix by setting parameterLimit: Infinity in the parseExtendedQueryString
function, allowing all query parameters to be parsed.

Fixes: expressjs#5878

@krzysdz (Contributor) left a comment

Removing the parameter limit potentially enables DOS attacks. I don't think this is a good idea.

By the way, querystring also has its own limit and quietly drops parameters that exceed it.
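
The silent drop mentioned above for Node's built-in `querystring` (default `maxKeys` of 1000), next to a bounded alternative that rejects an over-limit query instead of truncating it or removing the cap. This is an added example, not part of the thread and not Express or qs code; `buildQuery`, `exceedsLimit`, `parseQueryBounded` and the 400 status are hypothetical choices.

```javascript
// Added example: not Express or qs code. Uses only Node's built-in querystring.
const querystring = require('node:querystring');

const DEFAULT_LIMIT = 1000; // same value as querystring's default maxKeys

// Constructed sample input: n distinct parameters, p0=0&p1=1&...
function buildQuery(n) {
  return Array.from({ length: n }, (_, i) => `p${i}=${i}`).join('&');
}

// Count '&'-separated pairs without splitting the string, and stop
// counting as soon as the limit has been passed.
function exceedsLimit(rawQuery, limit) {
  if (rawQuery.length === 0) return false;
  let count = 1;
  for (let i = rawQuery.indexOf('&'); i !== -1; i = rawQuery.indexOf('&', i + 1)) {
    if (++count > limit) return true;
  }
  return false;
}

// Hypothetical helper: parse with a finite cap and report an over-limit
// query to the caller instead of returning a silently shortened object.
function parseQueryBounded(rawQuery, limit = DEFAULT_LIMIT) {
  if (!Number.isInteger(limit) || limit < 1) {
    // Rejects 0 and Infinity, which would remove the cap entirely.
    throw new RangeError('limit must be a positive integer');
  }
  if (exceedsLimit(rawQuery, limit)) {
    // The 400 status is an assumption; pick whatever your API uses.
    return { ok: false, status: 400, reason: `more than ${limit} query parameters` };
  }
  return { ok: true, query: querystring.parse(rawQuery, '&', '=', { maxKeys: limit }) };
}

// Default behaviour versus the bounded helper on 1500 parameters.
function demo() {
  const raw = buildQuery(1500);
  return {
    defaultKeys: Object.keys(querystring.parse(raw)).length, // silently capped
    boundedDefault: parseQueryBounded(raw).ok,               // rejected, not truncated
    boundedRaised: Object.keys(parseQueryBounded(raw, 2000).query).length,
  };
}

console.log(demo());
```
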

nmurrell07 pushed a commit to nmurrell07/express that referenced this pull request Mar 21, 2026
- Change default query parser from 'simple' to 'extended'
- Add 'query parser limit' setting with default of 10000
- Pass limit to query parser at parse time (not compile time)
- Fixes issue expressjs#5878 - query params truncated at 1000+ params
- Supersedes PR expressjs#7116 which used Infinity (security concern)

@krzysdz (Contributor) commented Mar 21, 2026

Superseded by #7117

@krzysdz krzysdz closed this Mar 21, 2026
Development

Successfully merging this pull request may close these issues.

Query Param Silently Remove param query value if it is over 1000
