{
  "document": {
    "acknowledgments": [
      {
        "organization": "CERT@VDE",
        "summary": "coordination",
        "urls": [
          "https://certvde.com"
        ]
      }
    ],
    "aggregate_severity": {
      "namespace": "https://www.first.org/cvss/v3.1/specification-document#Qualitative-Severity-Rating-Scale",
      "text": "Low"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-GB",
    "notes": [
      {
        "category": "summary",
        "text": "A vulnerability in the REST API of the JUMO device allows an attacker to trigger a denial-of-service (DoS) condition. Due to an incorrect implementation of the arrayLimit option in the Node.js qs module, limits for incoming request parameters are not properly enforced. As a result, an attacker can send specially crafted requests containing excessively large or deeply nested arrays, causing the web server to become unresponsive. This condition leads to a crash of the web server, followed by an automatic restart of the device.",
        "title": "Summary"
      },
      {
        "category": "description",
        "text": "A web server crash and the subsequent automatic device restart lead to a temporary denial of service of all device functionality.",
        "title": "Impact"
      },
      {
        "category": "description",
        "text": "Update the affected products to version 431.10.0.0.26 for variTRON 300, to version 388.10.0.0.26 for variTRON 500 and to version 446.10.0.0.26 for variTRON 500 touch. The release of these versions is expected in Q2 2026. \n",
        "title": "Remediation"
      },
      {
        "category": "description",
        "text": "Limit access to the device's web server (e.g. using a firewall, or apply rate limiting and DoS protection mechanisms at the API gateway). ",
        "title": "Mitigation"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "psirt@jumo.net",
      "name": "JUMO GmbH & Co. KG",
      "namespace": "https://www.jumo.group"
    },
    "references": [
      {
        "category": "external",
        "summary": "Jumo PSIRT",
        "url": "https://www.jumo.group/de/en/services/product-security"
      },
      {
        "category": "external",
        "summary": "CERT@VDE Security Advisories for Jumo",
        "url": "https://certvde.com/de/advisories/vendor/jumo/"
      },
      {
        "category": "self",
        "summary": "VDE-2026-009: JUMO: Multiple products affected by nodejs vulnerability - HTML",
        "url": "https://certvde.com/en/advisories/VDE-2026-009"
      },
      {
        "category": "self",
        "summary": "VDE-2026-009: JUMO: Multiple products affected by nodejs vulnerability - CSAF",
        "url": "https://jumo.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-009.json"
      }
    ],
    "title": "JUMO: Multiple products affected by nodejs vulnerability",
    "tracking": {
      "aliases": [
        "VDE-2026-009"
      ],
      "current_release_date": "2026-05-26T07:00:00.000Z",
      "generator": {
        "date": "2026-05-21T15:02:45.279Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.44"
        }
      },
      "id": "VDE-2026-009",
      "initial_release_date": "2026-05-26T07:00:00.000Z",
      "revision_history": [
        {
          "date": "2026-05-26T07:00:00.000Z",
          "number": "1.0.0",
          "summary": "Release version."
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "variTRON300",
                "product": {
                  "name": "variTRON300",
                  "product_id": "CSAFPID-11001"
                }
              },
              {
                "category": "product_name",
                "name": "variTRON500",
                "product": {
                  "name": "variTRON500",
                  "product_id": "CSAFPID-11002"
                }
              },
              {
                "category": "host_name",
                "name": "variTRON500 touch",
                "product": {
                  "name": "variTRON500 touch",
                  "product_id": "CSAFPID-11003"
                }
              }
            ],
            "category": "product_family",
            "name": "Hardware"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:semver/<431.10.0.0.26",
                "product": {
                  "name": "Jumo Firmware <431.10.0.0.26",
                  "product_id": "CSAFPID-21001"
                }
              },
              {
                "category": "product_version",
                "name": "431.10.0.0.26",
                "product": {
                  "name": "Jumo Firmware 431.10.0.0.26",
                  "product_id": "CSAFPID-22001"
                }
              },
              {
                "category": "product_version",
                "name": "388.10.0.0.26",
                "product": {
                  "name": "Jumo Firmware 388.10.0.0.26",
                  "product_id": "CSAFPID-0001"
                }
              },
              {
                "category": "product_version_range",
                "name": "vers:semver/<388.10.0.0.26",
                "product": {
                  "name": "Jumo Firmware <388.10.0.0.26",
                  "product_id": "CSAFPID-0002"
                }
              },
              {
                "category": "product_version",
                "name": "446.10.0.0.26",
                "product": {
                  "name": "Jumo Firmware 446.10.0.0.26",
                  "product_id": "CSAFPID-0003"
                }
              },
              {
                "category": "product_version_range",
                "name": "vers:semver/<446.10.0.0.26",
                "product": {
                  "name": "Jumo Firmware <446.10.0.0.26",
                  "product_id": "CSAFPID-0004"
                }
              }
            ],
            "category": "product_family",
            "name": "Firmware"
          }
        ],
        "category": "vendor",
        "name": "Jumo"
      }
    ],
    "product_groups": [
      {
        "group_id": "CSAFGID-0001",
        "product_ids": [
          "CSAFPID-0022",
          "CSAFPID-31002",
          "CSAFPID-31003"
        ],
        "summary": "Affected products."
      },
      {
        "group_id": "CSAFGID-0002",
        "product_ids": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003"
        ],
        "summary": "Fixed products."
      }
    ],
    "relationships": [
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Jumo Firmware <431.10.0.0.26 installed on variTRON300",
          "product_id": "CSAFPID-0022"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Jumo Firmware <388.10.0.0.26 installed on variTRON500",
          "product_id": "CSAFPID-31002"
        },
        "product_reference": "CSAFPID-0002",
        "relates_to_product_reference": "CSAFPID-11002"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Jumo Firmware <446.10.0.0.26 installed on variTRON500 touch",
          "product_id": "CSAFPID-31003"
        },
        "product_reference": "CSAFPID-0004",
        "relates_to_product_reference": "CSAFPID-11003"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Jumo Firmware 431.10.0.0.26 installed on variTRON300",
          "product_id": "CSAFPID-32001"
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Jumo Firmware 388.10.0.0.26 installed on variTRON500",
          "product_id": "CSAFPID-32002"
        },
        "product_reference": "CSAFPID-0001",
        "relates_to_product_reference": "CSAFPID-11002"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Jumo Firmware 446.10.0.0.26 installed on variTRON500 touch",
          "product_id": "CSAFPID-32003"
        },
        "product_reference": "CSAFPID-0003",
        "relates_to_product_reference": "CSAFPID-11003"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-15284",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "description",
          "text": "Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS. This issue affects qs: < 6.14.1. Summary The arrayLimit option in qs did not enforce limits for bracket notation (a[]=1&a[]=2), only for indexed notation (a[0]=1). This is a consistency bug; arrayLimit should apply uniformly across all array notations. Note: The default parameterLimit of 1000 effectively mitigates the DoS scenario originally described. With default options, bracket notation cannot produce arrays larger than parameterLimit regardless of arrayLimit, because each a[]=value consumes one parameter slot. The severity has been reduced accordingly. Details The arrayLimit option only checked limits for indexed notation (a[0]=1&a[1]=2) but did not enforce it for bracket notation (a[]=1&a[]=2). Vulnerable code (lib/parse.js:159-162): if (root === '[]' && options.parseArrays) { obj = utils.combine([], leaf); // No arrayLimit check } Working code (lib/parse.js:175): else if (index <= options.arrayLimit) { // Limit checked here obj = []; obj[index] = leaf; } The bracket notation handler at line 159 uses utils.combine([], leaf) without validating against options.arrayLimit, while indexed notation at line 175 checks index <= options.arrayLimit before creating arrays. PoC const qs = require('qs'); const result = qs.parse('a[]=1&a[]=2&a[]=3&a[]=4&a[]=5&a[]=6', { arrayLimit: 5 }); console.log(result.a.length); // Output: 6 (should be max 5) Note on parameterLimit interaction: The original advisory's \"DoS demonstration\" claimed a length of 10,000, but parameterLimit (default: 1000) caps parsing to 1,000 parameters. With default options, the actual output is 1,000, not 10,000. Impact Consistency bug in arrayLimit enforcement. With default parameterLimit, the practical DoS risk is negligible since parameterLimit already caps the total number of parsed parameters (and thus array elements from bracket notation). \nThe risk increases only when parameterLimit is explicitly set to a very high value.",
          "title": "CVE Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003"
        ],
        "known_affected": [
          "CSAFPID-0022",
          "CSAFPID-31002",
          "CSAFPID-31003"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE: CVE-2025-15284",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-15284"
        },
        {
          "summary": "CVSS v4.0 Score: 6.3 / Medium",
          "url": "https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update the affected products to version 431.10.0.0.26 for variTRON 300, to version 388.10.0.0.26 for variTRON 500 and to version 446.10.0.0.26 for variTRON 500 touch. The release of these versions is expected in Q2 2026. \n",
          "group_ids": [
            "CSAFGID-0001"
          ]
        },
        {
          "category": "mitigation",
          "details": "Limit access to the device's web server (e.g. using a firewall, or apply rate limiting and DoS protection mechanisms at the API gateway). \n",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "environmentalScore": 3.7,
            "environmentalSeverity": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 3.7,
            "temporalSeverity": "LOW",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0022",
            "CSAFPID-31002",
            "CSAFPID-31003"
          ]
        }
      ],
      "title": "arrayLimit bypass in bracket notation allows DoS via memory exhaustion"
    }
  ]
}