PatchSiren cyber security CVE debrief

CVE-2025-15284 Siemens CVE debrief

CVE-2025-15284 is a denial-of-service issue published by CISA on 2026-03-10 and republished on 2026-03-12 in Siemens advisory content. The source corpus says the underlying problem is improper input validation in qs parsing: bracket notation can bypass arrayLimit enforcement, allowing unbounded array growth and memory exhaustion.

Vendor: Siemens
Product: SIDIS Prime
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-10
Original CVE updated: 2026-03-12
Advisory published: 2026-03-10
Advisory updated: 2026-03-12

Who should care

Siemens SIDIS Prime operators covered by the advisory, and any teams running applications that parse untrusted query strings with qs.parse() and rely on arrayLimit to constrain resource use.

Technical summary

The supplied advisory text states that qs versions below 6.14.1 are affected. The flaw is in parse handling for bracket notation such as a[]=1&a[]=2: the source describes a code path that combines values without checking options.arrayLimit, while indexed notation a[0]=1&a[1]=2 does enforce the limit. As a result, an attacker can send many bracket-notation parameters and force large in-memory arrays, creating a network-reachable HTTP denial of service. The source corpus assigns CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H and scores it 7.5 HIGH.

Defensive priority

High. This is unauthenticated, network-reachable availability impact with a plausible single-request memory-exhaustion path.

Recommended defensive actions

  • Apply the vendor remediation listed in the advisory: update Siemens SIDIS Prime to V4.0.800 or later.
  • If your application uses qs directly, confirm the deployed qs version is 6.14.1 or later.
  • Review any code that parses attacker-controlled query strings, and do not assume that arrayLimit alone is sufficient protection.
  • Add request-size, parameter-count, and upstream rate-limiting controls to reduce DoS exposure.
  • Monitor service memory and crash/restart telemetry for abnormal spikes while patching is rolled out.
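To make the summary and the parameter-count recommendation concrete, here is an added illustration (not qs, Siemens or PatchSiren code): a minimal query-string parser that rejects oversized requests before parsing and applies the same arrayLimit to bracket (a[]=) and indexed (a[0]=) notation, plus a post-parse walk that can be run over the output of any parser, including qs.parse(). The function names and the caps are assumed values.

```javascript
// Added example (not qs, Siemens or PatchSiren code). Caps are assumed values.
const MAX_PARAMS = 100;

// Number of key=value pairs in the raw query, counted before any parsing.
function countParams(query) {
  return query.length === 0 ? 0 : query.split('&').length;
}

// Parses a flat query string into { key: string | string[] }, rejecting
// more than maxParams pairs and any array that would exceed arrayLimit.
// Both a[]=v (bracket) and a[0]=v (indexed) notation are checked the same way.
function safeParse(query, { maxParams = MAX_PARAMS, arrayLimit = 20 } = {}) {
  if (countParams(query) > maxParams) {
    throw new Error(`too many parameters (> ${maxParams})`);
  }
  const out = {};
  for (const pair of query.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const key = decodeURIComponent(eq === -1 ? pair : pair.slice(0, eq));
    const value = eq === -1 ? '' : decodeURIComponent(pair.slice(eq + 1));
    const m = /^([^\[\]]+)\[(\d*)\]$/.exec(key);
    if (!m) { out[key] = value; continue; }
    const [, name, index] = m;
    const arr = Array.isArray(out[name]) ? out[name] : (out[name] = []);
    if (index === '') {
      // bracket notation: the limit applies to the array's current length
      if (arr.length >= arrayLimit) throw new Error(`"${name}" exceeds arrayLimit ${arrayLimit}`);
      arr.push(value);
    } else {
      // indexed notation: the limit applies to the requested index
      const i = Number(index);
      if (i >= arrayLimit) throw new Error(`"${name}[${i}]" exceeds arrayLimit ${arrayLimit}`);
      arr[i] = value;
    }
  }
  return out;
}

// Defence in depth for any parser, qs.parse() included: walk the parsed
// object and report whether every array is within arrayLimit.
function arraysWithinLimit(obj, arrayLimit) {
  for (const v of Object.values(obj)) {
    if (Array.isArray(v) && v.length > arrayLimit) return false;
    if (v !== null && typeof v === 'object' && !arraysWithinLimit(v, arrayLimit)) return false;
  }
  return true;
}
```

The pre-parse count is the cheap check that stops a single oversized request before any memory is allocated for it; the post-parse walk catches a parser that enforces the limit for one notation only.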

Evidence notes

The source corpus contains a notable context mismatch: the advisory metadata is for Siemens SIDIS Prime, but the technical description is about qs parse behavior and the arrayLimit bypass. The description is also truncated in the supplied notes. All claims in this debrief are limited to the provided CISA/Siemens-linked corpus and official reference links.

Official resources

Published in the CISA CSAF feed on 2026-03-10 and republished on 2026-03-12 with Siemens advisory content. No KEV listing is present in the supplied data.