From d2e5945ccef2a7769277fef338b7a63f24fda15d Mon Sep 17 00:00:00 2001
From: Jonathan Fulton
Date: Sat, 31 Jan 2026 18:49:08 -0500
Subject: [PATCH] fix: prevent silent truncation of query parameters

Set parameterLimit to Infinity in the extended query parser to prevent silent truncation of query parameters when exceeding the qs library's default limit of 1000. Previously, query strings with more than 1000 parameters would be silently truncated, potentially causing data loss and hard-to-debug issues. Now all parameters are parsed by default. Users who need a limit for security can provide a custom query parser function.

Fixes #5878
---
 lib/utils.js | 8 +++++++-
 test/req.query.js | 22 ++++++++++++++++++++++
 2 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/lib/utils.js b/lib/utils.js
index 4f21e7ef1e3..10f78864a2d 100644
--- a/lib/utils.js
+++ b/lib/utils.js
@@ -259,6 +259,11 @@ function createETagGenerator (options) {
 /**
  * Parse an extended query string with qs.
  *
+ * Sets parameterLimit to Infinity to avoid silently truncating
+ * query parameters. The default qs limit of 1000 parameters
+ * would cause data loss without any warning. If users need a
+ * limit for security, they can provide a custom query parser.
+ *
  * @param {String} str
  * @return {Object}
  * @private
@@ -266,6 +271,7 @@ function createETagGenerator (options) {
 function parseExtendedQueryString(str) {
   return qs.parse(str, {
-    allowPrototypes: true
+    allowPrototypes: true,
+    parameterLimit: Infinity
   });
 }
 
diff --git a/test/req.query.js b/test/req.query.js
index c0d3c8376e9..0bce4916139 100644
--- a/test/req.query.js
+++ b/test/req.query.js
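Review bot: `parameterLimit: Infinity` in `parseExtendedQueryString` removes the only bound qs places on per-request parsing work, and the added doc comment then tells users to write their own parser if they want a bound back, which inverts the secure-by-default posture; the defect in #5878 is that the limit is silent, not that it exists. Keeping a finite default and making it fail loudly fixes the reported data loss without the regression — if the qs version in use supports `throwOnLimitExceeded`, `parameterLimit: 1000, throwOnLimitExceeded: true` turns an over-limit query into an error the app can map to a 4xx instead of a truncated `req.query` (the new test in test/req.query.js would then assert the rejection rather than 1500 keys). In practice the request line is capped by Node's `maxHeaderSize` (16 KB by default), so the exposure from an unbounded parameter count is limited, but that cap is set per deployment and is not something this module controls. Whatever bound is chosen, the doc comment should state it rather than defer the question to users.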
@@ -38,6 +38,28 @@ describe('req', function(){
       .get('/?user.name=tj')
       .expect(200, '{"user.name":"tj"}', done);
     });
+
+    it('should not truncate parameters over 1000', function (done) {
+      var app = createApp('extended');
+
+      // Create a query string with 1500 parameters
+      var params = [];
+      for (var i = 0; i < 1500; i++) {
+        params.push('a' + i + '=' + i);
+      }
+      var query = params.join('&');
+
+      request(app)
+        .get('/?' + query)
+        .expect(200)
+        .expect(function (res) {
+          var keys = Object.keys(res.body);
+          if (keys.length !== 1500) {
+            throw new Error('Expected 1500 parameters, got ' + keys.length);
+          }
+        })
+        .end(done);
+    });
   });
 
   describe('when "query parser" is simple', function () {
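Review bot: The new test only checks `Object.keys(res.body).length`, so a parser that kept 1500 keys but lost the tail values would still pass; asserting the last parameter directly, e.g. `if (res.body.a1499 !== '1499') throw new Error('last parameter missing');`, pins the truncation behaviour the test is named for. By my count the 1500-parameter query string is roughly 14 KB, which sits close to Node's default `maxHeaderSize` of 16 KB for the request line plus headers; if supertest's default headers grow, the request is rejected by Node's HTTP parser before it reaches the app, so a comment noting the margin (or a smaller count such as 1001, which still exceeds the old limit) would make the test less brittle. The enclosing `describe('req', …)` block named in the hunk header starts before the hunk.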