CVE-2026-54892 (GCVE-0-2026-54892)
Vulnerability from cvelistv5 – Published: 2026-06-23 12:31 – Updated: 2026-06-23 18:21
VLAI
Title
Plug: quadratic-time decoding of nested query/body parameters enables denial of service
Summary
Inefficient algorithmic complexity in Plug's nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service. Plug.Conn.Query.decode/4 (and Plug.Conn.Query.decode_each/2) parse query strings and application/x-www-form-urlencoded request bodies. When a key contains many bracketed segments such as a[a][a][a]=1, the decoder walks the brackets and, for each of the N levels, performs a map operation keyed on an ever-growing binary prefix of the key, hashing the full byte range at each step. The total decode cost is therefore quadratic in the number of nesting levels.
With the default Plug.Parsers.URLENCODED body limit of 1,000,000 bytes, a single request can carry roughly 333,000 nesting levels and saturate a BEAM scheduler for minutes. A small number of concurrent requests can saturate all schedulers and render a Plug-based server unresponsive. No authentication or knowledge of application routes is required.
This vulnerability is associated with program files lib/plug/conn/query.ex and program routines Plug.Conn.Query.decode/4, Plug.Conn.Query.decode_each/2, Plug.Conn.Query.split_keys/6, Plug.Conn.Query.insert_keys/3, and Plug.Conn.Query.finalize_pointer/2.
This issue affects plug from 1.15.0 before 1.15.5, 1.16.4, 1.17.2, 1.18.3, and 1.19.3.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-407 - Inefficient Algorithmic Complexity
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| elixir-plug | plug |
Affected:
1.15.0 , < 1.15.5
(semver)
Affected: 1.16.0 , < 1.16.4 (semver) Affected: 1.17.0 , < 1.17.2 (semver) Affected: 1.18.0 , < 1.18.3 (semver) Affected: 1.19.0 , < 1.19.3 (semver) cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:* |
|
| elixir-plug | plug |
Affected:
712b875d3442c765d8d37e546ffd5ad9f8afcc55 , < *
(git)
cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54892",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-23T13:03:58.893269Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T13:04:27.014Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/elixir-plug/plug/security/advisories/GHSA-j43x-5hjq-rgxf"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Plug.Conn.Query\u0027"
],
"packageName": "plug",
"packageURL": "pkg:hex/plug",
"product": "plug",
"programFiles": [
"lib/plug/conn/query.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Plug.Conn.Query\u0027:decode/4"
},
{
"name": "\u0027Elixir.Plug.Conn.Query\u0027:decode_each/2"
},
{
"name": "\u0027Elixir.Plug.Conn.Query\u0027:split_keys/6"
},
{
"name": "\u0027Elixir.Plug.Conn.Query\u0027:insert_keys/3"
},
{
"name": "\u0027Elixir.Plug.Conn.Query\u0027:finalize_pointer/2"
}
],
"repo": "https://github.com/elixir-plug/plug",
"vendor": "elixir-plug",
"versions": [
{
"lessThan": "1.15.5",
"status": "affected",
"version": "1.15.0",
"versionType": "semver"
},
{
"lessThan": "1.16.4",
"status": "affected",
"version": "1.16.0",
"versionType": "semver"
},
{
"lessThan": "1.17.2",
"status": "affected",
"version": "1.17.0",
"versionType": "semver"
},
{
"lessThan": "1.18.3",
"status": "affected",
"version": "1.18.0",
"versionType": "semver"
},
{
"lessThan": "1.19.3",
"status": "affected",
"version": "1.19.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Plug.Conn.Query\u0027"
],
"packageName": "elixir-plug/plug",
"packageURL": "pkg:github/elixir-plug/plug",
"product": "plug",
"programFiles": [
"lib/plug/conn/query.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Plug.Conn.Query\u0027:decode/4"
},
{
"name": "\u0027Elixir.Plug.Conn.Query\u0027:decode_each/2"
},
{
"name": "\u0027Elixir.Plug.Conn.Query\u0027:split_keys/6"
},
{
"name": "\u0027Elixir.Plug.Conn.Query\u0027:insert_keys/3"
},
{
"name": "\u0027Elixir.Plug.Conn.Query\u0027:finalize_pointer/2"
}
],
"repo": "https://github.com/elixir-plug/plug",
"vendor": "elixir-plug",
"versions": [
{
"changes": [
{
"at": "c317d08fdcf96e17931f7419275b2b8c4bf3e951",
"status": "unaffected"
},
{
"at": "9c5d37c440eaae92869eed7c014c47266744fadb",
"status": "unaffected"
},
{
"at": "d737eb236f17e31a36290e39f9ef3cd86a1343bd",
"status": "unaffected"
},
{
"at": "d4e5568392a4b29e545b91e12e87d6098f976145",
"status": "unaffected"
},
{
"at": "a61124aa625d819a218fb07f90afbac8aa85eb0e",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "712b875d3442c765d8d37e546ffd5ad9f8afcc55",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.15.5",
"versionStartIncluding": "1.15.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.16.4",
"versionStartIncluding": "1.16.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.17.2",
"versionStartIncluding": "1.17.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.18.3",
"versionStartIncluding": "1.18.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.19.3",
"versionStartIncluding": "1.19.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Braidon Whatley"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jos\u00e9 Valim"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eInefficient algorithmic complexity in Plug\u0027s nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service. \u003ctt\u003ePlug.Conn.Query.decode/4\u003c/tt\u003e (and \u003ctt\u003ePlug.Conn.Query.decode_each/2\u003c/tt\u003e) parse query strings and \u003ctt\u003eapplication/x-www-form-urlencoded\u003c/tt\u003e request bodies. When a key contains many bracketed segments such as \u003ctt\u003ea[a][a][a]=1\u003c/tt\u003e, the decoder walks the brackets and, for each of the N levels, performs a map operation keyed on an ever-growing binary prefix of the key, hashing the full byte range at each step. The total decode cost is therefore quadratic in the number of nesting levels.\u003c/p\u003e\u003cp\u003eWith the default \u003ctt\u003ePlug.Parsers.URLENCODED\u003c/tt\u003e body limit of 1,000,000 bytes, a single request can carry roughly 333,000 nesting levels and saturate a BEAM scheduler for minutes. A small number of concurrent requests can saturate all schedulers and render a Plug-based server unresponsive. No authentication or knowledge of application routes is required.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/plug/conn/query.ex\u003c/tt\u003e and program routines \u003ctt\u003ePlug.Conn.Query.decode/4\u003c/tt\u003e, \u003ctt\u003ePlug.Conn.Query.decode_each/2\u003c/tt\u003e, \u003ctt\u003ePlug.Conn.Query.split_keys/6\u003c/tt\u003e, \u003ctt\u003ePlug.Conn.Query.insert_keys/3\u003c/tt\u003e, and \u003ctt\u003ePlug.Conn.Query.finalize_pointer/2\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects plug from 1.15.0 before 1.15.5, 1.16.4, 1.17.2, 1.18.3, and 1.19.3.\u003c/p\u003e"
}
],
"value": "Inefficient algorithmic complexity in Plug\u0027s nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service. Plug.Conn.Query.decode/4 (and Plug.Conn.Query.decode_each/2) parse query strings and application/x-www-form-urlencoded request bodies. When a key contains many bracketed segments such as a[a][a][a]=1, the decoder walks the brackets and, for each of the N levels, performs a map operation keyed on an ever-growing binary prefix of the key, hashing the full byte range at each step. The total decode cost is therefore quadratic in the number of nesting levels.\n\nWith the default Plug.Parsers.URLENCODED body limit of 1,000,000 bytes, a single request can carry roughly 333,000 nesting levels and saturate a BEAM scheduler for minutes. A small number of concurrent requests can saturate all schedulers and render a Plug-based server unresponsive. No authentication or knowledge of application routes is required.\n\nThis vulnerability is associated with program files lib/plug/conn/query.ex and program routines Plug.Conn.Query.decode/4, Plug.Conn.Query.decode_each/2, Plug.Conn.Query.split_keys/6, Plug.Conn.Query.insert_keys/3, and Plug.Conn.Query.finalize_pointer/2.\n\nThis issue affects plug from 1.15.0 before 1.15.5, 1.16.4, 1.17.2, 1.18.3, and 1.19.3."
}
],
"impacts": [
{
"capecId": "CAPEC-229",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-229 Serialized Data Parameter Blowup"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-407",
"description": "CWE-407 Inefficient Algorithmic Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T18:21:14.232Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/elixir-plug/plug/security/advisories/GHSA-j43x-5hjq-rgxf"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-54892.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-54892"
},
{
"tags": [
"patch"
],
"url": "https://github.com/elixir-plug/plug/commit/c317d08fdcf96e17931f7419275b2b8c4bf3e951"
},
{
"tags": [
"patch"
],
"url": "https://github.com/elixir-plug/plug/commit/9c5d37c440eaae92869eed7c014c47266744fadb"
},
{
"tags": [
"patch"
],
"url": "https://github.com/elixir-plug/plug/commit/d737eb236f17e31a36290e39f9ef3cd86a1343bd"
},
{
"tags": [
"patch"
],
"url": "https://github.com/elixir-plug/plug/commit/d4e5568392a4b29e545b91e12e87d6098f976145"
},
{
"tags": [
"patch"
],
"url": "https://github.com/elixir-plug/plug/commit/a61124aa625d819a218fb07f90afbac8aa85eb0e"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Plug: quadratic-time decoding of nested query/body parameters enables denial of service",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-54892",
"datePublished": "2026-06-23T12:31:12.629Z",
"dateReserved": "2026-06-16T10:47:13.915Z",
"dateUpdated": "2026-06-23T18:21:14.232Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-54892\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-23T13:03:58.893269Z\"}}}], \"references\": [{\"url\": \"https://github.com/elixir-plug/plug/security/advisories/GHSA-j43x-5hjq-rgxf\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-23T13:04:18.295Z\"}}], \"cna\": {\"title\": \"Plug: quadratic-time decoding of nested query/body parameters enables denial of service\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Braidon Whatley\"}, {\"lang\": \"en\", \"type\": \"remediation developer\", \"value\": \"Jos\\u00e9 Valim\"}, {\"lang\": \"en\", \"type\": \"analyst\", \"value\": \"Jonatan M\\u00e4nnchen / EEF\"}], \"impacts\": [{\"capecId\": \"CAPEC-229\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-229 Serialized Data Parameter Blowup\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 8.7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*\"], \"repo\": \"https://github.com/elixir-plug/plug\", \"vendor\": \"elixir-plug\", \"modules\": [\"\u0027Elixir.Plug.Conn.Query\u0027\"], \"product\": \"plug\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.15.0\", \"lessThan\": \"1.15.5\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"1.16.0\", \"lessThan\": \"1.16.4\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"1.17.0\", \"lessThan\": \"1.17.2\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"1.18.0\", \"lessThan\": \"1.18.3\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"1.19.0\", \"lessThan\": \"1.19.3\", \"versionType\": \"semver\"}], \"packageURL\": \"pkg:hex/plug\", \"packageName\": \"plug\", \"programFiles\": [\"lib/plug/conn/query.ex\"], \"collectionURL\": \"https://repo.hex.pm\", \"defaultStatus\": \"unaffected\", \"programRoutines\": [{\"name\": \"\u0027Elixir.Plug.Conn.Query\u0027:decode/4\"}, {\"name\": \"\u0027Elixir.Plug.Conn.Query\u0027:decode_each/2\"}, {\"name\": \"\u0027Elixir.Plug.Conn.Query\u0027:split_keys/6\"}, {\"name\": \"\u0027Elixir.Plug.Conn.Query\u0027:insert_keys/3\"}, {\"name\": \"\u0027Elixir.Plug.Conn.Query\u0027:finalize_pointer/2\"}]}, {\"cpes\": [\"cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*\"], \"repo\": \"https://github.com/elixir-plug/plug\", \"vendor\": \"elixir-plug\", \"modules\": [\"\u0027Elixir.Plug.Conn.Query\u0027\"], \"product\": \"plug\", \"versions\": [{\"status\": \"affected\", \"changes\": [{\"at\": \"c317d08fdcf96e17931f7419275b2b8c4bf3e951\", \"status\": \"unaffected\"}, {\"at\": \"9c5d37c440eaae92869eed7c014c47266744fadb\", \"status\": \"unaffected\"}, {\"at\": \"d737eb236f17e31a36290e39f9ef3cd86a1343bd\", \"status\": \"unaffected\"}, {\"at\": \"d4e5568392a4b29e545b91e12e87d6098f976145\", \"status\": \"unaffected\"}, {\"at\": \"a61124aa625d819a218fb07f90afbac8aa85eb0e\", \"status\": \"unaffected\"}], \"version\": \"712b875d3442c765d8d37e546ffd5ad9f8afcc55\", \"lessThan\": \"*\", \"versionType\": \"git\"}], \"packageURL\": \"pkg:github/elixir-plug/plug\", \"packageName\": \"elixir-plug/plug\", \"programFiles\": [\"lib/plug/conn/query.ex\"], \"collectionURL\": \"https://github.com\", \"defaultStatus\": \"unaffected\", \"programRoutines\": [{\"name\": \"\u0027Elixir.Plug.Conn.Query\u0027:decode/4\"}, {\"name\": \"\u0027Elixir.Plug.Conn.Query\u0027:decode_each/2\"}, {\"name\": \"\u0027Elixir.Plug.Conn.Query\u0027:split_keys/6\"}, {\"name\": \"\u0027Elixir.Plug.Conn.Query\u0027:insert_keys/3\"}, {\"name\": \"\u0027Elixir.Plug.Conn.Query\u0027:finalize_pointer/2\"}]}], \"references\": [{\"url\": \"https://github.com/elixir-plug/plug/security/advisories/GHSA-j43x-5hjq-rgxf\", \"tags\": [\"vendor-advisory\", \"related\"]}, {\"url\": \"https://cna.erlef.org/cves/CVE-2026-54892.html\", \"tags\": [\"related\"]}, {\"url\": \"https://osv.dev/vulnerability/EEF-CVE-2026-54892\", \"tags\": [\"related\"]}, {\"url\": \"https://github.com/elixir-plug/plug/commit/c317d08fdcf96e17931f7419275b2b8c4bf3e951\", \"tags\": [\"patch\"]}, {\"url\": \"https://github.com/elixir-plug/plug/commit/9c5d37c440eaae92869eed7c014c47266744fadb\", \"tags\": [\"patch\"]}, {\"url\": \"https://github.com/elixir-plug/plug/commit/d737eb236f17e31a36290e39f9ef3cd86a1343bd\", \"tags\": [\"patch\"]}, {\"url\": \"https://github.com/elixir-plug/plug/commit/d4e5568392a4b29e545b91e12e87d6098f976145\", \"tags\": [\"patch\"]}, {\"url\": \"https://github.com/elixir-plug/plug/commit/a61124aa625d819a218fb07f90afbac8aa85eb0e\", \"tags\": [\"patch\"]}], \"x_generator\": {\"engine\": \"cvelib 1.8.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Inefficient algorithmic complexity in Plug\u0027s nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service. Plug.Conn.Query.decode/4 (and Plug.Conn.Query.decode_each/2) parse query strings and application/x-www-form-urlencoded request bodies. When a key contains many bracketed segments such as a[a][a][a]=1, the decoder walks the brackets and, for each of the N levels, performs a map operation keyed on an ever-growing binary prefix of the key, hashing the full byte range at each step. The total decode cost is therefore quadratic in the number of nesting levels.\\n\\nWith the default Plug.Parsers.URLENCODED body limit of 1,000,000 bytes, a single request can carry roughly 333,000 nesting levels and saturate a BEAM scheduler for minutes. A small number of concurrent requests can saturate all schedulers and render a Plug-based server unresponsive. No authentication or knowledge of application routes is required.\\n\\nThis vulnerability is associated with program files lib/plug/conn/query.ex and program routines Plug.Conn.Query.decode/4, Plug.Conn.Query.decode_each/2, Plug.Conn.Query.split_keys/6, Plug.Conn.Query.insert_keys/3, and Plug.Conn.Query.finalize_pointer/2.\\n\\nThis issue affects plug from 1.15.0 before 1.15.5, 1.16.4, 1.17.2, 1.18.3, and 1.19.3.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eInefficient algorithmic complexity in Plug\u0027s nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service. \u003ctt\u003ePlug.Conn.Query.decode/4\u003c/tt\u003e (and \u003ctt\u003ePlug.Conn.Query.decode_each/2\u003c/tt\u003e) parse query strings and \u003ctt\u003eapplication/x-www-form-urlencoded\u003c/tt\u003e request bodies. When a key contains many bracketed segments such as \u003ctt\u003ea[a][a][a]=1\u003c/tt\u003e, the decoder walks the brackets and, for each of the N levels, performs a map operation keyed on an ever-growing binary prefix of the key, hashing the full byte range at each step. The total decode cost is therefore quadratic in the number of nesting levels.\u003c/p\u003e\u003cp\u003eWith the default \u003ctt\u003ePlug.Parsers.URLENCODED\u003c/tt\u003e body limit of 1,000,000 bytes, a single request can carry roughly 333,000 nesting levels and saturate a BEAM scheduler for minutes. A small number of concurrent requests can saturate all schedulers and render a Plug-based server unresponsive. No authentication or knowledge of application routes is required.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/plug/conn/query.ex\u003c/tt\u003e and program routines \u003ctt\u003ePlug.Conn.Query.decode/4\u003c/tt\u003e, \u003ctt\u003ePlug.Conn.Query.decode_each/2\u003c/tt\u003e, \u003ctt\u003ePlug.Conn.Query.split_keys/6\u003c/tt\u003e, \u003ctt\u003ePlug.Conn.Query.insert_keys/3\u003c/tt\u003e, and \u003ctt\u003ePlug.Conn.Query.finalize_pointer/2\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects plug from 1.15.0 before 1.15.5, 1.16.4, 1.17.2, 1.18.3, and 1.19.3.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-407\", \"description\": \"CWE-407 Inefficient Algorithmic Complexity\"}]}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"1.15.5\", \"versionStartIncluding\": \"1.15.0\"}, {\"criteria\": \"cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"1.16.4\", \"versionStartIncluding\": \"1.16.0\"}, {\"criteria\": \"cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"1.17.2\", \"versionStartIncluding\": \"1.17.0\"}, {\"criteria\": \"cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"1.18.3\", \"versionStartIncluding\": \"1.18.0\"}, {\"criteria\": \"cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"1.19.3\", \"versionStartIncluding\": \"1.19.0\"}], \"operator\": \"OR\"}], \"operator\": \"AND\"}], \"providerMetadata\": {\"orgId\": \"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\", \"shortName\": \"EEF\", \"dateUpdated\": \"2026-06-23T18:21:14.232Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-54892\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-23T18:21:14.232Z\", \"dateReserved\": \"2026-06-16T10:47:13.915Z\", \"assignerOrgId\": \"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\", \"datePublished\": \"2026-06-23T12:31:12.629Z\", \"assignerShortName\": \"EEF\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…