FKIE_CVE-2026-54892

Vulnerability from fkie_nvd - Published: 2026-06-23 13:16 - Updated: 2026-06-23 15:44
Severity
8.7 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Summary
Inefficient algorithmic complexity in Plug's nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service. Plug.Conn.Query.decode/4 (and Plug.Conn.Query.decode_each/2) parse query strings and application/x-www-form-urlencoded request bodies. When a key contains many bracketed segments such as a[a][a][a]=1, the decoder walks the brackets and, for each of the N levels, performs a map operation keyed on an ever-growing binary prefix of the key, hashing the full byte range at each step. The total decode cost is therefore quadratic in the number of nesting levels. With the default Plug.Parsers.URLENCODED body limit of 1,000,000 bytes, a single request can carry roughly 333,000 nesting levels and saturate a BEAM scheduler for minutes. A small number of concurrent requests can saturate all schedulers and render a Plug-based server unresponsive. No authentication or knowledge of application routes is required. This vulnerability is associated with program files lib/plug/conn/query.ex and program routines Plug.Conn.Query.decode/4, Plug.Conn.Query.decode_each/2, Plug.Conn.Query.split_keys/6, Plug.Conn.Query.insert_keys/3, and Plug.Conn.Query.finalize_pointer/2. This issue affects plug from 1.15.0 before 1.15.5, 1.16.4, 1.17.2, 1.18.3, and 1.19.3.
References
6b3ad84c-e1a6-4bf7-a703-f496b71e49dbhttps://cna.erlef.org/cves/CVE-2026-54892.html
6b3ad84c-e1a6-4bf7-a703-f496b71e49dbhttps://github.com/elixir-plug/plug/commit/9c5d37c440eaae92869eed7c014c47266744fadb
6b3ad84c-e1a6-4bf7-a703-f496b71e49dbhttps://github.com/elixir-plug/plug/commit/a61124aa625d819a218fb07f90afbac8aa85eb0e
6b3ad84c-e1a6-4bf7-a703-f496b71e49dbhttps://github.com/elixir-plug/plug/commit/c317d08fdcf96e17931f7419275b2b8c4bf3e951
6b3ad84c-e1a6-4bf7-a703-f496b71e49dbhttps://github.com/elixir-plug/plug/commit/d4e5568392a4b29e545b91e12e87d6098f976145
6b3ad84c-e1a6-4bf7-a703-f496b71e49dbhttps://github.com/elixir-plug/plug/commit/d737eb236f17e31a36290e39f9ef3cd86a1343bd
6b3ad84c-e1a6-4bf7-a703-f496b71e49dbhttps://github.com/elixir-plug/plug/security/advisories/GHSA-j43x-5hjq-rgxf
6b3ad84c-e1a6-4bf7-a703-f496b71e49dbhttps://osv.dev/vulnerability/EEF-CVE-2026-54892
134c704f-9b21-4f2e-91b3-4a467353bcc0https://github.com/elixir-plug/plug/security/advisories/GHSA-j43x-5hjq-rgxf
Impacted products
Vendor Product Version
To clipboard 

{
  "affected": [
    {
      "affectedData": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.Plug.Conn.Query\u0027"
          ],
          "packageName": "plug",
          "packageURL": "pkg:hex/plug",
          "product": "plug",
          "programFiles": [
            "lib/plug/conn/query.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.Plug.Conn.Query\u0027:decode/4"
            },
            {
              "name": "\u0027Elixir.Plug.Conn.Query\u0027:decode_each/2"
            },
            {
              "name": "\u0027Elixir.Plug.Conn.Query\u0027:split_keys/6"
            },
            {
              "name": "\u0027Elixir.Plug.Conn.Query\u0027:insert_keys/3"
            },
            {
              "name": "\u0027Elixir.Plug.Conn.Query\u0027:finalize_pointer/2"
            }
          ],
          "repo": "https://github.com/elixir-plug/plug",
          "vendor": "elixir-plug",
          "versions": [
            {
              "lessThan": "1.15.5",
              "status": "affected",
              "version": "1.15.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.16.4",
              "status": "affected",
              "version": "1.16.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.17.2",
              "status": "affected",
              "version": "1.17.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.18.3",
              "status": "affected",
              "version": "1.18.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.19.3",
              "status": "affected",
              "version": "1.19.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.Plug.Conn.Query\u0027"
          ],
          "packageName": "elixir-plug/plug",
          "packageURL": "pkg:github/elixir-plug/plug",
          "product": "plug",
          "programFiles": [
            "lib/plug/conn/query.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.Plug.Conn.Query\u0027:decode/4"
            },
            {
              "name": "\u0027Elixir.Plug.Conn.Query\u0027:decode_each/2"
            },
            {
              "name": "\u0027Elixir.Plug.Conn.Query\u0027:split_keys/6"
            },
            {
              "name": "\u0027Elixir.Plug.Conn.Query\u0027:insert_keys/3"
            },
            {
              "name": "\u0027Elixir.Plug.Conn.Query\u0027:finalize_pointer/2"
            }
          ],
          "repo": "https://github.com/elixir-plug/plug",
          "vendor": "elixir-plug",
          "versions": [
            {
              "changes": [
                {
                  "at": "c317d08fdcf96e17931f7419275b2b8c4bf3e951",
                  "status": "unaffected"
                },
                {
                  "at": "9c5d37c440eaae92869eed7c014c47266744fadb",
                  "status": "unaffected"
                },
                {
                  "at": "d737eb236f17e31a36290e39f9ef3cd86a1343bd",
                  "status": "unaffected"
                },
                {
                  "at": "d4e5568392a4b29e545b91e12e87d6098f976145",
                  "status": "unaffected"
                },
                {
                  "at": "a61124aa625d819a218fb07f90afbac8aa85eb0e",
                  "status": "unaffected"
                }
              ],
              "lessThan": "*",
              "status": "affected",
              "version": "712b875d3442c765d8d37e546ffd5ad9f8afcc55",
              "versionType": "git"
            }
          ]
        }
      ],
      "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Inefficient algorithmic complexity in Plug\u0027s nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service. Plug.Conn.Query.decode/4 (and Plug.Conn.Query.decode_each/2) parse query strings and application/x-www-form-urlencoded request bodies. When a key contains many bracketed segments such as a[a][a][a]=1, the decoder walks the brackets and, for each of the N levels, performs a map operation keyed on an ever-growing binary prefix of the key, hashing the full byte range at each step. The total decode cost is therefore quadratic in the number of nesting levels.\n\nWith the default Plug.Parsers.URLENCODED body limit of 1,000,000 bytes, a single request can carry roughly 333,000 nesting levels and saturate a BEAM scheduler for minutes. A small number of concurrent requests can saturate all schedulers and render a Plug-based server unresponsive. No authentication or knowledge of application routes is required.\n\nThis vulnerability is associated with program files lib/plug/conn/query.ex and program routines Plug.Conn.Query.decode/4, Plug.Conn.Query.decode_each/2, Plug.Conn.Query.split_keys/6, Plug.Conn.Query.insert_keys/3, and Plug.Conn.Query.finalize_pointer/2.\n\nThis issue affects plug from 1.15.0 before 1.15.5, 1.16.4, 1.17.2, 1.18.3, and 1.19.3."
    }
  ],
  "id": "CVE-2026-54892",
  "lastModified": "2026-06-23T15:44:39.343",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 8.7,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "type": "Secondary"
      }
    ],
    "ssvcV203": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "ssvcData": {
          "id": "CVE-2026-54892",
          "options": [
            {
              "exploitation": "poc"
            },
            {
              "automatable": "yes"
            },
            {
              "technicalImpact": "partial"
            }
          ],
          "role": "CISA Coordinator",
          "timestamp": "2026-06-23T13:03:58.893269Z",
          "version": "2.0.3"
        }
      }
    ]
  },
  "published": "2026-06-23T13:16:43.167",
  "references": [
    {
      "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
      "url": "https://cna.erlef.org/cves/CVE-2026-54892.html"
    },
    {
      "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
      "url": "https://github.com/elixir-plug/plug/commit/9c5d37c440eaae92869eed7c014c47266744fadb"
    },
    {
      "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
      "url": "https://github.com/elixir-plug/plug/commit/a61124aa625d819a218fb07f90afbac8aa85eb0e"
    },
    {
      "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
      "url": "https://github.com/elixir-plug/plug/commit/c317d08fdcf96e17931f7419275b2b8c4bf3e951"
    },
    {
      "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
      "url": "https://github.com/elixir-plug/plug/commit/d4e5568392a4b29e545b91e12e87d6098f976145"
    },
    {
      "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
      "url": "https://github.com/elixir-plug/plug/commit/d737eb236f17e31a36290e39f9ef3cd86a1343bd"
    },
    {
      "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
      "url": "https://github.com/elixir-plug/plug/security/advisories/GHSA-j43x-5hjq-rgxf"
    },
    {
      "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
      "url": "https://osv.dev/vulnerability/EEF-CVE-2026-54892"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/elixir-plug/plug/security/advisories/GHSA-j43x-5hjq-rgxf"
    }
  ],
  "sourceIdentifier": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-407"
        }
      ],
      "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.