EEF-CVE-2026-54892

See a problem?
Please try reporting it to the source first.

Source

https://cna.erlef.org/osv/EEF-CVE-2026-54892.html

Import Source

https://cna.erlef.org/osv/EEF-CVE-2026-54892.json

JSON Data

https://api.test.osv.dev/v1/vulns/EEF-CVE-2026-54892

Aliases

CVE-2026-54892
GHSA-j43x-5hjq-rgxf

Published

2026-06-23T12:31:12.629Z

Modified

2026-06-23T18:21:14.232Z

Severity

8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

Plug: quadratic-time decoding of nested query/body parameters enables denial of service

Details

Summary

Inefficient algorithmic complexity in Plug's nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service. Plug.Conn.Query.decode/4 (and Plug.Conn.Query.decode_each/2) parse query strings and application/x-www-form-urlencoded request bodies. When a key contains many bracketed segments such as a[a][a][a]=1, the decoder walks the brackets and, for each of the N levels, performs a map operation keyed on an ever-growing binary prefix of the key, hashing the full byte range at each step. The total decode cost is therefore quadratic in the number of nesting levels.

With the default Plug.Parsers.URLENCODED body limit of 1,000,000 bytes, a single request can carry roughly 333,000 nesting levels and saturate a BEAM scheduler for minutes. A small number of concurrent requests can saturate all schedulers and render a Plug-based server unresponsive. No authentication or knowledge of application routes is required.

This vulnerability is associated with program files lib/plug/conn/query.ex and program routines Plug.Conn.Query.decode/4, Plug.Conn.Query.decode_each/2, Plug.Conn.Query.split_keys/6, Plug.Conn.Query.insert_keys/3, and Plug.Conn.Query.finalize_pointer/2.

This issue affects plug from 1.15.0 before 1.15.5, 1.16.4, 1.17.2, 1.18.3, and 1.19.3.

Database specific

{
    "cwe_ids": [
        "CWE-407"
    ],
    "cpe_ids": [
        "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*"
    ],
    "capec_ids": [
        "CAPEC-229"
    ]
}

References

Credits

- Braidon Whatley - FINDER
- José Valim - REMEDIATION_DEVELOPER
- Jonatan Männchen / EEF - ANALYST

Affected packages

Hex / plug

Package

Name: plug
Purl: pkg:hex/plug

Affected ranges

Type: SEMVER
Events: Introduced

1.15.0

Fixed

1.15.5

Type: SEMVER
Events: Introduced

1.16.0

Fixed

1.16.4

Type: SEMVER
Events: Introduced

1.17.0

Fixed

1.17.2

Type: SEMVER
Events: Introduced

1.18.0

Fixed

1.18.3

Type: SEMVER
Events: Introduced

1.19.0

Fixed

1.19.3

Affected versions

1.*

1.15.0

1.15.1

1.15.2

1.15.3

1.15.4

1.16.0

1.16.1

1.16.2

1.16.3

1.17.0

1.17.1

1.18.0

1.18.1

1.18.2

1.19.0

1.19.1

1.19.2

Database specific

source

"https://cna.erlef.org/osv/EEF-CVE-2026-54892.json"

Git / github.com/elixir-plug/plug

Affected ranges

Type: GIT
Repo: https://github.com/elixir-plug/plug
Events: Introduced

712b875d3442c765d8d37e546ffd5ad9f8afcc55

Fixed

c317d08fdcf96e17931f7419275b2b8c4bf3e951

Fixed

9c5d37c440eaae92869eed7c014c47266744fadb

Fixed

d737eb236f17e31a36290e39f9ef3cd86a1343bd

Fixed

d4e5568392a4b29e545b91e12e87d6098f976145

Fixed

a61124aa625d819a218fb07f90afbac8aa85eb0e

Database specific

source

"https://cna.erlef.org/osv/EEF-CVE-2026-54892.json"