CVE-2026-54892

Plug: quadratic-time decoding of nested query/body parameters enables denial of service

Previous Page: « Back to all CVEs Next Page: See on OSV.dev »

Weakness Type (CWE)

CWE-407 — CWE-407 Inefficient Algorithmic Complexity

CAPEC

• CAPEC-229 — CAPEC-229 Serialized Data Parameter Blowup

CVSS 4.0 Score

8.7

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Vulnerability description

Inefficient algorithmic complexity in Plug's nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service. Plug.Conn.Query.decode/4 (and Plug.Conn.Query.decode_each/2) parse query strings and application/x-www-form-urlencoded request bodies. When a key contains many bracketed segments such as a[a][a][a]=1, the decoder walks the brackets and, for each of the N levels, performs a map operation keyed on an ever-growing binary prefix of the key, hashing the full byte range at each step. The total decode cost is therefore quadratic in the number of nesting levels.

With the default Plug.Parsers.URLENCODED body limit of 1,000,000 bytes, a single request can carry roughly 333,000 nesting levels and saturate a BEAM scheduler for minutes. A small number of concurrent requests can saturate all schedulers and render a Plug-based server unresponsive. No authentication or knowledge of application routes is required.

This vulnerability is associated with program files lib/plug/conn/query.ex and program routines Plug.Conn.Query.decode/4, Plug.Conn.Query.decode_each/2, Plug.Conn.Query.split_keys/6, Plug.Conn.Query.insert_keys/3, and Plug.Conn.Query.finalize_pointer/2.

This issue affects plug from 1.15.0 before 1.15.5, 1.16.4, 1.17.2, 1.18.3, and 1.19.3.

Affected

pkg:hex/plug

Module	Source File	Routine
Plug.Conn.Query	lib/plug/conn/query.ex	Plug.Conn.Query.decode/4
		Plug.Conn.Query.decode_each/2
		Plug.Conn.Query.split_keys/6
		Plug.Conn.Query.insert_keys/3
		Plug.Conn.Query.finalize_pointer/2

Status	Type	Version	Changes / Fixed in
affected	semver ⓘ	1.15.0	< 1.15.5
affected	semver ⓘ	1.16.0	< 1.16.4
affected	semver ⓘ	1.17.0	< 1.17.2
affected	semver ⓘ	1.18.0	< 1.18.3
affected	semver ⓘ	1.19.0	< 1.19.3

pkg:github/elixir-plug/plug

Module	Source File	Routine
Plug.Conn.Query	lib/plug/conn/query.ex	Plug.Conn.Query.decode/4
		Plug.Conn.Query.decode_each/2
		Plug.Conn.Query.split_keys/6
		Plug.Conn.Query.insert_keys/3
		Plug.Conn.Query.finalize_pointer/2

Status	Type	Version	Changes / Fixed in
affected	git ⓘ	712b875d34	unaffected at c317d08fdc unaffected at 9c5d37c440 unaffected at d737eb236f unaffected at d4e5568392 unaffected at a61124aa62

References

• https://github.com/elixir-plug/plug/security/advisories/GHSA-j43x-5hjq-rgxf vendor-advisory related
• https://osv.dev/vulnerability/EEF-CVE-2026-54892 related
• https://github.com/elixir-plug/plug/commit/c317d08fdcf96e17931f7419275b2b8c4bf3e951 patch
• https://github.com/elixir-plug/plug/commit/9c5d37c440eaae92869eed7c014c47266744fadb patch
• https://github.com/elixir-plug/plug/commit/d737eb236f17e31a36290e39f9ef3cd86a1343bd patch
• https://github.com/elixir-plug/plug/commit/d4e5568392a4b29e545b91e12e87d6098f976145 patch
• https://github.com/elixir-plug/plug/commit/a61124aa625d819a218fb07f90afbac8aa85eb0e patch

Credits

• Finder: Braidon Whatley
• Remediation developer: José Valim
• Analyst: Jonatan Männchen / EEF

CVE record as JSON:  GET /cves/CVE-2026-54892.json
OSV record as JSON:  GET /osv/EEF-CVE-2026-54892.json