Plug: quadratic-time decoding of nested query/body parameters enables denial of...

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Description

Inefficient algorithmic complexity in Plug's nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service. Plug.Conn.Query.decode/4 (and Plug.Conn.Query.decode_each/2) parse query strings and application/x-www-form-urlencoded request bodies. When a key contains many bracketed segments such as a[a][a][a]=1, the decoder walks the brackets and, for each of the N levels, performs a map operation keyed on an ever-growing binary prefix of the key, hashing the full byte range at each step. The total decode cost is therefore quadratic in the number of nesting levels.

With the default Plug.Parsers.URLENCODED body limit of 1,000,000 bytes, a single request can carry roughly 333,000 nesting levels and saturate a BEAM scheduler for minutes. A small number of concurrent requests can saturate all schedulers and render a Plug-based server unresponsive. No authentication or knowledge of application routes is required.

This vulnerability is associated with program files lib/plug/conn/query.ex and program routines Plug.Conn.Query.decode/4, Plug.Conn.Query.decode_each/2, Plug.Conn.Query.split_keys/6, Plug.Conn.Query.insert_keys/3, and Plug.Conn.Query.finalize_pointer/2.

This issue affects plug from 1.15.0 before 1.15.5, 1.16.4, 1.17.2, 1.18.3, and 1.19.3.

AI Analysis

Inefficient algorithmic complexity in Plug's nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service

Basic Information

ID CVE-2026-54892

Source EEF

Published Jun 23, 2026 at 12:31

Affected Product

Vendor elixir-plug

Product plug

Version 1.15.0

Affected Versions elixir-plug plug 1.15.0
elixir-plug plug 1.16.0
elixir-plug plug 1.17.0
elixir-plug plug 1.18.0
elixir-plug plug 1.19.0
elixir-plug plug 712b875d3442c765d8d37e546ffd5ad9f8afcc55

CWE Classification

CWE-407

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor Elixir-Plug

Product Plug

Version 1.15.0, 1.16.0, 1.16.4, 1.17.0, 1.17.2, 1.18.0, 1.18.3, 1.19.0, 1.19.3

References

{
    "lastseen": "",
    "description": "Inefficient algorithmic complexity in Plug's nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service. Plug.Conn.Query.decode/4 (and Plug.Conn.Query.decode_each/2) parse query strings and application/x-www-form-urlencoded request bodies. When a key contains many bracketed segments such as a[a][a][a]=1, the decoder walks the brackets and, for each of the N levels, performs a map operation keyed on an ever-growing binary prefix of the key, hashing the full byte range at each step. The total decode cost is therefore quadratic in the number of nesting levels.\n\nWith the default Plug.Parsers.URLENCODED body limit of 1,000,000 bytes, a single request can carry roughly 333,000 nesting levels and saturate a BEAM scheduler for minutes. A small number of concurrent requests can saturate all schedulers and render a Plug-based server unresponsive. No authentication or knowledge of application routes is required.\n\nThis vulnerability is associated with program files lib/plug/conn/query.ex and program routines Plug.Conn.Query.decode/4, Plug.Conn.Query.decode_each/2, Plug.Conn.Query.split_keys/6, Plug.Conn.Query.insert_keys/3, and Plug.Conn.Query.finalize_pointer/2.\n\nThis issue affects plug from 1.15.0 before 1.15.5, 1.16.4, 1.17.2, 1.18.3, and 1.19.3.",
    "published": "2026-06-23T12:31:12.629Z",
    "modified": "2026-06-23T12:31:12.629Z",
    "type": "cve",
    "title": "Plug: quadratic-time decoding of nested query/body parameters enables denial of service",
    "source": "EEF",
    "references": "https://github.com/elixir-plug/plug/security/advisories/GHSA-j43x-5hjq-rgxf\nhttps://cna.erlef.org/cves/CVE-2026-54892.html\nhttps://osv.dev/vulnerability/EEF-CVE-2026-54892\nhttps://github.com/elixir-plug/plug/commit/c317d08fdcf96e17931f7419275b2b8c4bf3e951\nhttps://github.com/elixir-plug/plug/commit/9c5d37c440eaae92869eed7c014c47266744fadb\nhttps://github.com/elixir-plug/plug/commit/d737eb236f17e31a36290e39f9ef3cd86a1343bd\nhttps://github.com/elixir-plug/plug/commit/d4e5568392a4b29e545b91e12e87d6098f976145\nhttps://github.com/elixir-plug/plug/commit/a61124aa625d819a218fb07f90afbac8aa85eb0e",
    "id": "CVE-2026-54892",
    "bulletinFamily": "",
    "cwe": [
        "CWE-407"
    ],
    "cvelist": null,
    "sourceData": "elixir-plug plug 1.15.0\nelixir-plug plug 1.16.0\nelixir-plug plug 1.17.0\nelixir-plug plug 1.18.0\nelixir-plug plug 1.19.0\nelixir-plug plug 712b875d3442c765d8d37e546ffd5ad9f8afcc55",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "plug",
    "version": "1.15.0",
    "vendor": "elixir-plug",
    "ai_description": "Inefficient algorithmic complexity in Plug's nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service",
    "ai_severity": "High",
    "ai_vendor": "Elixir-Plug",
    "ai_product": "Plug",
    "ai_version": "1.15.0, 1.16.0, 1.16.4, 1.17.0, 1.17.2, 1.18.0, 1.18.3, 1.19.0, 1.19.3",
    "ai_score": 8.7
}

Plug: quadratic-time decoding of nested query/body parameters enables denial of service_CVE-2026-54892