CVE-2026-54892: CWE-407 Inefficient Algorithmic Complexity in elixir-plug plug
Inefficient algorithmic complexity in Plug's nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service. Plug.Conn.Query.decode/4 (and Plug.Conn.Query.decode_each/2) parse query strings and application/x-www-form-urlencoded request bodies. When a key contains many bracketed segments such as a[a][a][a]=1, the decoder walks the brackets and, for each of the N levels, performs a map operation keyed on an ever-growing binary prefix of the key, hashing the full byte range at each step. The total decode cost is therefore quadratic in the number of nesting levels. With the default Plug.Parsers.URLENCODED body limit of 1,000,000 bytes, a single request can carry roughly 333,000 nesting levels and saturate a BEAM scheduler for minutes. A small number of concurrent requests can saturate all schedulers and render a Plug-based server unresponsive. No authentication or knowledge of application routes is required. This vulnerability is associated with program files lib/plug/conn/query.ex and program routines Plug.Conn.Query.decode/4, Plug.Conn.Query.decode_each/2, Plug.Conn.Query.split_keys/6, Plug.Conn.Query.insert_keys/3, and Plug.Conn.Query.finalize_pointer/2. This issue affects plug from 1.15.0 before 1.15.5, 1.16.4, 1.17.2, 1.18.3, and 1.19.3.
AI Analysis
Technical Summary
CVE-2026-54892 describes an inefficient algorithmic complexity vulnerability (CWE-407) in the Plug.Conn.Query.decode/4 and related functions of the elixir-plug library. The vulnerability arises when parsing query strings or application/x-www-form-urlencoded bodies containing keys with many bracketed segments (e.g., a[a][a][a]=1). The decoder performs a map operation for each nesting level, with the cost growing quadratically relative to the number of nesting levels. With the default body size limit, a single request can contain approximately 333,000 nesting levels, saturating a BEAM scheduler for minutes. Multiple concurrent requests can exhaust all schedulers, causing a denial of service. No authentication or route knowledge is required to exploit this. Affected versions include 1.15.0 before 1.15.5, 1.16.0 before 1.16.4, 1.17.0 before 1.17.2, 1.18.0 before 1.18.3, and 1.19.0 before 1.19.3.
Potential Impact
An unauthenticated attacker can cause a denial of service by sending specially crafted requests with deeply nested parameters, leading to high CPU usage and server unresponsiveness. This affects availability of services using vulnerable plug versions.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until patches are confirmed, consider limiting the maximum allowed nesting depth in request parameters or applying rate limiting to mitigate potential denial of service. Monitor vendor channels for official fixes.
CVE-2026-54892: CWE-407 Inefficient Algorithmic Complexity in elixir-plug plug
Description
Inefficient algorithmic complexity in Plug's nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service. Plug.Conn.Query.decode/4 (and Plug.Conn.Query.decode_each/2) parse query strings and application/x-www-form-urlencoded request bodies. When a key contains many bracketed segments such as a[a][a][a]=1, the decoder walks the brackets and, for each of the N levels, performs a map operation keyed on an ever-growing binary prefix of the key, hashing the full byte range at each step. The total decode cost is therefore quadratic in the number of nesting levels. With the default Plug.Parsers.URLENCODED body limit of 1,000,000 bytes, a single request can carry roughly 333,000 nesting levels and saturate a BEAM scheduler for minutes. A small number of concurrent requests can saturate all schedulers and render a Plug-based server unresponsive. No authentication or knowledge of application routes is required. This vulnerability is associated with program files lib/plug/conn/query.ex and program routines Plug.Conn.Query.decode/4, Plug.Conn.Query.decode_each/2, Plug.Conn.Query.split_keys/6, Plug.Conn.Query.insert_keys/3, and Plug.Conn.Query.finalize_pointer/2. This issue affects plug from 1.15.0 before 1.15.5, 1.16.4, 1.17.2, 1.18.3, and 1.19.3.
CVSS v4.0
Score 8.7high
Affected software
pkg:hex/plugcpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-54892 describes an inefficient algorithmic complexity vulnerability (CWE-407) in the Plug.Conn.Query.decode/4 and related functions of the elixir-plug library. The vulnerability arises when parsing query strings or application/x-www-form-urlencoded bodies containing keys with many bracketed segments (e.g., a[a][a][a]=1). The decoder performs a map operation for each nesting level, with the cost growing quadratically relative to the number of nesting levels. With the default body size limit, a single request can contain approximately 333,000 nesting levels, saturating a BEAM scheduler for minutes. Multiple concurrent requests can exhaust all schedulers, causing a denial of service. No authentication or route knowledge is required to exploit this. Affected versions include 1.15.0 before 1.15.5, 1.16.0 before 1.16.4, 1.17.0 before 1.17.2, 1.18.0 before 1.18.3, and 1.19.0 before 1.19.3.
Potential Impact
An unauthenticated attacker can cause a denial of service by sending specially crafted requests with deeply nested parameters, leading to high CPU usage and server unresponsiveness. This affects availability of services using vulnerable plug versions.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until patches are confirmed, consider limiting the maximum allowed nesting depth in request parameters or applying rate limiting to mitigate potential denial of service. Monitor vendor channels for official fixes.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- EEF
- Date Reserved
- 2026-06-16T10:47:13.915Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a3a81fdeed863c81e009c49
Added to database: 06/23/2026, 12:54:21 UTC
Last enriched: 06/23/2026, 13:09:16 UTC
Last updated: 06/23/2026, 14:13:46 UTC
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.