CVE-2026-54297
Faraday Nested Query Parameter Stack Overflow

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description
Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. In versions from 1.0.0 before 1.10.6, and in 2.x versions before 2.14.3, Faraday::NestedParamsEncoder, the default nested query parameter encoder/decoder in Faraday, decodes nested query strings without enforcing a maximum nesting depth. A crafted query string causes Faraday to build a deeply nested Ruby Hash. The internal dehash routine then recursively walks this attacker-controlled structure without a depth limit. At sufficient depth, Ruby raises an uncaught SystemStackError (stack level too deep), crashing the calling thread or worker. This can lead to denial of service in applications that pass attacker-controlled query strings to Faraday's nested query parsing or URL-building paths. This vulnerability is fixed in 1.10.6 and 2.14.3.
Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
AI Q&A: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products (7 associated CPEs)
Vendor      Product   Version / Range
lostisland  faraday   1.0.0
lostisland  faraday   1.10.6
lostisland  faraday   2.14.3
lostisland  faraday   From 1.0.0 (inc) to 1.10.6 (exc)
lostisland  faraday   From 1.10.6 (inc) to 2.14.3 (inc)
lostisland  faraday   From 1.0.0 (inc) to 2.14.2 (inc)
lostisland  faraday   to 1.10.5 (inc)
CWE
CWE-674: The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
AI Quick Actions
Compliance Impact

This vulnerability causes a denial of service (DoS) by crashing the application thread or worker when processing deeply nested query parameters. It does not lead to data disclosure, authentication bypass, or remote code execution.

Since the vulnerability does not expose or compromise sensitive data, it does not directly impact compliance with data protection regulations such as GDPR or HIPAA. However, the denial of service could affect the availability of services, which may indirectly influence compliance if service availability is a regulatory requirement.

Executive Summary

CVE-2026-54297 is a vulnerability in the Faraday HTTP client library's NestedParamsEncoder component. This component decodes nested query strings without limiting how deeply nested they can be. An attacker can craft a malicious query string that creates a very deeply nested Ruby hash structure.

When Faraday processes this deeply nested structure, it recursively walks through it without any depth limit, causing Ruby to raise a SystemStackError due to stack exhaustion (stack level too deep). This error crashes the thread or worker handling the request.

This leads to a denial of service (DoS) condition in applications that use Faraday to parse or build URLs from attacker-controlled query strings. The vulnerability affects Faraday versions from 1.0.0 up to 1.10.5 and 2.14.2, and it is fixed in versions 1.10.6 and 2.14.3.

Impact Analysis

This vulnerability can cause denial of service (DoS) in applications that use Faraday to handle nested query parameters. An attacker can send a specially crafted query string that triggers a stack overflow error, crashing the thread or worker processing the request.

Because the attack requires no authentication or user interaction and can be triggered remotely with a relatively small payload, it can disrupt the availability of services relying on Faraday for HTTP requests.

The impact is limited to availability; it does not allow remote code execution, data disclosure, or authentication bypass.

Detection Guidance

This vulnerability can be detected by monitoring for crashes or SystemStackError exceptions in applications using affected Faraday versions (1.0.0 through 1.10.5, and 2.x through 2.14.2) when they process nested query parameters.

Detection can also involve sending crafted HTTP requests with deeply nested query strings, such as repeated nested parameters of the form "a[x][x][x]...[x]=1", and observing whether the application crashes or raises stack level too deep errors.

The referenced resources provide no specific commands, but curl or any HTTP client can send such a request and the application's behavior can then be observed. Because a positive result crashes the handling thread or worker, run this check against a staging instance rather than a production one.

  • Example curl command to test for the vulnerability: curl "http://target.url/?a[x][x][x][x][x][x][x][x][x][x]=1"

Monitoring application logs for SystemStackError or stack level too deep exceptions during query parameter parsing can also help detect exploitation attempts.

Mitigation Strategies

The immediate mitigation step is to upgrade Faraday to version 1.10.6 or 2.14.3 or later, where the vulnerability is fixed by enforcing a maximum nesting depth limit on nested query parameters.

If upgrading is not immediately possible, validate the input instead: reject query strings whose bracket nesting exceeds a small fixed limit before they reach Faraday, so the request fails with a client error rather than exhausting the stack.
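The stopgap described above, as an added example that is not Faraday's own code: a pre-filter that bounds the bracket nesting depth of a query string (or of a URL's query part) before it is handed to Faraday::NestedParamsEncoder.decode or to URL-building code. MAX_NESTING_DEPTH, the function names and the sample queries are this example's own assumptions and constructed inputs.

```ruby
require "uri"

# Assumed local policy: few legitimate APIs nest parameters more than a
# handful of levels. Tune this for your own endpoints.
MAX_NESTING_DEPTH = 5

class NestingTooDeep < ArgumentError; end

# Largest number of "[" in any single key of a form-encoded query string.
# For the bracket syntax NestedParamsEncoder accepts ("a[x][y]=1") that
# count equals the depth of the Hash the decoder would build, so it is a
# cheap upper bound computed before any recursion happens. Keys are
# percent-decoded first so "%5B" counts the same as "[". A key with broken
# percent-encoding is counted as-is rather than aborting the check.
def max_query_nesting_depth(query)
  query.to_s.split("&").map do |pair|
    raw_key = pair.split("=", 2).first.to_s
    key = begin
      URI.decode_www_form_component(raw_key)
    rescue ArgumentError
      raw_key
    end
    key.count("[")
  end.max || 0
end

# Returns the query unchanged when it is within policy and raises otherwise,
# so the caller can answer with a 400 instead of letting a SystemStackError
# take down the worker.
def enforce_query_nesting!(query, max_depth: MAX_NESTING_DEPTH)
  depth = max_query_nesting_depth(query)
  if depth > max_depth
    raise NestingTooDeep, "query nesting depth #{depth} exceeds limit #{max_depth}"
  end
  query
end

# Same check for a full URL (the URL-building path named in the advisory).
# The query part is cut out with plain string splitting so that unusual
# characters cannot abort the check before the depth is measured.
def enforce_url_nesting!(url, max_depth: MAX_NESTING_DEPTH)
  query = url.to_s.split("?", 2)[1].to_s.split("#", 2).first
  enforce_query_nesting!(query, max_depth: max_depth)
  url
end

# Constructed samples: an ordinary nested query, and one shaped like the
# "a[x][x]...[x]=1" pattern from the detection guidance, 50 levels deep.
BENIGN_QUERY = "user[name]=alice&user[roles][]=admin"
DEEP_QUERY   = "a" + "[x]" * 50 + "=1"
```

Wire enforce_query_nesting! in front of every place that feeds externally supplied query strings or URLs into Faraday, and log NestingTooDeep rejections alongside the SystemStackError monitoring mentioned above.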

Additionally, monitor and block suspicious requests with deeply nested query strings at the network or application firewall level to reduce exposure.
