CVE-2026-54892
Status: Deferred - Pending Action
Denial of Service in Plug Nested-Parameter Decoder

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: EEF

Description
Inefficient algorithmic complexity in Plug's nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service. Plug.Conn.Query.decode/4 (and Plug.Conn.Query.decode_each/2) parse query strings and application/x-www-form-urlencoded request bodies. When a key contains many bracketed segments such as a[a][a][a]=1, the decoder walks the brackets and, for each of the N levels, performs a map operation keyed on an ever-growing binary prefix of the key, hashing the full byte range at each step. The total decode cost is therefore quadratic in the number of nesting levels. With the default Plug.Parsers.URLENCODED body limit of 1,000,000 bytes, a single request can carry roughly 333,000 nesting levels and saturate a BEAM scheduler for minutes. A small number of concurrent requests can saturate all schedulers and render a Plug-based server unresponsive. No authentication or knowledge of application routes is required. This vulnerability is associated with program file lib/plug/conn/query.ex and program routines Plug.Conn.Query.decode/4, Plug.Conn.Query.decode_each/2, Plug.Conn.Query.split_keys/6, Plug.Conn.Query.insert_keys/3, and Plug.Conn.Query.finalize_pointer/2. This issue affects plug from 1.15.0 before 1.15.5, and the 1.16, 1.17, 1.18 and 1.19 release lines before 1.16.4, 1.17.2, 1.18.3 and 1.19.3 respectively.
Meta Information
Generated: 2026-06-23
EPSS Evaluated: N/A
Affected Vendors & Products (5 associated CPEs)

Vendor   Product   Version / Range
elixir   plug      From 1.15.0 (inc) to 1.15.5 (exc)
elixir   plug      1.16.4
elixir   plug      1.17.2
elixir   plug      1.18.3
elixir   plug      1.19.3
CWE
CWE-407: An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.
Compliance Impact

This vulnerability allows an unauthenticated remote attacker to cause a denial of service on any Plug-based server by sending a single request with deeply nested query parameters. The attack can render the server unresponsive by saturating BEAM schedulers, potentially causing service outages.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, denial of service vulnerabilities can indirectly impact compliance by causing service unavailability, which may violate availability requirements in these regulations.

Specifically, regulations like GDPR and HIPAA require organizations to ensure the availability and resilience of their systems to protect personal data. A denial of service attack exploiting this vulnerability could disrupt access to services handling sensitive data, potentially leading to non-compliance with these availability obligations.

Therefore, organizations using affected versions of Plug should apply patches to mitigate this vulnerability to maintain compliance with availability and security requirements in common standards and regulations.

Executive Summary

This vulnerability is caused by inefficient algorithmic complexity in the Plug library's nested-parameter decoder, specifically in the Plug.Conn.Query module. When parsing query strings or application/x-www-form-urlencoded request bodies with deeply nested keys (e.g., a[a][a][a]=1), the decoder performs repeated map operations on increasingly large binary prefixes of the key. This results in quadratic time complexity relative to the nesting depth.

An unauthenticated remote attacker can exploit this by sending a single request with a very deeply nested parameter, causing the BEAM scheduler to be pinned for minutes. Multiple concurrent requests can saturate all schedulers, rendering any Plug-based server unresponsive. No authentication or knowledge of application routes is required to carry out this denial-of-service attack.

Impact Analysis

This vulnerability can severely impact the availability of any Plug-based web service by allowing an attacker to cause a denial of service. A single low-bandwidth request with deeply nested parameters can saturate a BEAM scheduler for minutes, and a small number of concurrent such requests can consume all schedulers.

As a result, the affected server becomes unresponsive, potentially causing downtime and service disruption. This can affect any internet-reachable Plug-based HTTP endpoint, including Phoenix and standalone Elixir/Erlang web applications.

Detection Guidance

This vulnerability can be detected by monitoring for unusually high CPU usage or scheduler saturation on BEAM-based servers (such as those running Elixir Plug applications) when processing HTTP requests with deeply nested query parameters or application/x-www-form-urlencoded bodies.

Specifically, detection involves identifying requests containing query strings or body parameters with excessive nesting, such as keys with many bracketed segments like a[a][a][a]...=1.

While no explicit commands are provided in the resources, network or application-level logging can be used to capture and analyze incoming HTTP requests for deeply nested parameters.

Additionally, monitoring BEAM scheduler utilization and response times can help detect denial-of-service conditions caused by this vulnerability.

Mitigation Strategies

The primary immediate mitigation step is to upgrade the Plug library to a patched version that includes a maximum nesting limit for query parameters.

Patched versions include 1.15.5, 1.16.4, 1.17.2, 1.18.3, and 1.19.3 or later.

These updates introduce a maximum nesting limit of 32 levels for nested query parameters, which prevents excessive resource consumption and denial-of-service attacks by rejecting requests exceeding this limit.

The mitigation involves updating the Plug library in your application dependencies and redeploying your application.

No other configuration changes or authentication requirements are needed to protect against this vulnerability.
