CVE-2026-54892
HighCVSS 8.7Summary
Plug has an efficiency issue in the nested-parameter decoder that allows an unauthenticated remote attacker to cause denial of service. The decoding algorithm's complexity is quadratic in relation to the number of nesting levels, which can lead to server unresponsiveness.
Risk Assessment
An attacker can exploit this vulnerability to overload the server, resulting in its unavailability. Only the ability to send a specific request is required, with no authentication needed.
Recommendation
It is recommended to update Plug to versions 1.15.5, 1.16.4, 1.17.2, 1.18.3, or 1.19.3 to mitigate this vulnerability. Additionally, consider limiting the number of nestings in queries.
Original NVD description (English source)
Inefficient algorithmic complexity in Plug's nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service. Plug.Conn.Query.decode/4 (and Plug.Conn.Query.decode_each/2) parse query strings and application/x-www-form-urlencoded request bodies. When a key contains many bracketed segments such as a[a][a][a]=1, the decoder walks the brackets and, for each of the N levels, performs a map operation keyed on an ever-growing binary prefix of the key, hashing the full byte range at each step. The total decode cost is therefore quadratic in the number of nesting levels. With the default Plug.Parsers.URLENCODED body limit of 1,000,000 bytes, a single request can carry roughly 333,000 nesting levels and saturate a BEAM scheduler for minutes. A small number of concurrent requests can saturate all schedulers and render a Plug-based server unresponsive. No authentication or knowledge of application routes is required. This vulnerability is associated with program files lib/plug/conn/query.ex and program routines Plug.Conn.Query.decode/4, Plug.Conn.Query.decode_each/2, Plug.Conn.Query.split_keys/6, Plug.Conn.Query.insert_keys/3, and Plug.Conn.Query.finalize_pointer/2. This issue affects plug from 1.15.0 before 1.15.5, 1.16.4, 1.17.2, 1.18.3, and 1.19.3.

