U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Vulnerability Change Records for CVE-2026-54892

Change History

New CVE Received from EEF 6/23/2026 9:16:43 AM

Action Type Old Value New Value
Added Description

                  
                
              
Inefficient algorithmic complexity in Plug's nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service. Plug.Conn.Query.decode/4 (and Plug.Conn.Query.decode_each/2) parse query strings and application/x-www-form-urlencoded request bodies. When a key contains many bracketed segments such as a[a][a][a]=1, the decoder walks the brackets and, for each of the N levels, performs a map operation keyed on an ever-growing binary prefix of the key, hashing the full byte range at each step. The total decode cost is therefore quadratic in the number of nesting levels.

With the default Plug.Parsers.URLENCODED body limit of 1,000,000 bytes, a single request can carry roughly 333,000 nesting levels and saturate a BEAM scheduler for minutes. A small number of concurrent requests can saturate all schedulers and render a Plug-based server unresponsive. No authentication or knowledge of application routes is required.

This vulnerability is associated with program files lib/plug/conn/query.ex and program routines Plug.Conn.Query.decode/4, Plug.Conn.Query.decode_each/2, Plug.Conn.Query.split_keys/6, Plug.Conn.Query.insert_keys/3, and Plug.Conn.Query.finalize_pointer/2.

This issue affects plug from 1.15.0 before 1.15.5, 1.16.4, 1.17.2, 1.18.3, and 1.19.3.
Added CVSS V4.0

                  
                
              
AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Added CWE

                  
                
              
CWE-407
Added Reference

                  
                
              
https://cna.erlef.org/cves/CVE-2026-54892.html
Added Reference

                  
                
              
https://github.com/elixir-plug/plug/commit/9c5d37c440eaae92869eed7c014c47266744fadb
Added Reference

                  
                
              
https://github.com/elixir-plug/plug/commit/a61124aa625d819a218fb07f90afbac8aa85eb0e
Added Reference

                  
                
              
https://github.com/elixir-plug/plug/commit/c317d08fdcf96e17931f7419275b2b8c4bf3e951
Added Reference

                  
                
              
https://github.com/elixir-plug/plug/commit/d4e5568392a4b29e545b91e12e87d6098f976145
Added Reference

                  
                
              
https://github.com/elixir-plug/plug/commit/d737eb236f17e31a36290e39f9ef3cd86a1343bd
Added Reference

                  
                
              
https://github.com/elixir-plug/plug/security/advisories/GHSA-j43x-5hjq-rgxf
Added Reference

                  
                
              
https://osv.dev/vulnerability/EEF-CVE-2026-54892
Added Affected

                  
                
              
[{"vendor":"elixir-plug","product":"plug","defaultStatus":"unaffected","collectionURL":"https://repo.hex.pm","packageName":"plug","cpes":["cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*"],"modules":["'Elixir.Plug.Conn.Query'"],"programFiles":["lib/plug/conn/query.ex"],"programRoutines":[{"name":"'Elixir.Plug.Conn.Query':decode/4"},{"name":"'Elixir.Plug.Conn.Query':decode_each/2"},{"name":"'Elixir.Plug.Conn.Query':split_keys/6"},{"name":"'Elixir.Plug.Conn.Query':insert_keys/3"},{"name":"'Elixir.Plug.Conn.Query':finalize_pointer/2"}],"repo":"https://github.com/elixir-plug/plug","packageURL":"pkg:hex/plug","versions":[{"version":"1.15.0","lessThan":"1.15.5","versionType":"semver","status":"affected"},{"version":"1.16.0","lessThan":"1.16.4","versionType":"semver","status":"affected"},{"version":"1.17.0","lessThan":"1.17.2","versionType":"semver","status":"affected"},{"version":"1.18.0","lessThan":"1.18.3","versionType":"semver","status":"affected"},{"version":"1.19.0","lessThan":"1.19.3","versionType":"semver","status":"affected"}]},{"vendor":"elixir-plug","product":"plug","defaultStatus":"unaffected","collectionURL":"https://github.com","packageName":"elixir-plug/plug","cpes":["cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*"],"modules":["'Elixir.Plug.Conn.Query'"],"programFiles":["lib/plug/conn/query.ex"],"programRoutines":[{"name":"'Elixir.Plug.Conn.Query':decode/4"},{"name":"'Elixir.Plug.Conn.Query':decode_each/2"},{"name":"'Elixir.Plug.Conn.Query':split_keys/6"},{"name":"'Elixir.Plug.Conn.Query':insert_keys/3"},{"name":"'Elixir.Plug.Conn.Query':finalize_pointer/2"}],"repo":"https://github.com/elixir-plug/plug","packageURL":"pkg:github/elixir-plug/plug","versions":[{"version":"712b875d3442c765d8d37e546ffd5ad9f8afcc55","lessThan":"*","versionType":"git","status":"affected","changes":[{"at":"c317d08fdcf96e17931f7419275b2b8c4bf3e951","status":"unaffected"},{"at":"9c5d37c440eaae92869eed7c014c47266744fadb","status":"unaffected"},{"at":"d737eb236f17e31a36290e39f9ef3cd86a1343bd","status":"unaffected"},{"at":"d4e5568392a4b29e545b91e12e87d6098f976145","status":"unaffected"},{"at":"a61124aa625d819a218fb07f90afbac8aa85eb0e","status":"unaffected"}]}]}]