Description
Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. From 1.0.0 until 1.10.6 and 2.14.3, Faraday::NestedParamsEncoder, the default nested query parameter encoder/decoder in Faraday, decodes nested query strings without enforcing a maximum nesting depth. A crafted query string causes Faraday to build a deeply nested Ruby Hash structure. The internal dehash routine then recursively walks this attacker-controlled structure without a depth limit. At sufficient depth, Ruby raises an uncaught SystemStackError (stack level too deep), crashing the calling thread or worker. This can lead to denial of service in applications that pass attacker-controlled query strings to Faraday's nested query parsing or URL-building paths. This vulnerability is fixed in 1.10.6 and 2.14.3.
Published: 2026-06-24
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Faraday's nested query parameter decoder recursively walks an attacker-controlled Hash without a depth limit. When a crafted query string is passed to Faraday::NestedParamsEncoder for decoding, Ruby ultimately raises an uncaught SystemStackError, terminating the thread or worker and making the application unavailable. The flaw is a classic uncontrolled recursion issue (CWE-674) and poses a pure denial-of-service risk with no direct impact on confidentiality or integrity.

Affected Systems

The vulnerability affects the Faraday HTTP client library maintained by lostisland. Versions from the initial 1.0.0 release up to but excluding 1.10.6, and the 2.x series up to but excluding 2.14.3, are affected. Later releases include the fix.

Risk and Exploitability

The CVSS score of 7.5 reflects high severity with a denial-of-service impact. No EPSS score is available, so no quantitative exploitation likelihood can be claimed, and the CVE is not listed in the CISA KEV catalog. The flaw can be triggered by anyone who controls the query string an application hands to Faraday, so the risk is most pronounced for API endpoints and services that forward user-supplied URLs or query parameters directly. Without a depth limit, sufficiently deep query parameters cause a stack overflow, crash application threads, and disrupt service availability.

Generated by OpenCVE AI on June 24, 2026 at 17:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Faraday to 1.10.6 or later in the 1.x series, or to 2.14.3 or later in the 2.x series
  • Apply a custom wrapper around Faraday::NestedParamsEncoder that limits nesting depth before the query string is parsed
  • Add monitoring for SystemStackError exceptions and implement graceful recovery or restart of affected services
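The depth-limiting wrapper suggested above, as an added example (not code from Faraday or OpenCVE): it measures the bracket nesting depth of every key in a raw query string without building any nested Hash, and rejects the request before the string reaches Faraday::NestedParamsEncoder. The limit of 32 and the sample queries are constructed for illustration.

```ruby
require 'cgi'

# Maximum bracket nesting depth accepted for any single query key.
# Constructed value for this example; pick the smallest depth your API needs.
MAX_NESTING_DEPTH = 32

# Raised when a query string nests deeper than the configured limit.
class QueryTooDeep < ArgumentError; end

# Nesting depth of one decoded key: "a" => 0, "a[b]" => 1, "a[][b]" => 2.
# A regex scan is linear in the key length, so the check itself cannot recurse.
def key_nesting_depth(key)
  key.scan(/\[[^\]]*\]/).length
end

# Deepest key in a raw query string, returned as [depth, key].
# Keys are percent-decoded first so "%5B" and "[" are counted alike.
def max_nesting_depth(query)
  query.to_s.split('&')
       .map { |pair| CGI.unescape(pair.split('=', 2).first.to_s) }
       .map { |key| [key_nesting_depth(key), key] }
       .max_by(&:first) || [0, nil]
end

def query_depth_ok?(query, limit = MAX_NESTING_DEPTH)
  max_nesting_depth(query).first <= limit
end

# Guard to call before handing a query string to a nested-params decoder;
# returns the query unchanged when it is within the limit.
def assert_query_depth!(query, limit = MAX_NESTING_DEPTH)
  depth, key = max_nesting_depth(query)
  if depth > limit
    raise QueryTooDeep, "key #{key.inspect} nests #{depth} levels (limit #{limit})"
  end
  query
end

# Constructed sample inputs: a normal nested form and an over-deep key.
BENIGN_QUERY = 'user[name]=alice&user[roles][]=admin&page=2'
DEEP_QUERY   = 'a' + ('[x]' * 40) + '=1'

if __FILE__ == $PROGRAM_NAME
  puts "benign: #{query_depth_ok?(BENIGN_QUERY)}"   # benign: true
  puts "deep:   #{query_depth_ok?(DEEP_QUERY)}"     # deep:   false
end
```

Rejected requests surface as a QueryTooDeep exception that the application can map to a 400 response, which is both cheaper and easier to monitor than a worker dying with SystemStackError.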


Advisories

Source: GitHub GHSA
ID: GHSA-98m9-hrrm-r99r
Title: Faraday: Uncontrolled recursion in NestedParamsEncoder allows stack exhaustion DoS via deeply nested query parameters
History

Thu, 25 Jun 2026 00:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-770
References | |
Metrics | threat_severity: None | threat_severity: Important

Wed, 24 Jun 2026 21:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Lostisland; Lostisland faraday
Vendors & Products | | Lostisland; Lostisland faraday

Wed, 24 Jun 2026 16:30:00 +0000

Type | Values Removed | Values Added
Description | | (the Description text shown at the top of this page)
Title | | Faraday: Uncontrolled recursion in NestedParamsEncoder allows stack exhaustion DoS via deeply nested query parameters
Weaknesses | | CWE-674
References | |
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T15:50:08.949Z

Reserved: 2026-06-12T17:46:37.293Z

Link: CVE-2026-54297

Vulnrichment

No data.

NVD

No data.

Redhat

Severity : Important

Public Date: 2026-06-24T15:50:08Z

Links: CVE-2026-54297 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-24T21:00:11Z

Weaknesses
  • CWE-674: Uncontrolled Recursion
  • CWE-770: Allocation of Resources Without Limits or Throttling