Description
Inefficient algorithmic complexity in Plug's nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service. Plug.Conn.Query.decode/4 (and Plug.Conn.Query.decode_each/2) parse query strings and application/x-www-form-urlencoded request bodies. When a key contains many bracketed segments such as a[a][a][a]=1, the decoder walks the brackets and, for each of the N levels, performs a map operation keyed on an ever-growing binary prefix of the key, hashing the full byte range at each step. The total decode cost is therefore quadratic in the number of nesting levels.

With the default Plug.Parsers.URLENCODED body limit of 1,000,000 bytes, a single request can carry roughly 333,000 nesting levels and saturate a BEAM scheduler for minutes. A small number of concurrent requests can saturate all schedulers and render a Plug-based server unresponsive. No authentication or knowledge of application routes is required.

This vulnerability is associated with program files lib/plug/conn/query.ex and program routines Plug.Conn.Query.decode/4, Plug.Conn.Query.decode_each/2, Plug.Conn.Query.split_keys/6, Plug.Conn.Query.insert_keys/3, and Plug.Conn.Query.finalize_pointer/2.

This issue affects plug from 1.15.0 before 1.15.5, 1.16.4, 1.17.2, 1.18.3, and 1.19.3.
Published: 2026-06-23
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Inefficient algorithmic complexity in Plug's nested‑parameter decoder causes quadratic decoding time. The flaw is limited to the query and URL‑encoded body parsing code in Plug.Conn.Query. An unauthenticated attacker can supply a request such as a[a][a]…=1 with thousands of nested brackets, forcing the server to perform a large number of hash operations. This can exhaust one or more BEAM scheduler threads for minutes, leading to a denial of service. The vendor identifies the issue as CWE‑407 and rates the severity with a CVSS 8.7 score.

Affected Systems

Affected items are the Elixir‑Plug Plug library. The vulnerability exists in plug releases from 1.15.0 up to 1.15.4, 1.16.4, 1.17.2, 1.18.3, and 1.19.3. Any application that depends on these versions and uses Plug.Conn.Query to parse HTTP query strings or form‑encoded bodies is potentially impacted.

Risk and Exploitability

The vulnerability does not require authentication, specific routes, or administrative privileges, making it straightforward for external actors to trigger. While the exact exploitation probability (EPSS) is not reported, the high CVSS 8.7 score and the ability to saturate a BEAM scheduler by sending a single oversized request indicate a significant risk to availability. The check shows the issue is not listed in CISA KEV, but organizations should treat it as a critical availability threat. Rapid deployment of the vendor patch is advised.

Generated by OpenCVE AI on June 23, 2026 at 13:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Plug 1.15.5 or a later patch that resolves the quadratic decoding issue.
  • Upgrade to Plug 1.16.5 or newer.
  • Upgrade to Plug 1.17.3 or newer.
  • Upgrade to Plug 1.18.4 or newer.
  • Upgrade to Plug 1.19.4 or newer.
  • As an interim mitigation, consider reducing the Plug.Parsers.URLENCODED body size limit below 1,000,000 bytes so that excessively nested requests are rejected before full parsing.

Generated by OpenCVE AI on June 23, 2026 at 13:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 23 Jun 2026 12:45:00 +0000

Type Values Removed Values Added
Description Inefficient algorithmic complexity in Plug's nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service. Plug.Conn.Query.decode/4 (and Plug.Conn.Query.decode_each/2) parse query strings and application/x-www-form-urlencoded request bodies. When a key contains many bracketed segments such as a[a][a][a]=1, the decoder walks the brackets and, for each of the N levels, performs a map operation keyed on an ever-growing binary prefix of the key, hashing the full byte range at each step. The total decode cost is therefore quadratic in the number of nesting levels. With the default Plug.Parsers.URLENCODED body limit of 1,000,000 bytes, a single request can carry roughly 333,000 nesting levels and saturate a BEAM scheduler for minutes. A small number of concurrent requests can saturate all schedulers and render a Plug-based server unresponsive. No authentication or knowledge of application routes is required. This vulnerability is associated with program files lib/plug/conn/query.ex and program routines Plug.Conn.Query.decode/4, Plug.Conn.Query.decode_each/2, Plug.Conn.Query.split_keys/6, Plug.Conn.Query.insert_keys/3, and Plug.Conn.Query.finalize_pointer/2. This issue affects plug from 1.15.0 before 1.15.5, 1.16.4, 1.17.2, 1.18.3, and 1.19.3.
Title Plug: quadratic-time decoding of nested query/body parameters enables denial of service
First Time appeared Elixir-plug
Elixir-plug plug
Weaknesses CWE-407
CPEs cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*
Vendors & Products Elixir-plug
Elixir-plug plug
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Elixir-plug Plug
cve-icon MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-06-23T13:04:27.014Z

Reserved: 2026-06-16T10:47:13.915Z

Link: CVE-2026-54892

cve-icon Vulnrichment

Updated: 2026-06-23T13:04:18.295Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T13:30:03Z

Weaknesses
  • CWE-407

    Inefficient Algorithmic Complexity