CVE-2026-54892 in pluginfo

Summary

by MITRE • 06/23/2026

Inefficient algorithmic complexity in Plug's nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service. Plug.Conn.Query.decode/4 (and Plug.Conn.Query.decode_each/2) parse query strings and application/x-www-form-urlencoded request bodies. When a key contains many bracketed segments such as a[a][a][a]=1, the decoder walks the brackets and, for each of the N levels, performs a map operation keyed on an ever-growing binary prefix of the key, hashing the full byte range at each step. The total decode cost is therefore quadratic in the number of nesting levels.

With the default Plug.Parsers.URLENCODED body limit of 1,000,000 bytes, a single request can carry roughly 333,000 nesting levels and saturate a BEAM scheduler for minutes. A small number of concurrent requests can saturate all schedulers and render a Plug-based server unresponsive. No authentication or knowledge of application routes is required.
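
To see the growth curve the summary describes on a concrete installation, the following script (an added example, not part of the advisory or of Plug itself) decodes the advisory's a[a]...[a]=1 key shape at increasing depths with Plug.Conn.Query.decode/1 and reports the wall-clock time. It assumes Elixir with Mix.install and network access to fetch Plug; the version requirement is an assumption and must be pinned to an unpatched release from the affected ranges to reproduce the quadratic growth, while a fixed release should show the doubling ratio staying near 2.

```elixir
# Added example: measure how decode time grows with nesting depth.
# Pin an unpatched Plug release from the affected ranges to reproduce;
# the requirement below is an assumption, adjust it to the version under test.
Mix.install([{:plug, "~> 1.19"}])

defmodule NestingCost do
  # Builds the key shape from the advisory: "a[a][a]...[a]=1" with `depth`
  # bracketed segments. Each "[a]" is 3 bytes, so a 1,000,000-byte body
  # holds roughly 333,000 levels, as the summary states.
  def payload(depth) when is_integer(depth) and depth >= 0 do
    "a" <> String.duplicate("[a]", depth) <> "=1"
  end

  # Decodes one payload with Plug's real decoder and returns the time in
  # microseconds.
  def decode_micros(depth) do
    {micros, _params} = :timer.tc(fn -> Plug.Conn.Query.decode(payload(depth)) end)
    micros
  end

  # Ratio between the decode time at 2*depth and at depth: about 2 for a
  # linear decoder, about 4 for the quadratic one the advisory describes.
  def doubling_ratio(depth) do
    decode_micros(2 * depth) / max(decode_micros(depth), 1)
  end
end

for depth <- [2_000, 4_000, 8_000, 16_000] do
  micros = NestingCost.decode_micros(depth)
  bytes = byte_size(NestingCost.payload(depth))

  IO.puts(
    "depth=#{depth} bytes=#{bytes} decode=#{Float.round(micros / 1000, 1)} ms " <>
      "doubling_ratio=#{Float.round(NestingCost.doubling_ratio(depth), 2)}"
  )
end
```

The depths are kept well below the 333,000 the body limit allows so that the script finishes in seconds on an unpatched release; extrapolating the measured ratio to that depth is what turns seconds into the minutes the summary mentions.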

This vulnerability is associated with program files lib/plug/conn/query.ex and program routines Plug.Conn.Query.decode/4, Plug.Conn.Query.decode_each/2, Plug.Conn.Query.split_keys/6, Plug.Conn.Query.insert_keys/3, and Plug.Conn.Query.finalize_pointer/2.

This issue affects plug from 1.15.0 up to, but not including, the fixed release of each line: 1.15.5, 1.16.4, 1.17.2, 1.18.3 and 1.19.3.


Analysis

by VulDB Data Team • 06/23/2026

The vulnerability is a denial-of-service weakness in the Plug web framework's query-parameter parsing, specifically in the nested-parameter decoder. Plug.Conn.Query.decode/4 and Plug.Conn.Query.decode_each/2 process bracketed keys in query strings and form-encoded request bodies, and the way they handle deeply nested keys makes decode cost grow quadratically, not linearly, with nesting depth. The flaw is reachable by a remote attacker without authentication and without any knowledge of the application's routes, because the cost is paid while the request is being parsed.

The flaw is in how the decoder walks a bracketed key. For each nesting level it performs a map operation keyed on the binary prefix of the key accumulated so far, and hashing that prefix touches every byte of it, so the per-level cost grows with the depth already consumed. Summing over a key with N bracketed segments, such as a[a][a][a]=1 extended to thousands of levels, gives O(N^2) total work: doubling the depth roughly quadruples the decode time.

The operational impact is that a Plug-based web server can be made unresponsive for extended periods by a small number of requests. Under the default Plug.Parsers.URLENCODED body limit of 1,000,000 bytes, a single request can carry roughly 333,000 nesting levels (about three bytes per "[a]" segment) and keep one BEAM scheduler busy for minutes. Schedulers default to one per core, so a handful of concurrent requests, not a flood, is enough to saturate all of them and stall every connection the node is serving for as long as the decodes run. Because the work happens during parsing, the requests never need to reach a valid route.

In classification terms this is CWE-407 (Inefficient Algorithmic Complexity), a specific case of the CWE-400 uncontrolled-resource-consumption family, and it maps to the ATT&CK technique T1499 (Endpoint Denial of Service). No authentication is required, so any publicly reachable Plug-based server on an affected version is exposed regardless of its application structure. The affected ranges cover every release line from 1.15.0 onward, so exposure across the ecosystem is broad and developers and security teams managing applications on this stack should treat the upgrade as urgent.

Remediation is to upgrade to the first fixed release of the line in use: 1.15.5, 1.16.4, 1.17.2, 1.18.3 or 1.19.3. Where that cannot happen immediately, defences must act before Plug.Conn.Query.decode/4 runs, because the cost is incurred during parsing: cap the number of bracketed segments a key may contain with a plug that inspects the raw query string and, through the :body_reader option of Plug.Parsers, the raw urlencoded body; lower the :length limit of the urlencoded parser (the cost is quadratic in the depth, so a 100,000-byte limit cuts the worst case by roughly a hundredfold rather than tenfold); and rate-limit or block at the edge. Any such filter must count brackets after percent-decoding the key, since %5B and %5D decode to the same characters the decoder sees. Monitoring scheduler utilisation and looking for requests whose bodies consist almost entirely of repeated bracket segments helps detect exploitation attempts.
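
One way to enforce a nesting cap ahead of the decoder, as an added example that is not part of Plug or of the advisory: the module below is a plug for the query-string side and a replacement body reader for the urlencoded-body side. The module name, the max_depth option and the limit of 32 are assumptions chosen for this example. The :body_reader option of Plug.Parsers and its {Module, :function, [args]} form are documented Plug features; the claim that an {:error, _} result from the body reader is turned into Plug.BadRequestError (HTTP 400) is my reading of Plug.Parsers.URLENCODED and should be verified against the version in use.

```elixir
defmodule MyApp.NestingGuard do
  @moduledoc """
  Added example (not part of Plug): rejects requests whose www-form-encoded
  keys nest deeper than `max_depth` bracketed segments, before
  Plug.Conn.Query.decode/4 ever sees them. Module and option names are
  assumptions chosen for this example.

  Wiring, placed before Plug.Parsers in the endpoint or router:

      plug MyApp.NestingGuard, max_depth: 32
      plug Plug.Parsers,
        parsers: [:urlencoded, :multipart, :json],
        body_reader: {MyApp.NestingGuard, :read_body, [32]}
  """
  @behaviour Plug
  import Plug.Conn

  @default_max_depth 32

  @impl true
  def init(opts), do: Keyword.get(opts, :max_depth, @default_max_depth)

  # Query-string side: the raw, still percent-encoded query string is checked
  # here, before fetch_query_params/2 (called by Plug.Parsers) decodes it.
  @impl true
  def call(conn, max_depth) do
    if max_nesting(conn.query_string) > max_depth do
      conn
      |> send_resp(400, "query string nested too deeply")
      |> halt()
    else
      conn
    end
  end

  # Body side: drop-in for the :body_reader option of Plug.Parsers. Plug calls
  # it as read_body(conn, read_opts, max_depth) because of the extra MFA
  # argument. Only urlencoded bodies are inspected; brackets in JSON mean
  # something else. Returning {:error, _} makes Plug.Parsers.URLENCODED raise
  # Plug.BadRequestError (HTTP 400) in the sources reviewed for this example;
  # verify that against the Plug version in use.
  def read_body(conn, read_opts, max_depth \\ @default_max_depth) do
    with {:ok, body, conn} <- Plug.Conn.read_body(conn, read_opts),
         true <- depth_ok?(conn, body, max_depth) do
      {:ok, body, conn}
    else
      false -> {:error, :nested_too_deep}
      other -> other
    end
  end

  defp depth_ok?(conn, body, max_depth) do
    not urlencoded?(conn) or max_nesting(body) <= max_depth
  end

  defp urlencoded?(conn) do
    case get_req_header(conn, "content-type") do
      [ct | _] -> String.starts_with?(String.downcase(ct), "application/x-www-form-urlencoded")
      [] -> false
    end
  end

  @doc """
  Largest number of "[" characters in any key of a www-form-encoded string,
  i.e. the deepest structure Plug.Conn.Query would build from it. Keys are
  percent-decoded first because %5B is just "[" to the decoder; a malformed
  encoding is counted as-is and left for Plug to reject. Cost is linear in
  the input size, so the guard itself cannot be used for the same attack.
  """
  def max_nesting(encoded) when is_binary(encoded) do
    encoded
    |> String.split("&")
    |> Enum.map(&key_depth/1)
    |> Enum.max()
  end

  defp key_depth(pair) do
    [key | _] = String.split(pair, "=", parts: 2)
    length(:binary.matches(decode_key(key), "["))
  end

  defp decode_key(key) do
    URI.decode_www_form(key)
  rescue
    ArgumentError -> key
  end
end
```

max_nesting/1 counts percent-encoded brackets as well as literal ones, so "a%5Ba%5D=1&b=2" yields 1 just as "a[a]=1&b=2" does. Since the numbers in the summary come from the body limit, the body_reader path is the one that matters most; the query-string check is cheap insurance for servers whose front end accepts long request lines.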

The vulnerability demonstrates how seemingly innocuous parsing logic can create catastrophic performance issues when combined with inadequate input validation and resource management. This type of algorithmic complexity attack represents a class of problems that frequently appear in web frameworks where parsing routines must handle arbitrary user input while maintaining reasonable performance characteristics, making it essential for developers to understand the computational implications of their parsing algorithms and implement appropriate safeguards against such attacks.

Responsible

EEF

Reservation

06/16/2026

Disclosure

06/23/2026

Moderation

accepted

CPE

ready

EPSS

0.00707

KEV

no

Activities

medium
