PatchSiren cyber security CVE debrief
CVE-2026-54892 elixir-plug CVE debrief
CVE-2026-54892 is a high-severity vulnerability in Plug's nested-parameter decoder. An unauthenticated remote attacker can exploit it to cause a denial of service. The flaw is inefficient algorithmic complexity in the decoder: a key containing many bracketed segments makes decoding disproportionately expensive. Affected versions are plug 1.15.0 and later up to, but not including, the fixed releases 1.15.5, 1.16.4, 1.17.2, 1.18.3 and 1.19.3. The CVSS score is 8.7 (High). The vulnerability is located in the source file lib/plug/conn/query.ex, in the routines Plug.Conn.Query.decode/4, Plug.Conn.Query.decode_each/2, Plug.Conn.Query.split_keys/6, Plug.Conn.Query.insert_keys/3 and Plug.Conn.Query.finalize_pointer/2.
- Vendor: elixir-plug
- Product: plug
- CVSS: HIGH 8.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-23
- Original CVE updated: 2026-06-23
- Advisory published: 2026-06-23
- Advisory updated: 2026-06-23
Who should care
This vulnerability affects users of the Plug library, particularly those who rely on the Plug.Conn.Query.decode/4 and Plug.Conn.Query.decode_each/2 functions. Any application that uses these functions, directly or through Plug.Parsers, to parse untrusted query strings or application/x-www-form-urlencoded request bodies is potentially vulnerable. Users of Plug versions 1.15.0 through 1.15.4, 1.16.0 through 1.16.3, 1.17.0 through 1.17.1, 1.18.0 through 1.18.2, and 1.19.0 through 1.19.2 should upgrade to a patched version without delay.
Technical summary
The vulnerability in Plug's nested-parameter decoder arises from the decoder's inefficient handling of keys with many bracketed segments. Given a key such as a[a][a][a]=1, the decoder walks the brackets one segment at a time and, at each segment, performs a map operation keyed on the prefix of the key consumed so far. That prefix grows with every step and is hashed in full each time, so the total decode cost is quadratic in the number of nesting levels. With the default Plug.Parsers.URLENCODED body limit of 1,000,000 bytes, a single request can carry roughly 333,000 nesting levels and keep one BEAM scheduler busy for minutes. A small number of concurrent requests can occupy all schedulers and render a Plug-based server unresponsive.
Defensive priority
Upgrading to a patched Plug release is the top priority. Until that is done, defenders can reduce exposure by lowering the request body size limit and by monitoring for request patterns consistent with this issue, such as a single key made of very many bracketed segments.
Recommended defensive actions
- Upgrade to a patched version of Plug (1.15.5, 1.16.4, 1.17.2, 1.18.3 or 1.19.3).
- Lower the request body size limit so that oversized payloads are rejected before they are parsed; the decode cost scales with the number of nesting levels a body can carry.
- Monitor for request patterns consistent with this issue, such as form or query keys made of very many bracketed segments, and for scheduler saturation on Plug-based nodes.
- Consider rate limiting or blocking abusive sources, since a small number of concurrent requests is enough to saturate all schedulers.
- Review application code that calls Plug.Conn.Query.decode/4 or Plug.Conn.Query.decode_each/2 directly on untrusted input; the Plug.Parsers body limit does not apply to such direct calls.
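As an added illustration of the technical summary and the mitigations above (example code written for this debrief, not Plug's own decoder and not the upstream fix), the Python below shows two defensive properties for this bug class: a pre-check that rejects any key with more bracketed segments than a policy cap before decoding starts, and a decoder whose map operations hash each segment on its own rather than a growing prefix of the key, so its cost stays linear in the key length. The cap MAX_NESTING and the sample bodies are assumptions constructed for the example.

```python
from urllib.parse import unquote_plus

MAX_NESTING = 32  # assumed policy cap for this illustration, not a Plug setting

def split_segments(key):
    """'a[b][c]' -> ['a', 'b', 'c']; a single split, so the cost is linear in len(key)."""
    head, *rest = key.split("[")
    segs = [head]
    for part in rest:
        if not part.endswith("]"):  # unbalanced bracket: stop at the malformed segment
            break
        segs.append(part[:-1])
    return segs

def find_over_nested_key(raw, max_nesting=MAX_NESTING):
    """First key in a form body with more than max_nesting bracketed segments, else None."""
    for pair in raw.split("&"):
        key = unquote_plus(pair.partition("=")[0])
        if len(split_segments(key)) - 1 > max_nesting:
            return key
    return None

def insert_value(params, segs, value):
    """Store value at the nested path (maps only); each lookup hashes one segment, never a prefix."""
    *path, leaf = segs
    node = params
    for seg in path:
        if not isinstance(node.get(seg), dict):  # create the map, replacing any scalar
            node[seg] = {}
        node = node[seg]
    node[leaf] = value

def decode(raw, max_nesting=MAX_NESTING):
    """Decode x-www-form-urlencoded into nested dicts, rejecting over-nested keys first."""
    bad = find_over_nested_key(raw, max_nesting)
    if bad is not None:
        raise ValueError(f"key nesting exceeds {max_nesting}: {bad[:30]}...")
    params = {}
    for pair in filter(None, raw.split("&")):
        key, _, value = pair.partition("=")
        insert_value(params, split_segments(unquote_plus(key)), unquote_plus(value))
    return params

# Constructed sample inputs, not taken from the advisory.
SAMPLE_BODY = "user[name]=ann&user[role][id]=7&q=x%20y"
DEEP_BODY = "a" + "[a]" * 40 + "=1"  # 40 nesting levels, over MAX_NESTING
```

The pre-check is cheap enough to run in a guard plug or a WAF rule ahead of the real parser, which is where a body-size limit alone leaves a gap.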
Evidence notes
The CVE record and NVD detail provide information on the vulnerability, including its CVSS score and affected versions. The source item URL provides additional information on the vulnerability, including references to related commits and advisories.
Official resources
- CVE-2026-54892 CVE record (CVE.org)
- CVE-2026-54892 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
This article was generated with AI assistance based on the supplied source corpus.