PatchSiren cyber security CVE debrief
CVE-2026-54297 Faraday Project CVE debrief
CVE-2026-54297 is a HIGH severity vulnerability in Faraday, an HTTP client library abstraction layer. The vulnerability allows for denial of service via a deeply nested Ruby Hash structure. Faraday::NestedParamsEncoder, the default nested query parameter encoder/decoder in Faraday, decodes nested query strings without enforcing a maximum nesting depth. A crafted query string causes Faraday to build a deeply nested Ruby Hash structure. The internal dehash routine then recursively walks this attacker-controlled structure without a depth limit. At sufficient depth, Ruby raises an uncaught SystemStackError (stack level too deep), crashing the calling thread or worker. This can lead to denial of service in applications that pass attacker-controlled query strings to Faraday's nested query parsing or URL-building paths.
- Vendor: Faraday Project
- Product: Faraday
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-24
- Original CVE updated: 2026-06-30
- Advisory published: 2026-06-24
- Advisory updated: 2026-06-30
Who should care
Developers and administrators using Faraday versions between 1.0.0 and 1.10.6 or 2.0.0 and 2.14.3 should be aware of this vulnerability. Applications that pass attacker-controlled query strings to Faraday's nested query parsing or URL-building paths are potentially vulnerable to denial of service.
Technical summary
The vulnerability exists in Faraday::NestedParamsEncoder, the default nested query parameter encoder/decoder in Faraday. The encoder decodes nested query strings without enforcing a maximum nesting depth, allowing an attacker to craft a query string that causes Faraday to build a deeply nested Ruby Hash structure. The internal dehash routine then recursively walks this attacker-controlled structure without a depth limit, potentially leading to a SystemStackError (stack level too deep) and denial of service.
Defensive priority
High priority should be given to updating Faraday to versions 1.10.6 or 2.14.3. In the meantime, developers should validate and sanitize query strings to prevent deeply nested structures.
Recommended defensive actions
- Update Faraday to version 1.10.6 or 2.14.3
- Validate and sanitize query strings to prevent deeply nested structures
- Implement input validation and error handling to mitigate denial of service attacks
- Monitor applications for potential denial of service attacks
- Review and update application code to ensure secure use of Faraday
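One way to apply the "validate and sanitize query strings" action above is a depth guard at the trust boundary, run on attacker-controlled query strings before they reach Faraday's nested decoding or URL-building paths. This is an added example, not Faraday's own code; the limit of 8 and the function names are assumptions, and the sample inputs are constructed.

```ruby
require "cgi"

# Hypothetical limit; tune to the deepest structure your app legitimately sends.
MAX_QUERY_DEPTH = 8

class QueryNestingTooDeep < ArgumentError; end

# Nesting depth of one raw parameter key: "a" => 0, "a[]" => 1, "a[b][c]" => 2.
# Counting every "[" (rather than only balanced "[...]" pairs) is deliberately
# conservative, so malformed keys are never scored as shallower than they are.
def key_depth(key)
  key.scan("[").size
end

# Deepest key in a query string. Keys are percent-decoded first, because
# "%5B" / "%5D" become brackets once the string is decoded, so an encoded
# key must not slip past a guard that only looks for literal brackets.
def max_query_depth(query)
  query.to_s.split("&").map do |pair|
    raw_key = pair.split("=", 2).first.to_s
    key_depth(CGI.unescape(raw_key))
  end.max || 0
end

# Boundary check: raise before the string is handed to Faraday, instead of
# letting the recursive dehash walk exhaust the stack.
def assert_query_depth!(query, max_depth: MAX_QUERY_DEPTH)
  depth = max_query_depth(query)
  if depth > max_depth
    raise QueryNestingTooDeep, "query nesting depth #{depth} exceeds limit #{max_depth}"
  end
  query
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs for the demo.
  benign = "user[name]=alice&user[tags][]=admin"
  deep   = "a" + "[x]" * 500 + "=1"
  puts "benign depth: #{max_query_depth(benign)}"   # 2
  begin
    assert_query_depth!(deep)
  rescue QueryNestingTooDeep => e
    puts "rejected: #{e.message}"
  end
end
```

Rejecting over-deep input with a handled exception keeps the worker alive, which is the failure mode the advisory describes; the guard does not replace upgrading to the fixed versions.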
Evidence notes
The CVE record and NVD detail provide information on the vulnerability, including its description, CVSS score, and affected versions. The source item URL provides additional information on the vulnerability, including references to mitigation and vendor advisories.
Official resources
- CVE-2026-54297 CVE record (CVE.org)
- CVE-2026-54297 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Exploit, Mitigation, Vendor Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.