PatchSiren cyber security CVE debrief

CVE-2026-54297 Faraday Project CVE debrief

CVE-2026-54297 is a HIGH severity vulnerability in Faraday, an HTTP client library abstraction layer. The vulnerability allows for denial of service via a deeply nested Ruby Hash structure. Faraday::NestedParamsEncoder, the default nested query parameter encoder/decoder in Faraday, decodes nested query strings without enforcing a maximum nesting depth. A crafted query string causes Faraday to build a deeply nested Ruby Hash structure. The internal dehash routine then recursively walks this attacker-controlled structure without a depth limit. At sufficient depth, Ruby raises an uncaught SystemStackError (stack level too deep), crashing the calling thread or worker. This can lead to denial of service in applications that pass attacker-controlled query strings to Faraday's nested query parsing or URL-building paths.

Vendor: Faraday Project
Product: Faraday
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-24
Original CVE updated: 2026-06-30
Advisory published: 2026-06-24
Advisory updated: 2026-06-30

Who should care

Developers and administrators using Faraday versions between 1.0.0 and 1.10.6 or 2.0.0 and 2.14.3 should be aware of this vulnerability. Applications that pass attacker-controlled query strings to Faraday's nested query parsing or URL-building paths are potentially vulnerable to denial of service.

Technical summary

The vulnerability exists in Faraday::NestedParamsEncoder, the default nested query parameter encoder/decoder in Faraday. The encoder decodes nested query strings without enforcing a maximum nesting depth, allowing an attacker to craft a query string that causes Faraday to build a deeply nested Ruby Hash structure. The internal dehash routine then recursively walks this attacker-controlled structure without a depth limit, potentially leading to a SystemStackError (stack level too deep) and denial of service.

Defensive priority

High priority should be given to updating Faraday to versions 1.10.6 or 2.14.3. In the meantime, developers should validate and sanitize query strings to prevent deeply nested structures.

Recommended defensive actions

  • Update Faraday to version 1.10.6 or 2.14.3
  • Validate and sanitize query strings to prevent deeply nested structures
  • Implement input validation and error handling to mitigate denial of service attacks
  • Monitor applications for potential denial of service attacks
  • Review and update application code to ensure secure use of Faraday
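One way to apply the "validate query strings" action above is to bound bracket nesting before untrusted input reaches Faraday's nested decoder. The following is an added example written for this debrief, not code from the Faraday project; it assumes the Rails-style nested key syntax the encoder uses (`a[b][c]=1`, `a[]=1`) and a depth limit of 32 chosen here as a placeholder for whatever the application actually needs.

```ruby
require 'cgi'

# Added defensive pre-check (not Faraday's own code): bound the bracket
# nesting depth of a query string before handing it to
# Faraday::NestedParamsEncoder.decode or to URL-building code.
# Assumption: keys use the Rails-style nested syntax, e.g. "a[b][c]=1".
MAX_QUERY_DEPTH = 32 # assumed application limit; tune to real API needs

# Nesting depth of one decoded key: the number of hash/array levels the
# decoder would create for it. "a" => 1, "a[b]" => 2, "a[b][]" => 3.
def key_depth(key)
  # Every "[...]" segment after the top-level name adds one level.
  1 + key.scan(/\[[^\[\]]*\]/).size
end

# Maximum nesting depth across all keys in the query string (0 if empty).
def max_query_depth(query)
  return 0 if query.nil? || query.empty?
  query.split('&').reject(&:empty?).map do |pair|
    raw_key = pair.split('=', 2).first.to_s
    key_depth(CGI.unescape(raw_key)) # handles %5B / %5D encoded brackets
  end.max || 0
end

# Gate to call before Faraday decodes untrusted input; true when every key
# stays within the depth budget, so the recursive dehash walk stays shallow.
def query_depth_ok?(query, limit: MAX_QUERY_DEPTH)
  max_query_depth(query) <= limit
end

# Constructed sample inputs (not taken from the advisory).
NORMAL_QUERY = 'user[name]=alice&user[roles][]=admin&page=2'
DEEP_QUERY   = 'a' + ('[x]' * 100) + '=1'

if __FILE__ == $PROGRAM_NAME
  [NORMAL_QUERY, DEEP_QUERY].each do |q|
    puts "depth=#{max_query_depth(q)} ok=#{query_depth_ok?(q)}"
  end
end
```

Reject (or log and drop) any request whose query fails `query_depth_ok?` before it reaches the decoder; the check itself is linear in the query length and never recurses.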

Evidence notes

The CVE record and NVD detail provide information on the vulnerability, including its description, CVSS score, and affected versions. The source item URL provides additional information on the vulnerability, including references to mitigation and vendor advisories.

Official resources

This article is AI-assisted and based on the supplied source corpus.