Byte Open Security (ByteOS Network)
Vulnerability Details: CVE-2026-54892

Summary
Assigner: EEF
Assigner Org ID: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
Published At: 23 Jun, 2026 | 12:31
Updated At: 23 Jun, 2026 | 18:21

Plug: quadratic-time decoding of nested query/body parameters enables denial of service

Inefficient algorithmic complexity in Plug's nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service. Plug.Conn.Query.decode/4 (and Plug.Conn.Query.decode_each/2) parse query strings and application/x-www-form-urlencoded request bodies. When a key contains many bracketed segments such as a[a][a][a]=1, the decoder walks the brackets and, for each of the N levels, performs a map operation keyed on an ever-growing binary prefix of the key, hashing the full byte range at each step. The total decode cost is therefore quadratic in the number of nesting levels. With the default Plug.Parsers.URLENCODED body limit of 1,000,000 bytes, a single request can carry roughly 333,000 nesting levels (three bytes per "[a]" segment) and saturate a BEAM scheduler for minutes. A small number of concurrent requests can saturate all schedulers and render a Plug-based server unresponsive. No authentication or knowledge of application routes is required. This vulnerability is associated with program file lib/plug/conn/query.ex and program routines Plug.Conn.Query.decode/4, Plug.Conn.Query.decode_each/2, Plug.Conn.Query.split_keys/6, Plug.Conn.Query.insert_keys/3, and Plug.Conn.Query.finalize_pointer/2. This issue affects plug from 1.15.0 before 1.15.5, from 1.16.0 before 1.16.4, from 1.17.0 before 1.17.2, from 1.18.0 before 1.18.3, and from 1.19.0 before 1.19.3.
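The decoding pattern the advisory describes, modelled as an added example. This is not Plug's code and does not call Plug.Conn.Query: the two decoders, the HashMeter byte counter, the nested_payload builder and the reject_deep_keys guard are all constructed here for illustration, and the guard is an assumed pre-parse mitigation, not the fix the linked commits apply. The prefix-keyed decoder reproduces the shape the advisory describes (a container map keyed on the growing raw-key prefix), the segment-keyed one hashes only the current segment, and the meter makes the quadratic-versus-linear cost visible without timing noise.

```python
"""Model of the CVE-2026-54892 bug class: nested bracket-key decoding.

Constructed example, not Plug's code. Decodes keys such as a[b][c]=1 into
nested dicts and meters the bytes each decoder feeds to the hash function.
"""
from __future__ import annotations

from typing import Callable, Iterator
from urllib.parse import unquote_plus


class HashMeter:
    """Counts bytes handed to dict hashing; a stand-in for CPU time."""

    def __init__(self) -> None:
        self.bytes = 0

    def key(self, k: str) -> str:
        self.bytes += len(k)
        return k


def _pairs(body: str) -> Iterator[tuple[str, str]]:
    """Yield percent-decoded (key, value) pairs from a urlencoded body."""
    for pair in body.split("&"):
        if pair:
            raw_key, _, raw_val = pair.partition("=")
            yield unquote_plus(raw_key), unquote_plus(raw_val)


def split_key(key: str) -> list[str]:
    """'a[b][c]' -> ['a', 'b', 'c']. An empty segment ('a[]') is kept as ''
    rather than turned into a list; list semantics are not modelled here."""
    head, _, rest = key.partition("[")
    segments = [head]
    while rest:
        seg, _, rest = rest.partition("]")
        segments.append(seg)
        if rest.startswith("["):
            rest = rest[1:]
    return segments


def decode_prefix_keyed(body: str, meter: HashMeter | None = None) -> dict:
    """Vulnerable shape (modelled from the advisory text): the container for
    each nesting level is looked up in a map keyed on the raw key prefix up
    to that bracket. Level i hashes ~3i bytes, so N levels cost O(N^2)."""
    meter = meter or HashMeter()
    params: dict = {}
    pointers: dict[str, dict] = {}  # raw prefix ("a[b]") -> container it denotes
    for key, value in _pairs(body):
        segments = split_key(key)
        parent, prefix = params, ""
        for seg in segments[:-1]:
            prefix = f"{prefix}[{seg}]" if prefix else seg
            k = meter.key(prefix)  # the whole prefix is hashed at every level
            child = pointers.get(k)
            if child is None:
                child = {}
                pointers[k] = child
                parent[seg] = child
            parent = child
        parent[segments[-1]] = value
    return params


def decode_segment_keyed(body: str, meter: HashMeter | None = None) -> dict:
    """Linear shape: descend the nested dicts one segment at a time, hashing
    only that segment, so N levels cost O(N) hashed bytes."""
    meter = meter or HashMeter()
    params: dict = {}
    for key, value in _pairs(body):
        segments = split_key(key)
        parent = params
        for seg in segments[:-1]:
            k = meter.key(seg)
            child = parent.get(k)
            if not isinstance(child, dict):
                child = {}
                parent[k] = child
            parent = child
        parent[segments[-1]] = value
    return params


def nested_payload(levels: int, value: str = "1") -> str:
    """Build the advisory's a[a][a]...=1 shape with the given bracket count."""
    return "a" + "[a]" * levels + "=" + value


def hashed_bytes(decoder: Callable[[str, HashMeter], dict], levels: int) -> int:
    """Bytes a decoder feeds to the hash function for one key of `levels` depth."""
    meter = HashMeter()
    decoder(nested_payload(levels), meter)
    return meter.bytes


def reject_deep_keys(body: str, max_depth: int = 32) -> bool:
    """Assumed pre-parse guard (not Plug's fix): one linear scan that refuses
    a body if any key opens more than max_depth brackets. Keys are
    percent-decoded first so %5B cannot slip past the count."""
    return any(key.count("[") > max_depth for key, _ in _pairs(body))


if __name__ == "__main__":
    for n in (10, 100, 1_000):
        print(f"{n:>5} levels: prefix-keyed {hashed_bytes(decode_prefix_keyed, n):>10,} B"
              f"  segment-keyed {hashed_bytes(decode_segment_keyed, n):>6,} B")
    print("guard rejects 40 levels:", reject_deep_keys(nested_payload(40)))
```

The meter, not wall-clock time, is the honest measurement here: CPython caches a string's hash on the object, so timing this model would understate the cost of hashing a fresh binary prefix at every level, which is what the advisory describes for Plug. The guard shows the shape of a cheap defence a practitioner can put in front of any such decoder: bound the depth in one linear pass over the decoded keys before any nested structure is built.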

▼Common Vulnerabilities and Exposures (CVE)
cve.org
▼CVE Numbering Authority (CNA)
Affected Products
Vendor
elixir-plug
Product
plug
Collection URL
https://repo.hex.pm
Package Name
plug
Repo
https://github.com/elixir-plug/plug
CPEs
  • cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*
Modules
  • 'Elixir.Plug.Conn.Query'
Program Files
  • lib/plug/conn/query.ex
Program Routines
  • 'Elixir.Plug.Conn.Query':decode/4
  • 'Elixir.Plug.Conn.Query':decode_each/2
  • 'Elixir.Plug.Conn.Query':split_keys/6
  • 'Elixir.Plug.Conn.Query':insert_keys/3
  • 'Elixir.Plug.Conn.Query':finalize_pointer/2
Default Status
unaffected
Versions
Affected
  • From 1.15.0 before 1.15.5 (semver)
  • From 1.16.0 before 1.16.4 (semver)
  • From 1.17.0 before 1.17.2 (semver)
  • From 1.18.0 before 1.18.3 (semver)
  • From 1.19.0 before 1.19.3 (semver)
Vendor
elixir-plug
Product
plug
Collection URL
https://github.com
Package Name
elixir-plug/plug
Repo
https://github.com/elixir-plug/plug
CPEs
  • cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*
Modules
  • 'Elixir.Plug.Conn.Query'
Program Files
  • lib/plug/conn/query.ex
Program Routines
  • 'Elixir.Plug.Conn.Query':decode/4
  • 'Elixir.Plug.Conn.Query':decode_each/2
  • 'Elixir.Plug.Conn.Query':split_keys/6
  • 'Elixir.Plug.Conn.Query':insert_keys/3
  • 'Elixir.Plug.Conn.Query':finalize_pointer/2
Default Status
unaffected
Versions
Affected
  • From 712b875d3442c765d8d37e546ffd5ad9f8afcc55 before * (git)
    • unaffected from c317d08fdcf96e17931f7419275b2b8c4bf3e951
    • unaffected from 9c5d37c440eaae92869eed7c014c47266744fadb
    • unaffected from d737eb236f17e31a36290e39f9ef3cd86a1343bd
    • unaffected from d4e5568392a4b29e545b91e12e87d6098f976145
    • unaffected from a61124aa625d819a218fb07f90afbac8aa85eb0e
Problem Types
CWE-407 Inefficient Algorithmic Complexity
Metrics
CVSS 4.0 base score 8.7 (HIGH)
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Impacts
CAPEC-229 Serialized Data Parameter Blowup
Credits
Finder: Braidon Whatley
Remediation developer: José Valim
Analyst: Jonatan Männchen / EEF
References
https://github.com/elixir-plug/plug/security/advisories/GHSA-j43x-5hjq-rgxf (vendor-advisory, related)
https://cna.erlef.org/cves/CVE-2026-54892.html (related)
https://osv.dev/vulnerability/EEF-CVE-2026-54892 (related)
https://github.com/elixir-plug/plug/commit/c317d08fdcf96e17931f7419275b2b8c4bf3e951 (patch)
https://github.com/elixir-plug/plug/commit/9c5d37c440eaae92869eed7c014c47266744fadb (patch)
https://github.com/elixir-plug/plug/commit/d737eb236f17e31a36290e39f9ef3cd86a1343bd (patch)
https://github.com/elixir-plug/plug/commit/d4e5568392a4b29e545b91e12e87d6098f976145 (patch)
https://github.com/elixir-plug/plug/commit/a61124aa625d819a218fb07f90afbac8aa85eb0e (patch)
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
References
https://github.com/elixir-plug/plug/security/advisories/GHSA-j43x-5hjq-rgxf (exploit)
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
Published At: 23 Jun, 2026 | 13:16
Updated At: 23 Jun, 2026 | 15:44
CISA Catalog: N/A (no date added, due date, vulnerability name or required action)
Metrics
Secondary: CVSS 4.0 base score 8.7 (HIGH)
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Weaknesses
CWE-407 (Secondary; source 6b3ad84c-e1a6-4bf7-a703-f496b71e49db)
References (resource type N/A for all entries)
https://cna.erlef.org/cves/CVE-2026-54892.html (source 6b3ad84c-e1a6-4bf7-a703-f496b71e49db)
https://github.com/elixir-plug/plug/commit/9c5d37c440eaae92869eed7c014c47266744fadb (source 6b3ad84c-e1a6-4bf7-a703-f496b71e49db)
https://github.com/elixir-plug/plug/commit/a61124aa625d819a218fb07f90afbac8aa85eb0e (source 6b3ad84c-e1a6-4bf7-a703-f496b71e49db)
https://github.com/elixir-plug/plug/commit/c317d08fdcf96e17931f7419275b2b8c4bf3e951 (source 6b3ad84c-e1a6-4bf7-a703-f496b71e49db)
https://github.com/elixir-plug/plug/commit/d4e5568392a4b29e545b91e12e87d6098f976145 (source 6b3ad84c-e1a6-4bf7-a703-f496b71e49db)
https://github.com/elixir-plug/plug/commit/d737eb236f17e31a36290e39f9ef3cd86a1343bd (source 6b3ad84c-e1a6-4bf7-a703-f496b71e49db)
https://github.com/elixir-plug/plug/security/advisories/GHSA-j43x-5hjq-rgxf (source 6b3ad84c-e1a6-4bf7-a703-f496b71e49db)
https://osv.dev/vulnerability/EEF-CVE-2026-54892 (source 6b3ad84c-e1a6-4bf7-a703-f496b71e49db)
https://github.com/elixir-plug/plug/security/advisories/GHSA-j43x-5hjq-rgxf (source 134c704f-9b21-4f2e-91b3-4a467353bcc0)

Similar CVEs (5 records found)
CVE-2026-32688
Matching Score: 8
Assigner: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
CVSS Score: 8.7 (HIGH)
EPSS: 0.55% / 41.73% (7-day change ~0.00%)
Published: 27 Apr, 2026 | 13:45
Updated: 29 Apr, 2026 | 17:08
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
Atom table exhaustion via HTTP/2 :scheme pseudo-header in plug_cowboy

Allocation of Resources Without Limits or Throttling vulnerability in elixir-plug plug_cowboy allows unauthenticated remote denial of service via atom table exhaustion. Plug.Cowboy.Conn.conn/1 in lib/plug/cowboy/conn.ex calls String.to_atom/1 on the value returned by :cowboy_req.scheme/1. For HTTP/2 connections, cowlib passes the client-supplied :scheme pseudo-header value through verbatim without validation. Each unique value permanently allocates a new entry in the BEAM atom table. Since atoms are never garbage-collected and the atom table has a fixed limit (default 1,048,576), an unauthenticated attacker can exhaust the table by sending HTTP/2 requests with unique :scheme values, causing the Erlang VM to abort with system_limit and taking down the entire node. This vulnerability does not affect HTTP/1.1, where cowboy derives the scheme from the listener type rather than from a client-supplied header. This issue affects plug_cowboy: from 2.0.0 before 2.8.1.

Action: Not Available
Vendor: elixir-plug
Product: plug_cowboy
CWE-770 Allocation of Resources Without Limits or Throttling
CVE-2026-59094
Matching Score: 4
Assigner: VulnCheck
CVSS Score: 8.7 (HIGH)
EPSS: 0.47% / 37.32% (7-day change ~0.00%)
Published: 02 Jul, 2026 | 19:40
Updated: 02 Jul, 2026 | 20:17
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
Pathway - Unauthenticated Denial of Service via Exponential Glob Pattern Matching in Document Store

Pathway through 0.31.1 (fixed in commit d09722e): the document store applies a caller-supplied glob pattern to indexed document paths using a hand-written recursive matcher that branches two ways on each ** token without memoization, giving exponential worst-case complexity. The filepath_globpattern value is taken from the body of the unauthenticated HTTP endpoints /v1/retrieve, /v1/inputs and /v2/answer and compiled into a filter evaluated once per indexed document, with no length or **-count limit. A remote unauthenticated attacker can submit a short pattern containing many ** tokens to consume CPU for tens of seconds per request, and a small number of requests denies service.

Action: Not Available
Vendor: pathwaycom
Product: pathway
CWE-407 Inefficient Algorithmic Complexity
CVE-2026-49851
Matching Score: 4
Assigner: GitHub, Inc.
CVSS Score: 8.7 (HIGH)
EPSS: 0.35% / 27.03% (7-day change +0.10%)
Published: 24 Jun, 2026 | 17:05
Updated: 02 Jul, 2026 | 12:04
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
Mistune: Potential DoS via quadratic-time parsing in parse_link_text

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, Mistune is vulnerable to a CPU exhaustion DoS due to superlinear (approximately O(n²)) behavior in parse_link_text. When parsing Markdown containing many consecutive [ characters, parse_link_text repeatedly scans the input using a regex search inside a loop. Each iteration re-scans a large portion of the remaining string, resulting in quadratic-time behavior. An attacker-controlled Markdown input can therefore trigger excessive CPU usage with a very small payload. This vulnerability is fixed in 3.3.0.

Action: Not Available
Vendor: lepture; Red Hat, Inc.
Product: mistune; Migration Toolkit for Applications 8; Red Hat OpenShift AI (RHOAI); Red Hat Satellite 6; Red Hat OpenShift Container Platform 4
CWE-1333 Inefficient Regular Expression Complexity
CWE-400 Uncontrolled Resource Consumption
CWE-407 Inefficient Algorithmic Complexity
CWE-770 Allocation of Resources Without Limits or Throttling
CVE-2026-43967
Matching Score: 4
Assigner: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
CVSS Score: 8.7 (HIGH)
EPSS: 0.62% / 45.52% (7-day change ~0.00%)
Published: 08 May, 2026 | 15:42
Updated: 13 May, 2026 | 15:57
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
Quadratic fragment-name uniqueness check causes denial of service in absinthe

Inefficient Algorithmic Complexity vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via quadratic fragment-name uniqueness validation. 'Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames':run/2 iterates over all fragments and for each one calls duplicate?/2, which evaluates Enum.count(fragments, &(&1.name == name)) — a full linear scan of the fragment list. The result is O(N²) comparisons per document, where N is the number of fragment definitions supplied by the caller. Because input.fragments is built directly from the GraphQL query body, N is fully attacker-controlled. A minimum-size fragment definition is roughly 16 bytes, so a ~1 MB document carries ~60,000 fragments and forces ~3.6 × 10⁹ comparisons inside this single validation phase. No authentication, schema knowledge, or special configuration is required. This issue affects absinthe: from 1.2.0 before 1.10.2.

Action: Not Available
Vendor: absinthe-graphql
Product: absinthe
CWE-407 Inefficient Algorithmic Complexity
CVE-2026-13311
Matching Score: 4
Assigner: 7ffcee3d-2c14-4c3e-b844-86c6a321a158
CVSS Score: 8.7 (HIGH)
EPSS: 0.36% / 28.01% (7-day change ~0.00%)
Published: 25 Jun, 2026 | 04:48
Updated: 26 Jun, 2026 | 19:03
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
shell-quote parse() is quadratic in token count, enabling denial of service

shell-quote prior to 1.8.5 finalizes parsed tokens in parse() using Array.prototype.concat as a reduce accumulator, which reallocates and copies the entire growing array on every iteration. As a result parse() runs in O(n^2) time relative to the number of input tokens. An attacker who can supply an attacker-controlled string to any code path that calls parse() (no shell metacharacters are required; plain space-separated words suffice) can block the single-threaded Node.js event loop for an extended period with a small input, resulting in a denial of service. There is no code execution or data disclosure; impact is to availability only. Fixed in 1.8.5.

Action: Not Available
Vendor: shell-quote_project; ljharb
Product: shell-quote; shell-quote
CWE-407 Inefficient Algorithmic Complexity