Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Remote unauthenticated HTTP request with no user interaction triggers quadratic decode; only availability is impacted, no confidentiality or integrity loss, no scope change.
Primary rating from Vendor (EEF).
CVSS VectorVendor: EEF
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Inefficient algorithmic complexity in Plug's nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service. Plug.Conn.Query.decode/4 (and Plug.Conn.Query.decode_each/2) parse query strings and application/x-www-form-urlencoded request bodies. When a key contains many bracketed segments such as a[a][a][a]=1, the decoder walks the brackets and, for each of the N levels, performs a map operation keyed on an ever-growing binary prefix of the key, hashing the full byte range at each step. The total decode cost is therefore quadratic in the number of nesting levels.
With the default Plug.Parsers.URLENCODED body limit of 1,000,000 bytes, a single request can carry roughly 333,000 nesting levels and saturate a BEAM scheduler for minutes. A small number of concurrent requests can saturate all schedulers and render a Plug-based server unresponsive. No authentication or knowledge of application routes is required.
This vulnerability is associated with program files lib/plug/conn/query.ex and program routines Plug.Conn.Query.decode/4, Plug.Conn.Query.decode_each/2, Plug.Conn.Query.split_keys/6, Plug.Conn.Query.insert_keys/3, and Plug.Conn.Query.finalize_pointer/2.
This issue affects plug from 1.15.0 before 1.15.5, 1.16.4, 1.17.2, 1.18.3, and 1.19.3.
AnalysisAI
Denial of service in Elixir Plug 1.15.0 through 1.19.2 allows unauthenticated remote attackers to saturate BEAM schedulers by sending HTTP requests with deeply nested bracket-style query parameters (e.g. a[a][a]...=1). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The target must run Plug 1.15.0 through 1.19.2 and accept HTTP requests whose query strings or application/x-www-form-urlencoded bodies pass through Plug.Conn.Query.decode (the default for any route using Plug.Parsers with :urlencoded, including essentially all Phoenix endpoints). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector AV:N/AC:L/AT:N/PR:N/UI:N rating 8.7 (High) is well-aligned with reality: the attack is remote, unauthenticated, requires no user interaction, and only impacts availability (VA:H, with VC and VI = N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker sends a small number of concurrent HTTP POST or GET requests carrying a query string or form body like a[a][a]...[a]=1 with ~333,000 nesting levels, fitting in the default 1 MB body limit. Each request pins a BEAM scheduler in Plug.Conn.Query.decode for minutes, and a handful of parallel requests saturate every scheduler thread, rendering the Phoenix or Plug service unresponsive to all users. … |
| Remediation | Vendor-released patch: upgrade Plug to 1.15.5, 1.16.4, 1.17.2, 1.18.3, or 1.19.3 (whichever matches your minor line) - these introduce a hard 32-level nesting cap that raises Plug.Conn.InvalidQueryError, per the GHSA-j43x-5hjq-rgxf advisory and commits c317d08, 9c5d37c, d737eb2, d4e5568, and a61124a in https://github.com/elixir-plug/plug. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all systems running Elixir Plug versions 1.15.0-1.19.2 and document inventory; obtain vendor advisory specifying patched versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Elixir Plug before v1.0.4, v1.1.7, v1.2.3 and v1.3.2 is vulnerable to arbitrary code execution in the deserialization fu
Memory exhaustion in Elixir Plug 1.4.0 through 1.19.1 allows remote unauthenticated attackers to crash BEAM VM processes
Elixir Plug before v1.0.4, v1.1.7, v1.2.3 and v1.3.2 is vulnerable to null byte injection in the Plug.Static component,
Elixir Plug Plug version All contains a Header Injection vulnerability in Connection that can result in Given a cookie v
Same weakness CWE-407 – Inefficient Algorithmic Complexity
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38446