Skip to main content

Elixir Plug EUVDEUVD-2026-38446

| CVE-2026-54892 HIGH
Inefficient Algorithmic Complexity (CWE-407)
2026-06-23 EEF
8.7
CVSS 4.0 · Vendor: EEF
Share

Severity by source

Vendor (EEF) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Remote unauthenticated HTTP request with no user interaction triggers quadratic decode; only availability is impacted, no confidentiality or integrity loss, no scope change.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (EEF).

CVSS VectorVendor: EEF

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 23, 2026 - 13:08 vuln.today
Analysis Generated
Jun 23, 2026 - 13:08 vuln.today

DescriptionCVE.org

Inefficient algorithmic complexity in Plug's nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service. Plug.Conn.Query.decode/4 (and Plug.Conn.Query.decode_each/2) parse query strings and application/x-www-form-urlencoded request bodies. When a key contains many bracketed segments such as a[a][a][a]=1, the decoder walks the brackets and, for each of the N levels, performs a map operation keyed on an ever-growing binary prefix of the key, hashing the full byte range at each step. The total decode cost is therefore quadratic in the number of nesting levels.

With the default Plug.Parsers.URLENCODED body limit of 1,000,000 bytes, a single request can carry roughly 333,000 nesting levels and saturate a BEAM scheduler for minutes. A small number of concurrent requests can saturate all schedulers and render a Plug-based server unresponsive. No authentication or knowledge of application routes is required.

This vulnerability is associated with program files lib/plug/conn/query.ex and program routines Plug.Conn.Query.decode/4, Plug.Conn.Query.decode_each/2, Plug.Conn.Query.split_keys/6, Plug.Conn.Query.insert_keys/3, and Plug.Conn.Query.finalize_pointer/2.

This issue affects plug from 1.15.0 before 1.15.5, 1.16.4, 1.17.2, 1.18.3, and 1.19.3.

AnalysisAI

Denial of service in Elixir Plug 1.15.0 through 1.19.2 allows unauthenticated remote attackers to saturate BEAM schedulers by sending HTTP requests with deeply nested bracket-style query parameters (e.g. a[a][a]...=1). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify Plug/Phoenix endpoint
Delivery
Craft deeply bracketed query body
Exploit
Send concurrent HTTP requests
Execution
Trigger quadratic decode in Plug.Conn.Query
Persist
Saturate BEAM schedulers
Impact
Service becomes unresponsive

Vulnerability AssessmentAI

Exploitation The target must run Plug 1.15.0 through 1.19.2 and accept HTTP requests whose query strings or application/x-www-form-urlencoded bodies pass through Plug.Conn.Query.decode (the default for any route using Plug.Parsers with :urlencoded, including essentially all Phoenix endpoints). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector AV:N/AC:L/AT:N/PR:N/UI:N rating 8.7 (High) is well-aligned with reality: the attack is remote, unauthenticated, requires no user interaction, and only impacts availability (VA:H, with VC and VI = N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends a small number of concurrent HTTP POST or GET requests carrying a query string or form body like a[a][a]...[a]=1 with ~333,000 nesting levels, fitting in the default 1 MB body limit. Each request pins a BEAM scheduler in Plug.Conn.Query.decode for minutes, and a handful of parallel requests saturate every scheduler thread, rendering the Phoenix or Plug service unresponsive to all users. …
Remediation Vendor-released patch: upgrade Plug to 1.15.5, 1.16.4, 1.17.2, 1.18.3, or 1.19.3 (whichever matches your minor line) - these introduce a hard 32-level nesting cap that raises Plug.Conn.InvalidQueryError, per the GHSA-j43x-5hjq-rgxf advisory and commits c317d08, 9c5d37c, d737eb2, d4e5568, and a61124a in https://github.com/elixir-plug/plug. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all systems running Elixir Plug versions 1.15.0-1.19.2 and document inventory; obtain vendor advisory specifying patched versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38446 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy