Intel

AIKIDO-2026-875853

plug is vulnerable to Inefficient Algorithmic Complexity

Inefficient Algorithmic ComplexityCVE-2026-54892 Published Jun 25, 2026

87

High Risk

This Affects:

elixirplug
1.15.0 - 1.15.4
Fixed in 1.15.5
1.16.0 - 1.16.3
Fixed in 1.16.4
1.17.0 - 1.17.1
Fixed in 1.17.2
1.18.0 - 1.18.2
Fixed in 1.18.3
1.19.0 - 1.19.2
Fixed in 1.19.3
Are you affected? Scan for Free

TL;DR

Affected versions of Plug are vulnerable to a denial-of-service (DoS) issue because the nested parameter decoder processes deeply nested URL-encoded parameters with quadratic time complexity. A remote attacker can send a specially crafted request to consume excessive CPU resources and make a Plug-based application unresponsive without authentication.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

plug is vulnerable to Inefficient Algorithmic Complexity in versions 1.15.0 - 1.15.4, 1.16.0 - 1.16.3, 1.17.0 - 1.17.1, 1.18.0 - 1.18.2 and 1.19.0 - 1.19.2.

How to fix this

Upgrade the plug library to the patch version.