Threat Advisory

Faraday Vulnerability Creates Deep Parameter Traversal

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High


EXECUTIVE SUMMARY:

CVE-2026-54297 (CVSS score 7.5) is a denial-of-service flaw in the Ruby Faraday HTTP client library affecting all releases up to and including. The vulnerability resides in Faraday::NestedParamsEncoder, which decodes nested query strings without enforcing a maximum nesting depth: a crafted query such as a[x][x]…[x]=1 produces an arbitrarily deep Ruby hash, which the internal dehash routine then walks recursively. An attacker who can supply or influence the query string, either by calling Faraday::Utils.parse_nested_query directly or by triggering Faraday's URL-building path, can make that recursive walk exceed the Ruby interpreter's stack limit, raising an uncaught SystemStackError that crashes the processing thread. The attacker can therefore exhaust server resources and render the affected service unavailable, leading to loss of availability, potential SLA penalties, and degraded user experience. Exploitation requires only network-level input of a deeply nested parameter; no authentication, privileged access, or additional vulnerabilities are needed, and the impact is confined to denial of service without data leakage or code execution.
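The root cause described above is a nested-parameter decoder with no depth bound and a recursive walk over the result. The following is an added example, not Faraday's code and not the fix shipped in 2.14.3, of the two controls a decoder needs to be safe against this input class: a depth check applied to each key before any structure is allocated, and an iterative (cursor-based) assignment so that even a permitted deep key never recurses. The function names and the DEFAULT_MAX_DEPTH value are assumptions chosen for the example; Faraday's actual limit is not stated in this advisory.

```ruby
require 'cgi'

# Raised when a single parameter key nests deeper than the configured limit.
class NestingTooDeep < ArgumentError; end

# Hypothetical default for this example; pick a limit well below the
# interpreter stack budget and well above what legitimate clients send.
DEFAULT_MAX_DEPTH = 32

# Split "a[b][c][]" into ["a", "b", "c", ""]. A trailing empty segment means
# "append to an array". Keys that are not well-formed bracket keys are kept
# whole as a single flat segment. The regex is linear in the key length.
def split_key(key)
  m = key.match(/\A([^\[\]]+)((?:\[[^\[\]]*\])*)\z/)
  return [key] unless m
  [m[1]].concat(m[2].scan(/\[([^\[\]]*)\]/).flatten)
end

# Iterative assignment: walk the segments with a cursor instead of recursing,
# so the call stack depth is constant regardless of how deep the key nests.
def assign(params, segments, value)
  cursor = params
  segments.each_with_index do |seg, i|
    if i == segments.length - 1
      if seg.empty?
        raise ArgumentError, 'array/hash conflict' unless cursor.is_a?(Array)
        cursor << value
      else
        raise ArgumentError, 'scalar/hash conflict' unless cursor.is_a?(Hash)
        cursor[seg] = value
      end
    else
      raise ArgumentError, 'scalar/hash conflict' unless cursor.is_a?(Hash)
      # Look ahead: a following "[]" segment means this level is an array.
      cursor = (cursor[seg] ||= (segments[i + 1].empty? ? [] : {}))
    end
  end
  params
end

# Decode a query string into nested Hashes/Arrays, rejecting any key whose
# bracket nesting exceeds max_depth *before* building anything for it.
def parse_nested_query(query, max_depth: DEFAULT_MAX_DEPTH)
  params = {}
  return params if query.nil? || query.empty?

  query.split('&').each do |pair|
    next if pair.empty?
    raw_key, raw_value = pair.split('=', 2)
    key = CGI.unescape(raw_key)
    value = raw_value.nil? ? nil : CGI.unescape(raw_value)

    segments = split_key(key)
    if segments.length > max_depth
      raise NestingTooDeep,
            "parameter #{segments.first.inspect} nests #{segments.length} levels (limit #{max_depth})"
    end
    if segments[0...-1].any?(&:empty?)
      raise ArgumentError, "empty segment only allowed at the end of key #{key.inspect}"
    end

    assign(params, segments, value)
  end
  params
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs for demonstration.
  p parse_nested_query('a[b][c]=1&list[]=x&list[]=y')
  begin
    parse_nested_query('a' + '[x]' * 200 + '=1')
  rescue NestingTooDeep => e
    puts "rejected: #{e.message}"
  end
end
```

The depth check is deliberately placed before `assign` so that a hostile key costs only one linear regex pass and no allocations; if a service genuinely needs deeper structures, raising `max_depth` is safe because the assignment path never recurses.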



RECOMMENDATION:

  • We recommend updating faraday to version 2.14.3 or later.


REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-98m9-hrrm-r99r
