{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/faraday--2.14.2/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Faraday (\u003c= 2.14.2)"],"_cs_severities":["high"],"_cs_tags":["denial-of-service","web-vulnerability","ruby","faraday","ghsa","cve"],"_cs_type":"advisory","_cs_vendors":["Faraday Project"],"content_html":"\u003cp\u003eThe \u003ccode\u003eFaraday::NestedParamsEncoder\u003c/code\u003e component within the Faraday Ruby HTTP client library, affecting versions up to \u003ccode\u003e2.14.2\u003c/code\u003e, contains a critical vulnerability (CVE-2026-54297) that allows for a denial-of-service (DoS) attack. This vulnerability stems from uncontrolled recursion in its \u003ccode\u003edehash\u003c/code\u003e routine when processing deeply nested query parameters, such as \u003ccode\u003ea[x][x][x]...[x]=1\u003c/code\u003e. An attacker can send a specially crafted, relatively small (around 9.4 KB) HTTP request containing such a query string to an application that utilizes Faraday for parsing or building URLs. This input causes the Ruby process to build an excessively deep \u003ccode\u003eHash\u003c/code\u003e structure, exhausting the call stack and leading to a \u003ccode\u003eSystemStackError\u003c/code\u003e, effectively crashing the calling thread or worker. This issue impacts the availability of affected applications and does not require authentication or user interaction to exploit.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker crafts a malicious HTTP request containing an excessively deeply nested query parameter, for example, \u003ccode\u003eGET /search?a[x][x][x]...[x]=1 HTTP/1.1\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe vulnerable application receives the HTTP request and, as part of its processing, passes the attacker-controlled query string to a Faraday function like \u003ccode\u003eFaraday::Utils.parse_nested_query\u003c/code\u003e or \u003ccode\u003econn.build_url\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eFaraday's \u003ccode\u003eNestedParamsEncoder\u003c/code\u003e, specifically the \u003ccode\u003edehash\u003c/code\u003e internal routine, begins recursively processing the deeply nested query parameter structure.\u003c/li\u003e\n\u003cli\u003eDue to the absence of a maximum nesting depth limit within the \u003ccode\u003edehash\u003c/code\u003e function, the recursion depth is solely controlled by the attacker's input.\u003c/li\u003e\n\u003cli\u003eThe deep recursion exhausts the Ruby process's call stack.\u003c/li\u003e\n\u003cli\u003eThe Ruby interpreter raises an uncaught \u003ccode\u003eSystemStackError\u003c/code\u003e (indicating \u0026quot;stack level too deep\u0026quot;).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eSystemStackError\u003c/code\u003e causes the application's calling thread or worker to crash, leading to a denial-of-service condition for that specific process or the entire application.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-54297 results in a denial-of-service against the targeted application. A small, crafted query string of approximately 9.4 KB can trigger a \u003ccode\u003eSystemStackError\u003c/code\u003e in the Ruby runtime, crashing the process or thread handling the request. Repeated requests with such payloads can lead to a prolonged outage for any application that exposes Faraday's parameter parsing or URL-building paths to untrusted input. The vulnerability does not allow for remote code execution, authentication bypass, or data disclosure; its confirmed impact is limited to availability loss.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eUpgrade Faraday:\u003c/strong\u003e Immediately upgrade the Faraday gem to a patched version once available. Monitor the official Faraday GitHub repository and RubyGems for security advisories and releases addressing CVE-2026-54297.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement web application firewall (WAF) rules:\u003c/strong\u003e Deploy WAF rules to detect and block HTTP requests containing an excessive number of \u003ccode\u003e[x]\u003c/code\u003e or similar nested array/hash markers in query parameters, as indicated in the \u003ccode\u003eDetects CVE-2026-54297 exploitation\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eApplication-level input validation:\u003c/strong\u003e Implement strict input validation in applications that utilize Faraday to parse or build URLs from external input, specifically limiting the maximum depth of nested query parameters.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeploy the Sigma rules in this brief to your SIEM:\u003c/strong\u003e Tune the \u003ccode\u003eDetects CVE-2026-54297 exploitation\u003c/code\u003e rule for your environment to identify attempts to exploit this vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-19T20:02:35Z","date_published":"2026-06-19T20:02:35Z","id":"https://feed.craftedsignal.io/briefs/2026-06-faraday-dos-recursion/","summary":"An unauthenticated attacker can trigger a denial-of-service condition in applications using the Faraday Ruby library by sending deeply nested query parameters (CVE-2026-54297), leading to `SystemStackError` and application crashes due to uncontrolled recursion.","title":"Faraday: Uncontrolled Recursion in NestedParamsEncoder Allows Stack Exhaustion DoS","url":"https://feed.craftedsignal.io/briefs/2026-06-faraday-dos-recursion/"}],"language":"en","title":"CraftedSignal Threat Feed - Faraday (\u003c= 2.14.2)","version":"https://jsonfeed.org/version/1.1"}