CVE-2026-54297
Ruby Vulnerability Analysis and Mitigation

Overview

CVE-2026-54297 is an uncontrolled recursion vulnerability in Faraday::NestedParamsEncoder, the default nested query parameter encoder/decoder in the Faraday Ruby HTTP client library. It allows unauthenticated remote attackers to trigger a stack exhaustion denial of service by supplying a crafted deeply nested query string. All versions of Faraday up to and including 2.14.2 are affected; version 2.14.3 contains the fix. The vulnerability was reported by Emre Koca, disclosed on June 18, 2026, and published to the GitHub Advisory Database on June 19, 2026. It carries a CVSS v3.1 base score of 7.5 (High) (GitHub Advisory, Faraday Advisory).

Technical Details

The root cause is CWE-674 (Uncontrolled Recursion) in lib/faraday/encoders/nested_params_encoder.rb. The dehash method accepts a depth argument but never uses it to enforce a maximum recursion limit, meaning the recursion depth is entirely controlled by the attacker-supplied input. A crafted query string of the form a[x][x][x]...[x]=1 causes Faraday to construct an arbitrarily deep nested Ruby Hash, which the dehash routine then walks recursively until Ruby raises an uncaught SystemStackError: stack level too deep. Two exploitation paths are confirmed: direct use of Faraday::Utils.parse_nested_query(untrusted_string) and normal URL construction via conn.build_url("/search?#{untrusted_string}") — the latter crashes before any network request is made. Public proof-of-concept code is included in the advisory (GitHub Advisory).

Impact

Successful exploitation raises an uncaught SystemStackError in the calling Ruby thread or worker process, resulting in a denial of service for any application that passes attacker-controlled query strings through Faraday's nested parameter parsing or URL-building paths. A payload of approximately 9.4 KB (depth ~3,119 bracket-encoded keys) is sufficient to trigger the crash in tested environments. Note that SystemStackError inherits from Exception rather than StandardError, so a bare rescue => e in application code will not catch it; whether the result is a 500 response or a dead worker depends on whether the surrounding server or framework rescues Exception. There is no impact on confidentiality or integrity: no remote code execution, authentication bypass, or data disclosure is possible through this vulnerability (GitHub Advisory, Faraday Advisory).

Exploitation Steps

  1. Identify a target application: Find a Ruby application that uses Faraday ≤ 2.14.2 and exposes an endpoint that passes attacker-controlled query strings to Faraday::Utils.parse_nested_query or Faraday::Connection#build_url.
  2. Craft the malicious payload: Construct a deeply nested query string such as a[x][x][x]...[x]=1 with approximately 3,119 or more bracket-encoded subkeys (≈9.4 KB). In Ruby: payload = "a#{'[x]' * 3119}=1".
  3. Deliver the payload: Send an HTTP request to the target endpoint with the crafted query string as a URL parameter or request body field that the application forwards to Faraday's parsing path.
  4. Trigger stack exhaustion: Faraday's dehash routine recursively processes the nested structure without a depth limit, causing Ruby to raise SystemStackError: stack level too deep, crashing the worker thread or process.
  5. Repeat for sustained DoS: Send repeated requests with the payload to keep worker processes crashing, causing sustained denial of service against the application (GitHub Advisory).
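The recursion pattern described under Technical Details and the payload from the steps above, as an added Ruby illustration (not Faraday's own code and not the advisory's proof of concept): a small bracket-key parser builds the nested Hash iteratively, a dehash-style walk carries a depth counter without ever checking it and so exhausts the stack on the crafted payload, and a second walk with an enforced limit raises a controlled error instead. The parser, the DepthError class and the 32-level default are assumptions for illustration; the keyword param_depth_limit is named after the advisory's description of the 2.14.3 fix, and the real Faraday API should be checked against the release.

```ruby
require 'cgi'

# Assumed, for illustration: the controlled error the limited walk raises.
class DepthError < StandardError; end

# Split a bracket key such as "a[x][y]" into ["a", "x", "y"].
def split_key(raw)
  key = CGI.unescape(raw.to_s)
  head = key[/\A[^\[]+/]
  subkeys = key.scan(/\[([^\]]*)\]/).flatten
  [head, *subkeys]
end

# Build the nested Hash iteratively (no recursion here). The depth of the
# result equals the number of bracketed subkeys, so the sender controls it.
def build_nested(query)
  result = {}
  query.to_s.split('&').each do |pair|
    raw_key, raw_value = pair.split('=', 2)
    path = split_key(raw_key)
    node = result
    path[0..-2].each { |k| node = (node[k] ||= {}) }
    node[path[-1]] = CGI.unescape(raw_value.to_s)
  end
  result
end

# Post-processing walk in the style of a dehash routine: `depth` is carried
# along but never compared against a limit, so a deep enough Hash makes Ruby
# raise SystemStackError (CWE-674). This is the vulnerable pattern.
def dehash_unbounded(hash, depth = 0)
  hash.each do |key, value|
    hash[key] = dehash_unbounded(value, depth + 1) if value.is_a?(Hash)
  end
  hash
end

# The same walk with an enforced maximum: a controlled DepthError replaces
# the uncontrolled stack exhaustion. 32 is an assumed default.
def dehash_limited(hash, depth = 0, param_depth_limit: 32)
  raise DepthError, "nesting depth #{depth} exceeds #{param_depth_limit}" if depth > param_depth_limit
  hash.each do |key, value|
    hash[key] = dehash_limited(value, depth + 1, param_depth_limit: param_depth_limit) if value.is_a?(Hash)
  end
  hash
end

# Constructed payload in the shape the advisory describes: a[x][x]...[x]=1
def crafted_payload(depth)
  "a#{'[x]' * depth}=1"
end

# Run one variant over a query string and report what happened.
def outcome(query, limited:)
  hash = build_nested(query)
  limited ? dehash_limited(hash) : dehash_unbounded(hash)
  :ok
rescue SystemStackError
  :stack_exhausted
rescue DepthError
  :rejected
end

if __FILE__ == $PROGRAM_NAME
  puts "benign input:   #{outcome('a[x][y]=1', limited: false)}"
  puts "unbounded walk: #{outcome(crafted_payload(100_000), limited: false)}"
  puts "limited walk:   #{outcome(crafted_payload(100_000), limited: true)}"
end
```

The unbounded walk returns :stack_exhausted only because outcome rescues SystemStackError explicitly; a plain rescue => e would let it propagate, which is why the crash reaches the worker in real deployments. The limited walk rejects at the first Hash deeper than the limit, before any meaningful stack is consumed.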

Indicators of Compromise

  • Logs: Application error logs containing SystemStackError: stack level too deep originating from lib/faraday/encoders/nested_params_encoder.rb or the dehash method.
  • Logs: Web server or application logs showing repeated requests with unusually long query strings containing deeply nested bracket notation (e.g., a%5Bx%5D%5Bx%5D%5Bx%5D... URL-encoded or a[x][x][x]... in raw form).
  • Network: Inbound HTTP requests with query strings exceeding ~9 KB composed primarily of repeated [x] bracket patterns.
  • Process: Unexpected Ruby worker process crashes or restarts correlated with specific inbound requests containing large query strings (GitHub Advisory).

Mitigations and Workarounds

Upgrade Faraday to version 2.14.3, which introduces a configurable maximum nesting depth (param_depth_limit) in Faraday::NestedParamsEncoder and raises a controlled Faraday::Error instead of allowing stack exhaustion (GitHub Advisory, Faraday Advisory). As a workaround prior to patching, validate and reject query strings with excessive nesting depth before passing them to Faraday, or rely on web framework middleware (e.g., Rack's param_depth_limit, whose default is 32) to enforce depth limits at the ingress layer. Note that Rack's limit is only applied when Rack itself parses the parameters; an application that reads the raw query string (for example from request.query_string or the QUERY_STRING environment key) and forwards it to Faraday::Utils.parse_nested_query or build_url bypasses that check and needs its own. Avoid passing raw, unvalidated user-supplied query strings directly to those methods.
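As an added example covering both the log indicators listed in the previous section and the pre-parse check recommended here (illustration only, not Faraday's, Rack's or Wiz's code): max_nesting_depth measures bracket nesting on the raw query string without building any structure, guarded_query rejects a string before it would reach parse_nested_query or build_url, and suspicious_lines scans constructed access-log and error-log lines for the indicators above. The log format, the 8 KB length threshold and the 32-level limit (chosen to match Rack's default param_depth_limit) are assumptions.

```ruby
require 'cgi'

# Assumed limit for illustration; it matches Rack's default param_depth_limit.
DEFAULT_PARAM_DEPTH_LIMIT = 32

# Deepest bracket nesting on any key in a raw query string, measured on the
# text after URL-decoding each key. Nothing is parsed into a Hash, so this is
# safe to run on input of any depth before it reaches Faraday.
def max_nesting_depth(query)
  depths = query.to_s.split('&').map { |pair|
    key = CGI.unescape(pair.split('=', 2).first.to_s)
    key.scan(/\[[^\]]*\]/).size
  }
  depths.max || 0
end

def query_too_deep?(query, limit: DEFAULT_PARAM_DEPTH_LIMIT)
  max_nesting_depth(query) > limit
end

# Gate for the spot where an application would otherwise hand the string to
# Faraday::Utils.parse_nested_query or Connection#build_url: returns the
# string unchanged when it is within the limit, raises ArgumentError otherwise.
def guarded_query(query, limit: DEFAULT_PARAM_DEPTH_LIMIT)
  depth = max_nesting_depth(query)
  raise ArgumentError, "query nesting depth #{depth} exceeds #{limit}" if depth > limit
  query
end

# ---- Log indicators ---------------------------------------------------
# Constructed sample lines (not real logs): common-log style access entries,
# one carrying the URL-encoded a[x][x]...[x]=1 payload, plus an application
# error line of the kind the crash leaves behind.
ENCODED_PAYLOAD = "#{CGI.escape("a#{'[x]' * 3119}")}=1"
SAMPLE_LOGS = [
  '203.0.113.7 - - [19/Jun/2026:10:01:02 +0000] "GET /search?q=ruby&page=2 HTTP/1.1" 200 512',
  "203.0.113.9 - - [19/Jun/2026:10:01:03 +0000] \"GET /search?#{ENCODED_PAYLOAD} HTTP/1.1\" 500 0",
  'E, [2026-06-19T10:01:03 #4242] ERROR -- : SystemStackError: stack level too deep ' \
    '(.../lib/faraday/encoders/nested_params_encoder.rb)',
  '203.0.113.7 - - [19/Jun/2026:10:01:04 +0000] "POST /search?filter%5Bname%5D=x HTTP/1.1" 200 128'
].freeze

REQUEST_RE = %r{"(?:GET|POST|PUT|PATCH|DELETE) (\S+) HTTP/\d\.\d"}
STACK_ERROR_RE = /SystemStackError: stack level too deep|nested_params_encoder\.rb/

# Reasons a single line matches the indicators; empty when it looks benign.
def flag_log_line(line, depth_limit: DEFAULT_PARAM_DEPTH_LIMIT, length_limit: 8192)
  reasons = []
  reasons << :stack_error if line.match?(STACK_ERROR_RE)
  if (m = line.match(REQUEST_RE))
    query = m[1].split('?', 2)[1].to_s
    reasons << :long_query if query.bytesize > length_limit
    reasons << :deep_nesting if max_nesting_depth(query) > depth_limit
  end
  reasons
end

# [line_index, reasons] for every flagged line.
def suspicious_lines(lines)
  lines.each_with_index.filter_map do |line, i|
    reasons = flag_log_line(line)
    [i, reasons] unless reasons.empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  suspicious_lines(SAMPLE_LOGS).each { |i, reasons| puts "line #{i}: #{reasons.join(', ')}" }
end
```

The depth check deliberately counts brackets per key rather than parsing, so it costs linear time on the 9.4 KB payload and cannot itself be driven into deep recursion. In the log scan the encoded form of the payload is about 21 KB because each [x] becomes %5Bx%5D, which is why the length indicator and the nesting indicator are kept separate.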

Community Response

The vulnerability was reported privately by researcher Emre Koca through GitHub Security Advisories and triaged by Faraday maintainer iMacTia, who published the advisory on June 18, 2026. The advisory notes that the fix mirrors the approach used by Rack's param_depth_limit, a well-established pattern in the Ruby ecosystem for preventing this class of attack. No significant broader media coverage or social media discussion has been identified beyond the official advisory (Faraday Advisory).

Related Information


Sources

This report was generated using AI.

Related Ruby vulnerabilities:

CVE identifier | Severity | Score | Technology | Component         | CISA KEV exploited | Fix available | Published
CVE-2026-47242 | MEDIUM   | 5.8   | Ruby       | ruby3.3-rails-8.1 | No                 | Yes           | Jun 22, 2026
CVE-2026-54906 | NONE     | N/A   | Ruby       | ruby3.2-rails-8.0 | No                 | Yes           | Jun 25, 2026
CVE-2026-54905 | NONE     | N/A   | Ruby       | ruby3.4-rails-8.1 | No                 | Yes           | Jun 25, 2026
CVE-2026-54904 | NONE     | N/A   | Ruby       | ruby3.2-rails-8.1 | No                 | Yes           | Jun 25, 2026
CVE-2026-54297 | NONE     | N/A   | Ruby       | ruby-faraday      | No                 | Yes           | Jun 25, 2026
