CVE-2026-54297

Name of the Vulnerable Software and Affected Versions Faraday versions prior to 2.14.2-2-g59334e0

Description Faraday::NestedParamsEncoder, the default nested query parameter encoder/decoder, decodes nested query strings without enforcing a maximum nesting depth. An attacker can provide a crafted query string with deeply nested parameters, causing the internal dehash() function to recursively process the structure without a limit. This leads to stack exhaustion, triggering a SystemStackError (stack level too deep) that crashes the calling Ruby thread or worker, resulting in a denial of service. This issue occurs when applications pass untrusted query strings to Faraday::Utils.parse nested query() or during URL construction via the build url() method.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.