SCA: security update for faraday (GHSA-98m9-hrrm-r99r)

high Tenable Cloud Security Plugin ID 443627

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters.
From 1.0.0 until 1.10.6 and 2.14.3, Faraday::NestedParamsEncoder, the default nested query parameter
encoder/decoder in Faraday, decodes nested query strings without enforcing a maximum nesting depth. A
crafted query string causes Faraday to build a deeply nested Ruby Hash structure. The internal dehash
routine then recursively walks this attacker-controlled structure without a depth limit. At sufficient
depth, Ruby raises an uncaught SystemStackError (stack level too deep), crashing the calling thread or
worker. This can lead to denial of service in applications that pass attacker-controlled query strings to
Faraday's nested query parsing or URL-building paths. This vulnerability is fixed in 1.10.6 and 2.14.3.
(CVE-2026-54297)

Solution

Update the faraday library and its related packages to version 1.10.6 or later.

See Also

https://github.com/advisories/GHSA-98m9-hrrm-r99r

Plugin Details

Severity: High

ID: 443627

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 6/20/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.72

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2026-54297

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/19/2026

Vulnerability Publication Date: 6/19/2026

Reference Information

CVE: CVE-2026-54297

cwe: CWE-674