Package details: pkg:hex/plug@0.12.2
purl pkg:hex/plug@0.12.2
Next non-vulnerable version 1.0.6
Latest non-vulnerable version 1.19.2
Risk 4.0
Vulnerabilities affecting this package (3)
Vulnerability Summary Fixed by
VCID-7ryv-jjw4-b7gh
Aliases:
CVE-2017-1000053
GHSA-5v4m-c73v-c7gq
Arbitrary Code Execution in Cookie Serialization
The default serialization used by Plug session may result in code execution in certain situations. Keep in mind, however, that the session cookie is signed, and this attack can only be exploited if the attacker has access to your secret key as well as your signing/encryption salts. We recommend that users change their secret key base and salts if they suspect they have been leaked, regardless of this vulnerability.
1.0.4
Affected by 1 other vulnerability.
1.1.7
Affected by 1 other vulnerability.
1.2.3
Affected by 1 other vulnerability.
1.3.2
Affected by 1 other vulnerability.
VCID-dp5c-pz39-ckhp
Aliases:
CVE-2017-1000052
GHSA-2q6v-32mr-8p8x
Null Byte Injection in Plug.Static
Plug.Static is used for serving static assets, and is vulnerable to null byte injection. If file upload functionality is provided, this can allow users to bypass filetype restrictions. We recommend that all applications that provide file upload functionality and serve those uploaded files locally with Plug.Static upgrade immediately or include the fix below. If uploaded files are instead stored and served from S3 or any other cloud storage, you are not affected.
1.0.4
Affected by 1 other vulnerability.
1.1.7
Affected by 1 other vulnerability.
1.2.3
Affected by 1 other vulnerability.
1.3.2
Affected by 1 other vulnerability.
VCID-x7su-wxws-a3gz
Aliases:
CVE-2018-1000883
GHSA-9h73-w7ch-rh73
Elixir Plug, all versions, contains a Header Injection vulnerability in Connection: given a cookie value, headers can be added. This attack appears to be exploitable by crafting a value to be sent as a cookie. This vulnerability appears to have been fixed in >= 1.3.5 or ~> 1.2.5 or ~> 1.1.9 or ~> 1.0.6.
1.0.6
Affected by 0 other vulnerabilities.
1.1.9
Affected by 0 other vulnerabilities.
1.2.5
Affected by 0 other vulnerabilities.
1.3.5
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
| --- | --- | --- | --- | --- | --- |
| 2026-06-05T18:00:30.961582+00:00 | Elixir Security Importer | Affected by | VCID-x7su-wxws-a3gz | https://github.com/dependabot/elixir-security-advisories/blob/master/packages/plug/2017-04-17.yml | 38.6.0 |
| 2026-06-05T18:00:30.083208+00:00 | Elixir Security Importer | Affected by | VCID-dp5c-pz39-ckhp | https://github.com/dependabot/elixir-security-advisories/blob/master/packages/plug/2017-02-28.yml | 38.6.0 |
| 2026-06-05T18:00:29.661829+00:00 | Elixir Security Importer | Affected by | VCID-7ryv-jjw4-b7gh | https://github.com/dependabot/elixir-security-advisories/blob/master/packages/plug/2017-02-28_2.yml | 38.6.0 |