
CVE-2026-48592 (GCVE-0-2026-48592)

Vulnerability from cvelistv5 – Published: 2026-05-26 19:46 – Updated: 2026-05-27 04:44
Title
Missing authorization check on save-job event handler in oban_web
Summary
Missing Authorization vulnerability in oban-bg oban_web ('Elixir.Oban.Web.Jobs.DetailComponent' modules) allows unauthorized job worker substitution. The handle_event("save-job", ...) handler in 'Elixir.Oban.Web.Jobs.DetailComponent' does not perform an authorization check, unlike the sibling cancel, delete, and retry handlers which all verify the caller's privileges via can?/2. An authenticated user with :read_only access can push a forged save-job LiveView WebSocket event to overwrite a job's worker field with any other existing Oban.Worker module in the application. On the job's next execution attempt, Oban will invoke perform/1 on the attacker-chosen module instead of the intended one. This issue affects oban_web: from 2.12.0 before 2.12.5. Exploitation requires the Oban.Web dashboard to be deployed and reachable by users holding less than full job-management privileges (e.g. :read_only); a dashboard exposed only to fully privileged operators does not offer this path. Fixed in 2.12.5.
CWE
  • CWE-862 - Missing Authorization
Assigner
EEF
Impacted products
Vendor Product Version
oban-bg oban_web Affected: 2.12.0 , < 2.12.5 (semver)
    cpe:2.3:a:oban_web_project:oban_web:*:*:*:*:*:*:*:*
oban-bg oban_web Affected: a17bc8c31286c9d516e2892cf5483d1c95e65d6c , < ab3c5d1d3eba06c62045f16f2cd7781c7752e248 (git)
    cpe:2.3:a:oban_web_project:oban_web:*:*:*:*:*:*:*:*
Credits
Peter Ullrich (finder), Parker Selbert (remediation developer), Jonatan Männchen (analyst)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48592",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-26T20:46:44.585227Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-26T20:46:50.037Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:oban_web_project:oban_web:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.Oban.Web.Jobs.DetailComponent\u0027"
          ],
          "packageName": "oban_web",
          "packageURL": "pkg:hex/oban_web",
          "product": "oban_web",
          "programFiles": [
            "lib/oban/web/live/jobs/detail_component.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.Oban.Web.Jobs.DetailComponent\u0027:handle_event/3"
            }
          ],
          "vendor": "oban-bg",
          "versions": [
            {
              "lessThan": "2.12.5",
              "status": "affected",
              "version": "2.12.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:oban_web_project:oban_web:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.Oban.Web.Jobs.DetailComponent\u0027"
          ],
          "packageName": "oban-bg/oban_web",
          "packageURL": "pkg:github/oban-bg/oban_web",
          "product": "oban_web",
          "programFiles": [
            "lib/oban/web/live/jobs/detail_component.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.Oban.Web.Jobs.DetailComponent\u0027:handle_event/3"
            }
          ],
          "repo": "https://github.com/oban-bg/oban_web.git",
          "vendor": "oban-bg",
          "versions": [
            {
              "lessThan": "ab3c5d1d3eba06c62045f16f2cd7781c7752e248",
              "status": "affected",
              "version": "a17bc8c31286c9d516e2892cf5483d1c95e65d6c",
              "versionType": "git"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe Oban.Web dashboard must be deployed and accessible to users with less than full job-management privileges (e.g. \u003ctt\u003e:read_only\u003c/tt\u003e).\u003c/p\u003e"
            }
          ],
          "value": "The Oban.Web dashboard must be deployed and accessible to users with less than full job-management privileges (e.g. :read_only)."
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:oban_web_project:oban_web:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.12.5",
                  "versionStartIncluding": "2.12.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "AND"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Peter Ullrich"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Parker Selbert"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Jonatan M\u00e4nnchen"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eMissing Authorization vulnerability in oban-bg oban_web (\u003ctt\u003e\u0027Elixir.Oban.Web.Jobs.DetailComponent\u0027\u003c/tt\u003e modules) allows unauthorized job worker substitution.\u003c/p\u003e\u003cp\u003eThe \u003ctt\u003ehandle_event(\"save-job\", ...)\u003c/tt\u003e handler in \u003ctt\u003e\u0027Elixir.Oban.Web.Jobs.DetailComponent\u0027\u003c/tt\u003e does not perform an authorization check, unlike the sibling \u003ctt\u003ecancel\u003c/tt\u003e, \u003ctt\u003edelete\u003c/tt\u003e, and \u003ctt\u003eretry\u003c/tt\u003e handlers which all verify the caller\u0027s privileges via \u003ctt\u003ecan?/2\u003c/tt\u003e. An authenticated user with \u003ctt\u003e:read_only\u003c/tt\u003e access can push a forged \u003ctt\u003esave-job\u003c/tt\u003e LiveView WebSocket event to overwrite a job\u0027s \u003ctt\u003eworker\u003c/tt\u003e field with any other existing \u003ctt\u003eOban.Worker\u003c/tt\u003e module in the application. On the job\u0027s next execution attempt, Oban will invoke \u003ctt\u003eperform/1\u003c/tt\u003e on the attacker-chosen module instead of the intended one.\u003c/p\u003e\u003cp\u003eThis issue affects oban_web: from 2.12.0 before 2.12.5.\u003c/p\u003e"
            }
          ],
          "value": "Missing Authorization vulnerability in oban-bg oban_web (\u0027Elixir.Oban.Web.Jobs.DetailComponent\u0027 modules) allows unauthorized job worker substitution.\n\nThe handle_event(\"save-job\", ...) handler in \u0027Elixir.Oban.Web.Jobs.DetailComponent\u0027 does not perform an authorization check, unlike the sibling cancel, delete, and retry handlers which all verify the caller\u0027s privileges via can?/2. An authenticated user with :read_only access can push a forged save-job LiveView WebSocket event to overwrite a job\u0027s worker field with any other existing Oban.Worker module in the application. On the job\u0027s next execution attempt, Oban will invoke perform/1 on the attacker-chosen module instead of the intended one.\n\nThis issue affects oban_web: from 2.12.0 before 2.12.5."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-1",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T04:44:55.904Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/oban-bg/oban_web/security/advisories/GHSA-389x-rgxr-8m33"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-48592.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-48592"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/oban-bg/oban_web/commit/ab3c5d1d3eba06c62045f16f2cd7781c7752e248"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Missing authorization check on save-job event handler in oban_web",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-48592",
    "datePublished": "2026-05-26T19:46:48.611Z",
    "dateReserved": "2026-05-22T09:36:56.834Z",
    "dateUpdated": "2026-05-27T04:44:55.904Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48593 (GCVE-0-2026-48593)

Vulnerability from cvelistv5 – Published: 2026-05-26 19:46 – Updated: 2026-05-27 04:44
Title
Unbounded range expansion in cron describe causes memory exhaustion in oban_web
Summary
Uncontrolled Resource Consumption vulnerability in oban-bg oban_web ('Elixir.Oban.Web.CronExpr' modules) allows memory exhaustion via unbounded cron range expansion. An attacker with access to schedule cron jobs can submit a malicious cron expression such as "0 0 1-100000000 * *". When a user with dashboard access views the cron job list, 'Elixir.Oban.Web.CronExpr':describe/1 is called to render the expression. parse_range/1 parses both range endpoints via Integer.parse/1 with no bounds check, and the downstream helpers expand_dom_parts/1 and expand_dow_parts/1 materialise the range eagerly via Enum.to_list/1, causing allocation of ~2.4 GB and stalling or crashing the BEAM node. A sibling helper extract_dom_values already validates range bounds, but the expansion helpers do not. This issue affects oban_web: from 2.12.0 before 2.12.5.
CWE
  • CWE-400 - Uncontrolled Resource Consumption
Assigner
EEF
Impacted products
Vendor Product Version
oban-bg oban_web Affected: 2.12.0 , < 2.12.5 (semver)
    cpe:2.3:a:oban_web_project:oban_web:*:*:*:*:*:*:*:*
oban-bg oban_web Affected: a97c7960bb389b05aaab4cf8042985f02ceddc24 , < 9998b7e284e02fdd4645dd6231760038e63b584d (git)
    cpe:2.3:a:oban_web_project:oban_web:*:*:*:*:*:*:*:*
Credits
Peter Ullrich (finder), Shannon Selbert (remediation developer), Jonatan Männchen (analyst)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48593",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-26T20:46:18.908875Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-26T20:46:24.889Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:oban_web_project:oban_web:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.Oban.Web.CronExpr\u0027"
          ],
          "packageName": "oban_web",
          "packageURL": "pkg:hex/oban_web",
          "product": "oban_web",
          "programFiles": [
            "lib/oban/web/cron_expr.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.Oban.Web.CronExpr\u0027:describe/1"
            },
            {
              "name": "\u0027Elixir.Oban.Web.CronExpr\u0027:parse_range/1"
            },
            {
              "name": "\u0027Elixir.Oban.Web.CronExpr\u0027:expand_dom_parts/1"
            },
            {
              "name": "\u0027Elixir.Oban.Web.CronExpr\u0027:expand_dow_parts/1"
            }
          ],
          "vendor": "oban-bg",
          "versions": [
            {
              "lessThan": "2.12.5",
              "status": "affected",
              "version": "2.12.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:oban_web_project:oban_web:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.Oban.Web.CronExpr\u0027"
          ],
          "packageName": "oban-bg/oban_web",
          "packageURL": "pkg:github/oban-bg/oban_web",
          "product": "oban_web",
          "programFiles": [
            "lib/oban/web/cron_expr.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.Oban.Web.CronExpr\u0027:describe/1"
            },
            {
              "name": "\u0027Elixir.Oban.Web.CronExpr\u0027:parse_range/1"
            },
            {
              "name": "\u0027Elixir.Oban.Web.CronExpr\u0027:expand_dom_parts/1"
            },
            {
              "name": "\u0027Elixir.Oban.Web.CronExpr\u0027:expand_dow_parts/1"
            }
          ],
          "repo": "https://github.com/oban-bg/oban_web.git",
          "vendor": "oban-bg",
          "versions": [
            {
              "lessThan": "9998b7e284e02fdd4645dd6231760038e63b584d",
              "status": "affected",
              "version": "a97c7960bb389b05aaab4cf8042985f02ceddc24",
              "versionType": "git"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe vulnerability is exploitable when an attacker with access to schedule cron jobs submits a malicious cron expression. The crash is triggered when a user with dashboard access views the cron job list, which calls \u003ctt\u003e\u0027Elixir.Oban.Web.CronExpr\u0027:describe/1\u003c/tt\u003e to render the expression.\u003c/p\u003e"
            }
          ],
          "value": "The vulnerability is exploitable when an attacker with access to schedule cron jobs submits a malicious cron expression. The crash is triggered when a user with dashboard access views the cron job list, which calls \u0027Elixir.Oban.Web.CronExpr\u0027:describe/1 to render the expression."
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:oban_web_project:oban_web:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.12.5",
                  "versionStartIncluding": "2.12.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "AND"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Peter Ullrich"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Shannon Selbert"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Jonatan M\u00e4nnchen"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eUncontrolled Resource Consumption vulnerability in oban-bg oban_web (\u003ctt\u003e\u0027Elixir.Oban.Web.CronExpr\u0027\u003c/tt\u003e modules) allows memory exhaustion via unbounded cron range expansion.\u003c/p\u003e\u003cp\u003eAn attacker with access to schedule cron jobs can submit a malicious cron expression such as \u003ctt\u003e\"0 0 1-100000000 * *\"\u003c/tt\u003e. When a user with dashboard access views the cron job list, \u003ctt\u003e\u0027Elixir.Oban.Web.CronExpr\u0027:describe/1\u003c/tt\u003e is called to render the expression. \u003ctt\u003eparse_range/1\u003c/tt\u003e parses both range endpoints via \u003ctt\u003eInteger.parse/1\u003c/tt\u003e with no bounds check, and the downstream helpers \u003ctt\u003eexpand_dom_parts/1\u003c/tt\u003e and \u003ctt\u003eexpand_dow_parts/1\u003c/tt\u003e materialise the range eagerly via \u003ctt\u003eEnum.to_list/1\u003c/tt\u003e, causing allocation of ~2.4 GB and stalling or crashing the BEAM node. A sibling helper \u003ctt\u003eextract_dom_values\u003c/tt\u003e already validates range bounds, but the expansion helpers do not.\u003c/p\u003e\u003cp\u003eThis issue affects oban_web: from 2.12.0 before 2.12.5.\u003c/p\u003e"
            }
          ],
          "value": "Uncontrolled Resource Consumption vulnerability in oban-bg oban_web (\u0027Elixir.Oban.Web.CronExpr\u0027 modules) allows memory exhaustion via unbounded cron range expansion.\n\nAn attacker with access to schedule cron jobs can submit a malicious cron expression such as \"0 0 1-100000000 * *\". When a user with dashboard access views the cron job list, \u0027Elixir.Oban.Web.CronExpr\u0027:describe/1 is called to render the expression. parse_range/1 parses both range endpoints via Integer.parse/1 with no bounds check, and the downstream helpers expand_dom_parts/1 and expand_dow_parts/1 materialise the range eagerly via Enum.to_list/1, causing allocation of ~2.4 GB and stalling or crashing the BEAM node. A sibling helper extract_dom_values already validates range bounds, but the expansion helpers do not.\n\nThis issue affects oban_web: from 2.12.0 before 2.12.5."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-130",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-130 Excessive Allocation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400 Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T04:44:37.981Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/oban-bg/oban_web/security/advisories/GHSA-6xh2-93p9-vqh4"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-48593.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-48593"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/oban-bg/oban_web/commit/9998b7e284e02fdd4645dd6231760038e63b584d"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Unbounded range expansion in cron describe causes memory exhaustion in oban_web",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-48593",
    "datePublished": "2026-05-26T19:46:43.980Z",
    "dateReserved": "2026-05-22T09:36:56.834Z",
    "dateUpdated": "2026-05-27T04:44:37.981Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-47073 (GCVE-0-2026-47073)

Vulnerability from cvelistv5 – Published: 2026-05-25 14:00 – Updated: 2026-05-26 19:46
Title
Unbounded memory consumption in WebSocket client in hackney
Summary
Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. The WebSocket client in src/hackney_ws.erl imposes no upper bound on memory consumption in three code paths. First, read_handshake_response/3 accumulates received bytes into a growing buffer with no size cap; the per-receive timeout resets on every chunk, so a server that streams bytes without ever sending \r\n\r\n causes the buffer to grow until memory is exhausted. Second, parse_payload/9 and parse_active_payload/8 do not validate the declared frame payload length against any limit; because RFC 6455 allows payload lengths up to 2^63-1 bytes, a server that announces a very large frame and dribbles bytes causes the accumulation buffer to grow until OOM. Third, the frag_buffer field in #ws_data{} accumulates continuation frames indefinitely; a server that sends an endless stream of non-final (nofin) fragmented frames without ever sending a final (fin) frame grows frag_buffer without bound. In all three cases the attacker only needs to control the WebSocket server the hackney client connects to, with no authentication or special client configuration required. This issue affects hackney: from 2.0.0 before 4.0.1.
CWE
  • CWE-400 - Uncontrolled Resource Consumption
Assigner
EEF
Impacted products
Vendor Product Version
benoitc hackney Affected: 2.0.0 , < 4.0.1 (semver)
    cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*
benoitc hackney Affected: 690cecaf236fba49526da404a5bc889a24367a3e , < ce0109e2970ace6e20ff29bae9d05c3ac22ec6dc (git)
    cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*
Credits
Peter Ullrich (finder), Benoit Chesneau (remediation developer), Jonatan Männchen (analyst)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-47073",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-26T15:44:41.043069Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-26T15:44:44.796Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/benoitc/hackney/security/advisories/GHSA-q8jg-fgj4-fphf"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "hackney_ws"
          ],
          "packageName": "hackney",
          "packageURL": "pkg:hex/hackney",
          "product": "hackney",
          "programFiles": [
            "src/hackney_ws.erl"
          ],
          "programRoutines": [
            {
              "name": "hackney_ws:read_handshake_response/3"
            },
            {
              "name": "hackney_ws:parse_payload/9"
            },
            {
              "name": "hackney_ws:parse_active_payload/8"
            }
          ],
          "repo": "https://github.com/benoitc/hackney",
          "vendor": "benoitc",
          "versions": [
            {
              "lessThan": "4.0.1",
              "status": "affected",
              "version": "2.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "hackney_ws"
          ],
          "packageName": "benoitc/hackney",
          "packageURL": "pkg:github/benoitc/hackney",
          "product": "hackney",
          "programFiles": [
            "src/hackney_ws.erl"
          ],
          "programRoutines": [
            {
              "name": "hackney_ws:read_handshake_response/3"
            },
            {
              "name": "hackney_ws:parse_payload/9"
            },
            {
              "name": "hackney_ws:parse_active_payload/8"
            }
          ],
          "repo": "https://github.com/benoitc/hackney",
          "vendor": "benoitc",
          "versions": [
            {
              "lessThan": "ce0109e2970ace6e20ff29bae9d05c3ac22ec6dc",
              "status": "affected",
              "version": "690cecaf236fba49526da404a5bc889a24367a3e",
              "versionType": "git"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.0.1",
                  "versionStartIncluding": "2.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "AND"
            }
          ],
          "operator": "AND"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Peter Ullrich"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Benoit Chesneau"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Jonatan M\u00e4nnchen"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding.\u003cp\u003eThe WebSocket client in \u003ctt\u003esrc/hackney_ws.erl\u003c/tt\u003e imposes no upper bound on memory consumption in three code paths. First, \u003ctt\u003eread_handshake_response/3\u003c/tt\u003e accumulates received bytes into a growing buffer with no size cap; the per-receive timeout resets on every chunk, so a server that streams bytes without ever sending \u003ctt\u003e\\r\\n\\r\\n\u003c/tt\u003e causes the buffer to grow until memory is exhausted. Second, \u003ctt\u003eparse_payload/9\u003c/tt\u003e and \u003ctt\u003eparse_active_payload/8\u003c/tt\u003e do not validate the declared frame payload length against any limit; because RFC 6455 allows payload lengths up to 2^63-1 bytes, a server that announces a very large frame and dribbles bytes causes the accumulation buffer to grow until OOM. Third, the \u003ctt\u003efrag_buffer\u003c/tt\u003e field in \u003ctt\u003e#ws_data{}\u003c/tt\u003e accumulates continuation frames indefinitely; a server that sends an endless stream of non-final (\u003ctt\u003enofin\u003c/tt\u003e) fragmented frames without ever sending a final (\u003ctt\u003efin\u003c/tt\u003e) frame grows \u003ctt\u003efrag_buffer\u003c/tt\u003e without bound.\u003c/p\u003e\u003cp\u003eIn all three cases the attacker only needs to control the WebSocket server the hackney client connects to, with no authentication or special client configuration required.\u003c/p\u003e\u003cp\u003eThis issue affects hackney: from 2.0.0 before 4.0.1.\u003c/p\u003e"
            }
          ],
          "value": "Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. The WebSocket client in src/hackney_ws.erl imposes no upper bound on memory consumption in three code paths. First, read_handshake_response/3 accumulates received bytes into a growing buffer with no size cap; the per-receive timeout resets on every chunk, so a server that streams bytes without ever sending \\r\\n\\r\\n causes the buffer to grow until memory is exhausted. Second, parse_payload/9 and parse_active_payload/8 do not validate the declared frame payload length against any limit; because RFC 6455 allows payload lengths up to 2^63-1 bytes, a server that announces a very large frame and dribbles bytes causes the accumulation buffer to grow until OOM. Third, the frag_buffer field in #ws_data{} accumulates continuation frames indefinitely; a server that sends an endless stream of non-final (nofin) fragmented frames without ever sending a final (fin) frame grows frag_buffer without bound.\n\nIn all three cases the attacker only needs to control the WebSocket server the hackney client connects to, with no authentication or special client configuration required.\n\nThis issue affects hackney: from 2.0.0 before 4.0.1."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-125",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-125 Flooding"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400 Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-26T19:46:50.123Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/benoitc/hackney/security/advisories/GHSA-q8jg-fgj4-fphf"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-47073.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-47073"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/benoitc/hackney/commit/ce0109e2970ace6e20ff29bae9d05c3ac22ec6dc"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Unbounded memory consumption in WebSocket client in hackney",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-47073",
    "datePublished": "2026-05-25T14:00:49.112Z",
    "dateReserved": "2026-05-18T17:28:08.322Z",
    "dateUpdated": "2026-05-26T19:46:50.123Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-47067 (GCVE-0-2026-47067)

Vulnerability from cvelistv5 – Published: 2026-05-25 14:00 – Updated: 2026-05-26 19:46
Title
Atom table exhaustion via unrecognized URL schemes in hackney
Summary
Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. The URL parser in src/hackney_url.erl converts every unrecognized URL scheme to a permanent BEAM atom via binary_to_atom/2. BEAM atoms are never garbage-collected and the atom table defaults to a hard limit of 1,048,576 entries. An attacker who can supply URLs with attacker-chosen scheme prefixes — directly as request targets, as configured webhook URLs, or via Location headers followed during redirects — can exhaust the atom table and crash the entire BEAM VM with system_limit. This issue affects hackney: from 2.0.0 before 4.0.1.
CWE
  • CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
EEF
Impacted products
Vendor Product Version
benoitc hackney Affected: 2.0.0 , < 4.0.1 (semver)
    cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*
benoitc hackney Affected: d9713695c0d99855d12c73fd8a0b4be0543950c4 , < 31f6f0e27e096ad88743dfded4f030a3ee74972e (git)
    cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*
Credits
Peter Ullrich Benoit Chesneau Jonatan Männchen

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-47067",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-26T15:45:32.232194Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-26T15:45:36.464Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/benoitc/hackney/security/advisories/GHSA-9653-rcfr-5c62"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "hackney_url"
          ],
          "packageName": "hackney",
          "packageURL": "pkg:hex/hackney",
          "product": "hackney",
          "programFiles": [
            "src/hackney_url.erl"
          ],
          "programRoutines": [
            {
              "name": "hackney_url:parse_url/1"
            }
          ],
          "repo": "https://github.com/benoitc/hackney",
          "vendor": "benoitc",
          "versions": [
            {
              "lessThan": "4.0.1",
              "status": "affected",
              "version": "2.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "hackney_url"
          ],
          "packageName": "benoitc/hackney",
          "packageURL": "pkg:github/benoitc/hackney",
          "product": "hackney",
          "programFiles": [
            "src/hackney_url.erl"
          ],
          "programRoutines": [
            {
              "name": "hackney_url:parse_url/1"
            }
          ],
          "repo": "https://github.com/benoitc/hackney",
          "vendor": "benoitc",
          "versions": [
            {
              "lessThan": "31f6f0e27e096ad88743dfded4f030a3ee74972e",
              "status": "affected",
              "version": "d9713695c0d99855d12c73fd8a0b4be0543950c4",
              "versionType": "git"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.0.1",
                  "versionStartIncluding": "2.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "AND"
            }
          ],
          "operator": "AND"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Peter Ullrich"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Benoit Chesneau"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Jonatan M\u00e4nnchen"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding.\u003cp\u003eThe URL parser in \u003ctt\u003esrc/hackney_url.erl\u003c/tt\u003e converts every unrecognized URL scheme to a permanent BEAM atom via \u003ctt\u003ebinary_to_atom/2\u003c/tt\u003e. BEAM atoms are never garbage-collected and the atom table defaults to a hard limit of 1,048,576 entries. An attacker who can supply URLs with attacker-chosen scheme prefixes \u2014 directly as request targets, as configured webhook URLs, or via \u003ctt\u003eLocation\u003c/tt\u003e headers followed during redirects \u2014 can exhaust the atom table and crash the entire BEAM VM with \u003ctt\u003esystem_limit\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects hackney: from 2.0.0 before 4.0.1.\u003c/p\u003e"
            }
          ],
          "value": "Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. The URL parser in src/hackney_url.erl converts every unrecognized URL scheme to a permanent BEAM atom via binary_to_atom/2. BEAM atoms are never garbage-collected and the atom table defaults to a hard limit of 1,048,576 entries. An attacker who can supply URLs with attacker-chosen scheme prefixes \u2014 directly as request targets, as configured webhook URLs, or via Location headers followed during redirects \u2014 can exhaust the atom table and crash the entire BEAM VM with system_limit.\n\nThis issue affects hackney: from 2.0.0 before 4.0.1."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-125",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-125 Flooding"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-26T19:46:49.558Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/benoitc/hackney/security/advisories/GHSA-9653-rcfr-5c62"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-47067.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-47067"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/benoitc/hackney/commit/31f6f0e27e096ad88743dfded4f030a3ee74972e"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Atom table exhaustion via unrecognized URL schemes in hackney",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-47067",
    "datePublished": "2026-05-25T14:00:48.507Z",
    "dateReserved": "2026-05-18T17:28:08.321Z",
    "dateUpdated": "2026-05-26T19:46:49.558Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-47072 (GCVE-0-2026-47072)

Vulnerability from cvelistv5 – Published: 2026-05-25 14:00 – Updated: 2026-05-26 19:46
Title
CRLF injection in WebSocket upgrade request in hackney
Summary
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in benoitc hackney allows HTTP Request/Response Splitting. The WebSocket upgrade code in src/hackney_ws.erl copies the host, path, headers (ExtraHeaders), and protocols options from the caller-supplied opts map into the internal #ws_data{} record in init/1 and then splices them verbatim into the raw HTTP/1.1 upgrade request by binary concatenation in do_handshake/1. No CRLF or NUL stripping is performed at any of these four injection sites. An attacker who controls any of these options — for example by forwarding URL components or header values from untrusted input into hackney_ws:start_link/1 — can inject arbitrary HTTP headers into the outbound WebSocket upgrade request, leading to header injection, credential spoofing toward the upstream server, log and cache poisoning, or request smuggling via intermediary proxies. This issue affects hackney: from 2.0.0 before 4.0.1.
CWE
  • CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Assigner
EEF
Impacted products
Vendor Product Version
benoitc hackney Affected: 2.0.0 , < 4.0.1 (semver)
    cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*
benoitc hackney Affected: 690cecaf236fba49526da404a5bc889a24367a3e , < 52310ca807e7b48441ba0e9129171f535313fdd1 (git)
    cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*
Credits
Peter Ullrich Benoit Chesneau Jonatan Männchen

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-47072",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-26T15:46:12.092004Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-26T15:46:14.885Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/benoitc/hackney/security/advisories/GHSA-f9vr-g2g2-x9fg"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "hackney_ws"
          ],
          "packageName": "hackney",
          "packageURL": "pkg:hex/hackney",
          "product": "hackney",
          "programFiles": [
            "src/hackney_ws.erl"
          ],
          "programRoutines": [
            {
              "name": "hackney_ws:do_handshake/1"
            },
            {
              "name": "hackney_ws:init/1"
            }
          ],
          "repo": "https://github.com/benoitc/hackney",
          "vendor": "benoitc",
          "versions": [
            {
              "lessThan": "4.0.1",
              "status": "affected",
              "version": "2.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "hackney_ws"
          ],
          "packageName": "benoitc/hackney",
          "packageURL": "pkg:github/benoitc/hackney",
          "product": "hackney",
          "programFiles": [
            "src/hackney_ws.erl"
          ],
          "programRoutines": [
            {
              "name": "hackney_ws:do_handshake/1"
            },
            {
              "name": "hackney_ws:init/1"
            }
          ],
          "repo": "https://github.com/benoitc/hackney",
          "vendor": "benoitc",
          "versions": [
            {
              "lessThan": "52310ca807e7b48441ba0e9129171f535313fdd1",
              "status": "affected",
              "version": "690cecaf236fba49526da404a5bc889a24367a3e",
              "versionType": "git"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.0.1",
                  "versionStartIncluding": "2.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "AND"
            }
          ],
          "operator": "AND"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Peter Ullrich"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Benoit Chesneau"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Jonatan M\u00e4nnchen"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027) vulnerability in benoitc hackney allows HTTP Request/Response Splitting.\u003cp\u003eThe WebSocket upgrade code in \u003ctt\u003esrc/hackney_ws.erl\u003c/tt\u003e copies the \u003ctt\u003ehost\u003c/tt\u003e, \u003ctt\u003epath\u003c/tt\u003e, \u003ctt\u003eheaders\u003c/tt\u003e (ExtraHeaders), and \u003ctt\u003eprotocols\u003c/tt\u003e options from the caller-supplied opts map into the internal \u003ctt\u003e#ws_data{}\u003c/tt\u003e record in \u003ctt\u003einit/1\u003c/tt\u003e and then splices them verbatim into the raw HTTP/1.1 upgrade request by binary concatenation in \u003ctt\u003edo_handshake/1\u003c/tt\u003e. No CRLF or NUL stripping is performed at any of these four injection sites. An attacker who controls any of these options \u2014 for example by forwarding URL components or header values from untrusted input into \u003ctt\u003ehackney_ws:start_link/1\u003c/tt\u003e \u2014 can inject arbitrary HTTP headers into the outbound WebSocket upgrade request, leading to header injection, credential spoofing toward the upstream server, log and cache poisoning, or request smuggling via intermediary proxies.\u003c/p\u003e\u003cp\u003eThis issue affects hackney: from 2.0.0 before 4.0.1.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027) vulnerability in benoitc hackney allows HTTP Request/Response Splitting. The WebSocket upgrade code in src/hackney_ws.erl copies the host, path, headers (ExtraHeaders), and protocols options from the caller-supplied opts map into the internal #ws_data{} record in init/1 and then splices them verbatim into the raw HTTP/1.1 upgrade request by binary concatenation in do_handshake/1. No CRLF or NUL stripping is performed at any of these four injection sites. An attacker who controls any of these options \u2014 for example by forwarding URL components or header values from untrusted input into hackney_ws:start_link/1 \u2014 can inject arbitrary HTTP headers into the outbound WebSocket upgrade request, leading to header injection, credential spoofing toward the upstream server, log and cache poisoning, or request smuggling via intermediary proxies.\n\nThis issue affects hackney: from 2.0.0 before 4.0.1."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-33",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-33 HTTP Request Smuggling"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-93",
              "description": "CWE-93 Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-26T19:46:48.965Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/benoitc/hackney/security/advisories/GHSA-f9vr-g2g2-x9fg"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-47072.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-47072"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/benoitc/hackney/commit/52310ca807e7b48441ba0e9129171f535313fdd1"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "CRLF injection in WebSocket upgrade request in hackney",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-47072",
    "datePublished": "2026-05-25T14:00:47.852Z",
    "dateReserved": "2026-05-18T17:28:08.322Z",
    "dateUpdated": "2026-05-26T19:46:48.965Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-47076 (GCVE-0-2026-47076)

Vulnerability from cvelistv5 – Published: 2026-05-25 14:00 – Updated: 2026-05-26 19:46
Title
SSRF allowlist bypass via percent-encoded host in hackney
Summary
Interpretation Conflict vulnerability in benoitc hackney allows Server Side Request Forgery. hackney_url:normalize/2 URL-decodes the host component after the URL has been parsed into a #hackney_url{} record. OTP's uri_string:parse/1 and inet:parse_address/1 do not decode percent-escapes in the host, so a URL such as http://%31%32%37%2E%30%2E%30%2E%31/ is seen by a caller's allowlist validator with host %31%32%37%2E%30%2E%30%2E%31 (not an IP address), which passes the allowlist check. hackney's normalizer then decodes the host to 127.0.0.1 and opens a TCP connection to loopback. Because hackney:request/5 always calls hackney_url:normalize/2 with no opt-out, every request that takes a binary or list URL is affected. The same technique reaches cloud instance metadata services (169.254.169.254), RFC1918 networks, and any admin interface listening on localhost. This issue affects hackney: from 0.13.0 before 4.0.1.
CWE
  • CWE-436 - Interpretation Conflict
  • CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
EEF
Impacted products
Vendor Product Version
benoitc hackney Affected: 0.13.0 , < 4.0.1 (semver)
    cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*
benoitc hackney Affected: 4d725507588942fd00efca15b86da3273656510a , < 452620a92ec1da2e6b4862a049a2a4f04b42068f (git)
    cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*
Credits
Ganbagana Benoit Chesneau Jonatan Männchen

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-47076",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-26T15:46:49.956392Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-26T15:46:52.424Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/benoitc/hackney/security/advisories/GHSA-pj7v-xfvx-wmjq"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "hackney_url"
          ],
          "packageName": "hackney",
          "packageURL": "pkg:hex/hackney",
          "product": "hackney",
          "programFiles": [
            "src/hackney_url.erl"
          ],
          "programRoutines": [
            {
              "name": "hackney_url:normalize/2"
            }
          ],
          "repo": "https://github.com/benoitc/hackney",
          "vendor": "benoitc",
          "versions": [
            {
              "lessThan": "4.0.1",
              "status": "affected",
              "version": "0.13.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "hackney_url"
          ],
          "packageName": "benoitc/hackney",
          "packageURL": "pkg:github/benoitc/hackney",
          "product": "hackney",
          "programFiles": [
            "src/hackney_url.erl"
          ],
          "programRoutines": [
            {
              "name": "hackney_url:normalize/2"
            }
          ],
          "repo": "https://github.com/benoitc/hackney",
          "vendor": "benoitc",
          "versions": [
            {
              "lessThan": "452620a92ec1da2e6b4862a049a2a4f04b42068f",
              "status": "affected",
              "version": "4d725507588942fd00efca15b86da3273656510a",
              "versionType": "git"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.0.1",
                  "versionStartIncluding": "0.13.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "AND"
            }
          ],
          "operator": "AND"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Ganbagana"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Benoit Chesneau"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Jonatan M\u00e4nnchen"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Interpretation Conflict vulnerability in benoitc hackney allows Server Side Request Forgery.\u003cp\u003e\u003ctt\u003ehackney_url:normalize/2\u003c/tt\u003e URL-decodes the host component after the URL has been parsed into a \u003ctt\u003e#hackney_url{}\u003c/tt\u003e record. OTP\u0027s \u003ctt\u003euri_string:parse/1\u003c/tt\u003e and \u003ctt\u003einet:parse_address/1\u003c/tt\u003e do not decode percent-escapes in the host, so a URL such as \u003ctt\u003ehttp://%31%32%37%2E%30%2E%30%2E%31/\u003c/tt\u003e is seen by a caller\u0027s allowlist validator with host \u003ctt\u003e%31%32%37%2E%30%2E%30%2E%31\u003c/tt\u003e (not an IP address), which passes the allowlist check. hackney\u0027s normalizer then decodes the host to \u003ctt\u003e127.0.0.1\u003c/tt\u003e and opens a TCP connection to loopback. Because \u003ctt\u003ehackney:request/5\u003c/tt\u003e always calls \u003ctt\u003ehackney_url:normalize/2\u003c/tt\u003e with no opt-out, every request that takes a binary or list URL is affected. The same technique reaches cloud instance metadata services (169.254.169.254), RFC1918 networks, and any admin interface listening on localhost.\u003c/p\u003e\u003cp\u003eThis issue affects hackney: from 0.13.0 before 4.0.1.\u003c/p\u003e"
            }
          ],
          "value": "Interpretation Conflict vulnerability in benoitc hackney allows Server Side Request Forgery. hackney_url:normalize/2 URL-decodes the host component after the URL has been parsed into a #hackney_url{} record. OTP\u0027s uri_string:parse/1 and inet:parse_address/1 do not decode percent-escapes in the host, so a URL such as http://%31%32%37%2E%30%2E%30%2E%31/ is seen by a caller\u0027s allowlist validator with host %31%32%37%2E%30%2E%30%2E%31 (not an IP address), which passes the allowlist check. hackney\u0027s normalizer then decodes the host to 127.0.0.1 and opens a TCP connection to loopback. Because hackney:request/5 always calls hackney_url:normalize/2 with no opt-out, every request that takes a binary or list URL is affected. The same technique reaches cloud instance metadata services (169.254.169.254), RFC1918 networks, and any admin interface listening on localhost.\n\nThis issue affects hackney: from 0.13.0 before 4.0.1."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-664",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-664 Server Side Request Forgery"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-436",
              "description": "CWE-436 Interpretation Conflict",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918 Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-26T19:46:47.538Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/benoitc/hackney/security/advisories/GHSA-pj7v-xfvx-wmjq"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-47076.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-47076"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/benoitc/hackney/commit/452620a92ec1da2e6b4862a049a2a4f04b42068f"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "SSRF allowlist bypass via percent-encoded host in hackney",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-47076",
    "datePublished": "2026-05-25T14:00:46.707Z",
    "dateReserved": "2026-05-18T17:28:10.319Z",
    "dateUpdated": "2026-05-26T19:46:47.538Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-47070 (GCVE-0-2026-47070)

Vulnerability from cvelistv5 – Published: 2026-05-25 14:00 – Updated: 2026-05-26 19:46
Title
HTTP/3 redirect handler leaks Authorization and Cookie headers to cross-origin redirect target in hackney
Summary
Sensitive Data Exposure vulnerability in benoitc hackney allows Retrieve Embedded Sensitive Data. The HTTP/3 redirect handler in src/hackney_h3.erl passes the original request headers unchanged to the redirect target without performing any cross-origin check. When a client issues an HTTP/3 request with follow_redirect enabled and includes Authorization or Cookie headers, a server responding with a 3xx redirect to a different host will cause the client to forward those credentials verbatim to the new origin. The main hackney.erl module has maybe_strip_auth_on_redirect/2 (guarded by the location_trusted option) to address CVE-2018-1000007, but hackney_h3.erl is missing this protection entirely. This issue affects hackney: from 3.1.1 before 4.0.1.
CWE
  • CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
EEF
Impacted products
Vendor Product Version
benoitc hackney Affected: 3.1.1 , < 4.0.1 (semver)
    cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*
benoitc hackney Affected: e61b7d04b7826847e1efe614106ef4d580c78eab , < c58d5b50bade146360b85caf3dc8065807b08246 (git)
    cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*
Credits
Peter Ullrich Benoit Chesneau Jonatan Männchen

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-47070",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-26T15:47:18.083809Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-26T15:47:21.139Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/benoitc/hackney/security/advisories/GHSA-h73q-4w9q-82h4"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "hackney_h3"
          ],
          "packageName": "hackney",
          "packageURL": "pkg:hex/hackney",
          "product": "hackney",
          "programFiles": [
            "src/hackney_h3.erl"
          ],
          "programRoutines": [
            {
              "name": "hackney_h3:handle_redirect/11"
            },
            {
              "name": "hackney_h3:do_request_with_redirect/8"
            }
          ],
          "repo": "https://github.com/benoitc/hackney",
          "vendor": "benoitc",
          "versions": [
            {
              "lessThan": "4.0.1",
              "status": "affected",
              "version": "3.1.1",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "hackney_h3"
          ],
          "packageName": "benoitc/hackney",
          "packageURL": "pkg:github/benoitc/hackney",
          "product": "hackney",
          "programFiles": [
            "src/hackney_h3.erl"
          ],
          "programRoutines": [
            {
              "name": "hackney_h3:handle_redirect/11"
            },
            {
              "name": "hackney_h3:do_request_with_redirect/8"
            }
          ],
          "repo": "https://github.com/benoitc/hackney",
          "vendor": "benoitc",
          "versions": [
            {
              "lessThan": "c58d5b50bade146360b85caf3dc8065807b08246",
              "status": "affected",
              "version": "e61b7d04b7826847e1efe614106ef4d580c78eab",
              "versionType": "git"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.0.1",
                  "versionStartIncluding": "3.1.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "AND"
            }
          ],
          "operator": "AND"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Peter Ullrich"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Benoit Chesneau"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Jonatan M\u00e4nnchen"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Sensitive Data Exposure vulnerability in benoitc hackney allows Retrieve Embedded Sensitive Data.\u003cp\u003eThe HTTP/3 redirect handler in \u003ctt\u003esrc/hackney_h3.erl\u003c/tt\u003e passes the original request headers unchanged to the redirect target without performing any cross-origin check. When a client issues an HTTP/3 request with \u003ctt\u003efollow_redirect\u003c/tt\u003e enabled and includes \u003ctt\u003eAuthorization\u003c/tt\u003e or \u003ctt\u003eCookie\u003c/tt\u003e headers, a server responding with a \u003ctt\u003e3xx\u003c/tt\u003e redirect to a different host will cause the client to forward those credentials verbatim to the new origin.\u003c/p\u003e\u003cp\u003eThe main \u003ctt\u003ehackney.erl\u003c/tt\u003e module has \u003ctt\u003emaybe_strip_auth_on_redirect/2\u003c/tt\u003e (guarded by the \u003ctt\u003elocation_trusted\u003c/tt\u003e option) to address CVE-2018-1000007, but \u003ctt\u003ehackney_h3.erl\u003c/tt\u003e is missing this protection entirely.\u003c/p\u003e\u003cp\u003eThis issue affects hackney: from 3.1.1 before 4.0.1.\u003c/p\u003e"
            }
          ],
          "value": "Sensitive Data Exposure vulnerability in benoitc hackney allows Retrieve Embedded Sensitive Data. The HTTP/3 redirect handler in src/hackney_h3.erl passes the original request headers unchanged to the redirect target without performing any cross-origin check. When a client issues an HTTP/3 request with follow_redirect enabled and includes Authorization or Cookie headers, a server responding with a 3xx redirect to a different host will cause the client to forward those credentials verbatim to the new origin.\n\nThe main hackney.erl module has maybe_strip_auth_on_redirect/2 (guarded by the location_trusted option) to address CVE-2018-1000007, but hackney_h3.erl is missing this protection entirely.\n\nThis issue affects hackney: from 3.1.1 before 4.0.1."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-37",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-37 Retrieve Embedded Sensitive Data"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-601",
              "description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-26T19:46:47.152Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/benoitc/hackney/security/advisories/GHSA-h73q-4w9q-82h4"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-47070.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-47070"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/benoitc/hackney/commit/c58d5b50bade146360b85caf3dc8065807b08246"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "HTTP/3 redirect handler leaks Authorization and Cookie headers to cross-origin redirect target in hackney",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-47070",
    "datePublished": "2026-05-25T14:00:46.420Z",
    "dateReserved": "2026-05-18T17:28:08.322Z",
    "dateUpdated": "2026-05-26T19:46:47.152Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-47075 (GCVE-0-2026-47075)

Vulnerability from cvelistv5 – Published: 2026-05-25 14:00 – Updated: 2026-05-26 19:46
Title
CR/LF injection in query parameter in hackney
Summary
Improper Neutralization of CRLF Sequences vulnerability in benoitc hackney allows HTTP Request Splitting. hackney does not percent-encode carriage return (\r) or line feed (\n) characters in the URL query component before constructing the HTTP/1.1 request target. Characters outside the grammar defined in RFC 3986 Section 3.4 must be percent-encoded, but hackney_url:make_url/3 passes the query binary directly without validation or escaping. An attacker who can control all or part of a URL passed to hackney can inject raw CRLF sequences into the query string, which are then sent as HTTP line breaks in the request target. This enables injection of arbitrary HTTP headers or splitting of the HTTP request. This issue affects hackney: from 0 before 4.0.1.
CWE
  • CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Assigner
EEF
Impacted products
Vendor Product Version
benoitc hackney Affected: 0 , < 4.0.1 (semver)
    cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*
benoitc hackney Affected: 8bb1a359a81ae58567c84f8d24564e9742e6f2bd , < ca73dd0aba0ed557449c18288bf07241671a43c9 (git)
    cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*
Credits
tepel-chen Benoit Chesneau Jonatan Männchen

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-47075",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-26T15:50:04.477395Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-26T15:50:09.349Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/benoitc/hackney/security/advisories/GHSA-j9wq-vxxc-94wf"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "hackney_url"
          ],
          "packageName": "hackney",
          "packageURL": "pkg:hex/hackney",
          "product": "hackney",
          "programFiles": [
            "src/hackney_url.erl"
          ],
          "programRoutines": [
            {
              "name": "hackney_url:make_url/3"
            }
          ],
          "repo": "https://github.com/benoitc/hackney",
          "vendor": "benoitc",
          "versions": [
            {
              "lessThan": "4.0.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "hackney_url"
          ],
          "packageName": "benoitc/hackney",
          "packageURL": "pkg:github/benoitc/hackney",
          "product": "hackney",
          "programFiles": [
            "src/hackney_url.erl"
          ],
          "programRoutines": [
            {
              "name": "hackney_url:make_url/3"
            }
          ],
          "repo": "https://github.com/benoitc/hackney",
          "vendor": "benoitc",
          "versions": [
            {
              "lessThan": "ca73dd0aba0ed557449c18288bf07241671a43c9",
              "status": "affected",
              "version": "8bb1a359a81ae58567c84f8d24564e9742e6f2bd",
              "versionType": "git"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.0.1",
                  "versionStartIncluding": "0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "AND"
            }
          ],
          "operator": "AND"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "tepel-chen"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Benoit Chesneau"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Jonatan M\u00e4nnchen"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Neutralization of CRLF Sequences vulnerability in benoitc hackney allows HTTP Request Splitting.\u003cp\u003ehackney does not percent-encode carriage return (\u003ctt\u003e\\r\u003c/tt\u003e) or line feed (\u003ctt\u003e\\n\u003c/tt\u003e) characters in the URL query component before constructing the HTTP/1.1 request target. Characters outside the grammar defined in RFC 3986 Section 3.4 must be percent-encoded, but \u003ctt\u003ehackney_url:make_url/3\u003c/tt\u003e passes the query binary directly without validation or escaping. An attacker who can control all or part of a URL passed to hackney can inject raw CRLF sequences into the query string, which are then sent as HTTP line breaks in the request target. This enables injection of arbitrary HTTP headers or splitting of the HTTP request.\u003c/p\u003e\u003cp\u003eThis issue affects hackney: from 0 before 4.0.1.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of CRLF Sequences vulnerability in benoitc hackney allows HTTP Request Splitting. hackney does not percent-encode carriage return (\\r) or line feed (\\n) characters in the URL query component before constructing the HTTP/1.1 request target. Characters outside the grammar defined in RFC 3986 Section 3.4 must be percent-encoded, but hackney_url:make_url/3 passes the query binary directly without validation or escaping. An attacker who can control all or part of a URL passed to hackney can inject raw CRLF sequences into the query string, which are then sent as HTTP line breaks in the request target. This enables injection of arbitrary HTTP headers or splitting of the HTTP request.\n\nThis issue affects hackney: from 0 before 4.0.1."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-105",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-105 HTTP Request Splitting"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "ACTIVE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "HIGH"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-93",
              "description": "CWE-93 Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-26T19:46:46.532Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/benoitc/hackney/security/advisories/GHSA-j9wq-vxxc-94wf"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-47075.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-47075"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/benoitc/hackney/commit/ca73dd0aba0ed557449c18288bf07241671a43c9"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "CR/LF injection in query parameter in hackney",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-47075",
    "datePublished": "2026-05-25T14:00:45.781Z",
    "dateReserved": "2026-05-18T17:28:08.322Z",
    "dateUpdated": "2026-05-26T19:46:46.532Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-47077 (GCVE-0-2026-47077)

Vulnerability from cvelistv5 – Published: 2026-05-25 14:00 – Updated: 2026-05-26 19:46
Title
Unbounded body accumulation in HTTP/3 response loop in hackney
Summary
Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. hackney_h3:await_response_loop/6 accumulates the HTTP/3 response body in memory without any size cap. The after Timeout clause is a per-message inactivity timer that resets on every received chunk, housekeeping message, or settings frame — it is not a wall-clock deadline. A malicious HTTP/3 server that emits one small chunk every Timeout - 1 ms with Fin = false and never sends a final frame keeps the loop alive indefinitely while the accumulation buffer grows linearly without bound, eventually exhausting the BEAM process heap and causing an out-of-memory condition. This issue affects hackney: from 2.0.0 before 4.0.1.
CWE
  • CWE-400 - Uncontrolled Resource Consumption
Assigner
EEF
Impacted products
Vendor Product Version
benoitc hackney Affected: 2.0.0 , < 4.0.1 (semver)
    cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*
benoitc hackney Affected: 0334af206d5099fdf510ed9eda18e34396f065ad , < 3d25f9fea26c90609de9d64366fedfe5065413bc (git)
    cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*
Credits
Peter Ullrich Benoit Chesneau Jonatan Männchen

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-47077",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-26T15:47:51.427632Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-26T15:47:54.752Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/benoitc/hackney/security/advisories/GHSA-jq4m-q6p2-8gwc"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "hackney_h3"
          ],
          "packageName": "hackney",
          "packageURL": "pkg:hex/hackney",
          "product": "hackney",
          "programFiles": [
            "src/hackney_h3.erl"
          ],
          "programRoutines": [
            {
              "name": "hackney_h3:await_response_loop/6"
            }
          ],
          "repo": "https://github.com/benoitc/hackney",
          "vendor": "benoitc",
          "versions": [
            {
              "lessThan": "4.0.1",
              "status": "affected",
              "version": "2.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "hackney_h3"
          ],
          "packageName": "benoitc/hackney",
          "packageURL": "pkg:github/benoitc/hackney",
          "product": "hackney",
          "programFiles": [
            "src/hackney_h3.erl"
          ],
          "programRoutines": [
            {
              "name": "hackney_h3:await_response_loop/6"
            }
          ],
          "repo": "https://github.com/benoitc/hackney",
          "vendor": "benoitc",
          "versions": [
            {
              "lessThan": "3d25f9fea26c90609de9d64366fedfe5065413bc",
              "status": "affected",
              "version": "0334af206d5099fdf510ed9eda18e34396f065ad",
              "versionType": "git"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The application must use the HTTP/3 transport by calling \u003ctt\u003ehackney_h3\u003c/tt\u003e directly or by passing \u003ctt\u003e{transport, h3}\u003c/tt\u003e to \u003ctt\u003ehackney:request/5\u003c/tt\u003e. The default hackney transport (TCP/TLS) is not affected."
            }
          ],
          "value": "The application must use the HTTP/3 transport by calling hackney_h3 directly or by passing {transport, h3} to hackney:request/5. The default hackney transport (TCP/TLS) is not affected."
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.0.1",
                  "versionStartIncluding": "2.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "AND"
            }
          ],
          "operator": "AND"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Peter Ullrich"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Benoit Chesneau"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Jonatan M\u00e4nnchen"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding.\u003cp\u003e\u003ctt\u003ehackney_h3:await_response_loop/6\u003c/tt\u003e accumulates the HTTP/3 response body in memory without any size cap. The \u003ctt\u003eafter Timeout\u003c/tt\u003e clause is a per-message inactivity timer that resets on every received chunk, housekeeping message, or settings frame \u2014 it is not a wall-clock deadline. A malicious HTTP/3 server that emits one small chunk every \u003ctt\u003eTimeout - 1\u003c/tt\u003e ms with \u003ctt\u003eFin = false\u003c/tt\u003e and never sends a final frame keeps the loop alive indefinitely while the accumulation buffer grows linearly without bound, eventually exhausting the BEAM process heap and causing an out-of-memory condition.\u003c/p\u003e\u003cp\u003eThis issue affects hackney: from 2.0.0 before 4.0.1.\u003c/p\u003e"
            }
          ],
          "value": "Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. hackney_h3:await_response_loop/6 accumulates the HTTP/3 response body in memory without any size cap. The after Timeout clause is a per-message inactivity timer that resets on every received chunk, housekeeping message, or settings frame \u2014 it is not a wall-clock deadline. A malicious HTTP/3 server that emits one small chunk every Timeout - 1 ms with Fin = false and never sends a final frame keeps the loop alive indefinitely while the accumulation buffer grows linearly without bound, eventually exhausting the BEAM process heap and causing an out-of-memory condition.\n\nThis issue affects hackney: from 2.0.0 before 4.0.1."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-125",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-125 Flooding"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400 Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-26T19:46:43.179Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/benoitc/hackney/security/advisories/GHSA-jq4m-q6p2-8gwc"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-47077.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-47077"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/benoitc/hackney/commit/3d25f9fea26c90609de9d64366fedfe5065413bc"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Unbounded body accumulation in HTTP/3 response loop in hackney",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-47077",
    "datePublished": "2026-05-25T14:00:42.217Z",
    "dateReserved": "2026-05-18T17:28:10.319Z",
    "dateUpdated": "2026-05-26T19:46:43.179Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-47071 (GCVE-0-2026-47071)

Vulnerability from cvelistv5 – Published: 2026-05-25 14:00 – Updated: 2026-05-26 19:46
Title
SOCKS5 TLS upgrade ignores caller timeout in hackney
Summary
Uncontrolled Resource Consumption vulnerability in benoitc hackney allows Flooding. The SOCKS5 transport in src/hackney_socks5.erl correctly applies the caller-supplied timeout to the SOCKS5 negotiation phase, but then upgrades the connection to TLS using the two-argument form ssl:connect/2, which defaults to an infinite timeout. The Timeout value is in scope at the call site but is not forwarded. A hostile SOCKS5 proxy that completes the SOCKS5 handshake normally and then goes silent (or sends a partial TLS ServerHello and stalls) will cause the connecting process to block indefinitely, regardless of the connect_timeout or recv_timeout options supplied by the caller. This issue affects hackney: from 0.10.0 before 4.0.1.
CWE
  • CWE-400 - Uncontrolled Resource Consumption
Assigner
EEF
Impacted products
Vendor Product Version
benoitc hackney Affected: 0.10.0, < 4.0.1 (semver)
    cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*
benoitc hackney Affected: 34cdbd1d20a282aacc286a89327465a3925b4c5d, < 5ccdab725c561a6f03d05a51f2d0664f98236dae (git)
    cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*
Credits
Peter Ullrich Benoit Chesneau Jonatan Männchen

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-47071",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-26T15:48:41.704626Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-26T15:48:45.842Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/benoitc/hackney/security/advisories/GHSA-gp9c-pm5m-5cxr"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "hackney_socks5"
          ],
          "packageName": "hackney",
          "packageURL": "pkg:hex/hackney",
          "product": "hackney",
          "programFiles": [
            "src/hackney_socks5.erl"
          ],
          "programRoutines": [
            {
              "name": "hackney_socks5:connect/4"
            }
          ],
          "repo": "https://github.com/benoitc/hackney",
          "vendor": "benoitc",
          "versions": [
            {
              "lessThan": "4.0.1",
              "status": "affected",
              "version": "0.10.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "hackney_socks5"
          ],
          "packageName": "benoitc/hackney",
          "packageURL": "pkg:github/benoitc/hackney",
          "product": "hackney",
          "programFiles": [
            "src/hackney_socks5.erl"
          ],
          "programRoutines": [
            {
              "name": "hackney_socks5:connect/4"
            }
          ],
          "repo": "https://github.com/benoitc/hackney",
          "vendor": "benoitc",
          "versions": [
            {
              "lessThan": "5ccdab725c561a6f03d05a51f2d0664f98236dae",
              "status": "affected",
              "version": "34cdbd1d20a282aacc286a89327465a3925b4c5d",
              "versionType": "git"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.0.1",
                  "versionStartIncluding": "0.10.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "AND"
            }
          ],
          "operator": "AND"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Peter Ullrich"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Benoit Chesneau"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Jonatan M\u00e4nnchen"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Uncontrolled Resource Consumption vulnerability in benoitc hackney allows Flooding.\u003cp\u003eThe SOCKS5 transport in \u003ctt\u003esrc/hackney_socks5.erl\u003c/tt\u003e correctly applies the caller-supplied timeout to the SOCKS5 negotiation phase, but then upgrades the connection to TLS using the two-argument form \u003ctt\u003essl:connect/2\u003c/tt\u003e, which defaults to an infinite timeout. The \u003ctt\u003eTimeout\u003c/tt\u003e value is in scope at the call site but is not forwarded. A hostile SOCKS5 proxy that completes the SOCKS5 handshake normally and then goes silent (or sends a partial TLS ServerHello and stalls) will cause the connecting process to block indefinitely, regardless of the \u003ctt\u003econnect_timeout\u003c/tt\u003e or \u003ctt\u003erecv_timeout\u003c/tt\u003e options supplied by the caller.\u003c/p\u003e\u003cp\u003eThis issue affects hackney: from 0.10.0 before 4.0.1.\u003c/p\u003e"
            }
          ],
          "value": "Uncontrolled Resource Consumption vulnerability in benoitc hackney allows Flooding. The SOCKS5 transport in src/hackney_socks5.erl correctly applies the caller-supplied timeout to the SOCKS5 negotiation phase, but then upgrades the connection to TLS using the two-argument form ssl:connect/2, which defaults to an infinite timeout. The Timeout value is in scope at the call site but is not forwarded. A hostile SOCKS5 proxy that completes the SOCKS5 handshake normally and then goes silent (or sends a partial TLS ServerHello and stalls) will cause the connecting process to block indefinitely, regardless of the connect_timeout or recv_timeout options supplied by the caller.\n\nThis issue affects hackney: from 0.10.0 before 4.0.1."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-130",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-130 Excessive Allocation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400 Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-26T19:46:41.765Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/benoitc/hackney/security/advisories/GHSA-gp9c-pm5m-5cxr"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-47071.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-47071"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/benoitc/hackney/commit/5ccdab725c561a6f03d05a51f2d0664f98236dae"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "SOCKS5 TLS upgrade ignores caller timeout in hackney",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-47071",
    "datePublished": "2026-05-25T14:00:41.112Z",
    "dateReserved": "2026-05-18T17:28:08.322Z",
    "dateUpdated": "2026-05-26T19:46:41.765Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-47066 (GCVE-0-2026-47066)

Vulnerability from cvelistv5 – Published: 2026-05-25 14:00 – Updated: 2026-05-26 19:46
Title
Infinite loop in Alt-Svc header parser in hackney
Summary
Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in benoitc hackney allows Excessive Allocation. The Alt-Svc response header parser in src/hackney_altsvc.erl does not guarantee forward progress. When parse_token/2 receives a non-token, non-whitespace, non-comma byte (e.g. !, @, =, ;), it returns the input unchanged. skip_comma/1 also returns the buffer unchanged when the first byte is not a comma. parse_entries/2 then recurses with identical data, creating a tight infinite tail-recursive loop that pins a scheduler at 100% CPU. The calling process never returns. The entry point parse_and_cache/3 is called synchronously in the connection process on every HTTP response. A single-byte Alt-Svc: ! response header is sufficient to trigger the hang; the header is fully controlled by any HTTP origin the client connects to. This issue affects hackney: from 2.0.0-beta.1 before 4.0.1.
CWE
  • CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Assigner
EEF
Impacted products
Vendor Product Version
benoitc hackney Affected: 2.0.0-beta.1, < 4.0.1 (semver)
    cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*
benoitc hackney Affected: 408e5fe20302226ea8c74dde2bcbd452d712b5b2, < e548aba1f97ffa3f4750da7b772998fb78c01894 (git)
    cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*
Credits
Peter Ullrich Benoit Chesneau Jonatan Männchen

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-47066",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-26T15:50:47.725364Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-26T15:50:51.330Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/benoitc/hackney/security/advisories/GHSA-6cp8-v795-jr2j"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "hackney_altsvc"
          ],
          "packageName": "hackney",
          "packageURL": "pkg:hex/hackney",
          "product": "hackney",
          "programFiles": [
            "src/hackney_altsvc.erl"
          ],
          "programRoutines": [
            {
              "name": "hackney_altsvc:parse_entries/2"
            },
            {
              "name": "hackney_altsvc:parse_entry/1"
            },
            {
              "name": "hackney_altsvc:parse_protocol/1"
            },
            {
              "name": "hackney_altsvc:parse_token/2"
            },
            {
              "name": "hackney_altsvc:skip_comma/1"
            }
          ],
          "repo": "https://github.com/benoitc/hackney",
          "vendor": "benoitc",
          "versions": [
            {
              "lessThan": "4.0.1",
              "status": "affected",
              "version": "2.0.0-beta.1",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "hackney_altsvc"
          ],
          "packageName": "benoitc/hackney",
          "packageURL": "pkg:github/benoitc/hackney",
          "product": "hackney",
          "programFiles": [
            "src/hackney_altsvc.erl"
          ],
          "programRoutines": [
            {
              "name": "hackney_altsvc:parse_entries/2"
            },
            {
              "name": "hackney_altsvc:parse_entry/1"
            },
            {
              "name": "hackney_altsvc:parse_protocol/1"
            },
            {
              "name": "hackney_altsvc:parse_token/2"
            },
            {
              "name": "hackney_altsvc:skip_comma/1"
            }
          ],
          "repo": "https://github.com/benoitc/hackney",
          "vendor": "benoitc",
          "versions": [
            {
              "lessThan": "e548aba1f97ffa3f4750da7b772998fb78c01894",
              "status": "affected",
              "version": "408e5fe20302226ea8c74dde2bcbd452d712b5b2",
              "versionType": "git"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.0.1",
                  "versionStartIncluding": "2.0.0-beta.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "AND"
            }
          ],
          "operator": "AND"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Peter Ullrich"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Benoit Chesneau"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Jonatan M\u00e4nnchen"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027) vulnerability in benoitc hackney allows Excessive Allocation.\u003cp\u003eThe Alt-Svc response header parser in \u003ctt\u003esrc/hackney_altsvc.erl\u003c/tt\u003e does not guarantee forward progress. When \u003ctt\u003eparse_token/2\u003c/tt\u003e receives a non-token, non-whitespace, non-comma byte (e.g. \u003ctt\u003e!\u003c/tt\u003e, \u003ctt\u003e@\u003c/tt\u003e, \u003ctt\u003e=\u003c/tt\u003e, \u003ctt\u003e;\u003c/tt\u003e), it returns the input unchanged. \u003ctt\u003eskip_comma/1\u003c/tt\u003e also returns the buffer unchanged when the first byte is not a comma. \u003ctt\u003eparse_entries/2\u003c/tt\u003e then recurses with identical data, creating a tight infinite tail-recursive loop that pins a scheduler at 100% CPU. The calling process never returns.\u003c/p\u003e\u003cp\u003eThe entry point \u003ctt\u003eparse_and_cache/3\u003c/tt\u003e is called synchronously in the connection process on every HTTP response. A single-byte \u003ctt\u003eAlt-Svc: !\u003c/tt\u003e response header is sufficient to trigger the hang; the header is fully controlled by any HTTP origin the client connects to.\u003c/p\u003e\u003cp\u003eThis issue affects hackney: from 2.0.0-beta.1 before 4.0.1.\u003c/p\u003e"
            }
          ],
          "value": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027) vulnerability in benoitc hackney allows Excessive Allocation. The Alt-Svc response header parser in src/hackney_altsvc.erl does not guarantee forward progress. When parse_token/2 receives a non-token, non-whitespace, non-comma byte (e.g. !, @, =, ;), it returns the input unchanged. skip_comma/1 also returns the buffer unchanged when the first byte is not a comma. parse_entries/2 then recurses with identical data, creating a tight infinite tail-recursive loop that pins a scheduler at 100% CPU. The calling process never returns.\n\nThe entry point parse_and_cache/3 is called synchronously in the connection process on every HTTP response. A single-byte Alt-Svc: ! response header is sufficient to trigger the hang; the header is fully controlled by any HTTP origin the client connects to.\n\nThis issue affects hackney: from 2.0.0-beta.1 before 4.0.1."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-130",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-130 Excessive Allocation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-835",
              "description": "CWE-835 Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-26T19:46:40.305Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/benoitc/hackney/security/advisories/GHSA-6cp8-v795-jr2j"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-47066.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-47066"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/benoitc/hackney/commit/e548aba1f97ffa3f4750da7b772998fb78c01894"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Infinite loop in Alt-Svc header parser in hackney",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-47066",
    "datePublished": "2026-05-25T14:00:39.707Z",
    "dateReserved": "2026-05-18T17:28:08.321Z",
    "dateUpdated": "2026-05-26T19:46:40.305Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-47069 (GCVE-0-2026-47069)

Vulnerability from cvelistv5 – Published: 2026-05-25 14:00 – Updated: 2026-05-26 19:46
Title
CRLF injection in cookie domain/path options in hackney
Summary
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in benoitc hackney allows HTTP Response Splitting. The hackney_cookie:setcookie/3 function in src/hackney_cookie.erl validates the Name and Value arguments against CRLF and control characters, but concatenates the domain and path options verbatim into the output iolist with no equivalent check. An attacker who controls either option — for example by supplying a Host header value forwarded as the cookie domain, or a request path forwarded as the cookie path — can inject a literal CRLF sequence and arbitrary additional Set-Cookie headers into the HTTP response. This issue affects hackney: from 0.9.0 before 4.0.1.
CWE
  • CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Assigner
EEF
Impacted products
Vendor Product Version
benoitc hackney Affected: 0.9.0, < 4.0.1 (semver)
    cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*
benoitc hackney Affected: 602d5c7f2ea4acbc83ed75230655d935a0750ebc, < 8e02b99c28aea1b3fa2ddc0e66f51fe5bb0ac540 (git)
    cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*
Credits
Peter Ullrich Benoit Chesneau Jonatan Männchen

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-47069",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-26T15:57:10.763778Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-26T15:57:18.662Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/benoitc/hackney/security/advisories/GHSA-mp55-p8c9-rfw2"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "hackney_cookie"
          ],
          "packageName": "hackney",
          "packageURL": "pkg:hex/hackney",
          "product": "hackney",
          "programFiles": [
            "src/hackney_cookie.erl"
          ],
          "programRoutines": [
            {
              "name": "hackney_cookie:setcookie/3"
            }
          ],
          "repo": "https://github.com/benoitc/hackney",
          "vendor": "benoitc",
          "versions": [
            {
              "lessThan": "4.0.1",
              "status": "affected",
              "version": "0.9.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "hackney_cookie"
          ],
          "packageName": "benoitc/hackney",
          "packageURL": "pkg:github/benoitc/hackney",
          "product": "hackney",
          "programFiles": [
            "src/hackney_cookie.erl"
          ],
          "programRoutines": [
            {
              "name": "hackney_cookie:setcookie/3"
            }
          ],
          "repo": "https://github.com/benoitc/hackney",
          "vendor": "benoitc",
          "versions": [
            {
              "lessThan": "8e02b99c28aea1b3fa2ddc0e66f51fe5bb0ac540",
              "status": "affected",
              "version": "602d5c7f2ea4acbc83ed75230655d935a0750ebc",
              "versionType": "git"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.0.1",
                  "versionStartIncluding": "0.9.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "AND"
            }
          ],
          "operator": "AND"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Peter Ullrich"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Benoit Chesneau"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Jonatan M\u00e4nnchen"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027) vulnerability in benoitc hackney allows HTTP Response Splitting.\u003cp\u003eThe \u003ctt\u003ehackney_cookie:setcookie/3\u003c/tt\u003e function in \u003ctt\u003esrc/hackney_cookie.erl\u003c/tt\u003e validates the \u003ctt\u003eName\u003c/tt\u003e and \u003ctt\u003eValue\u003c/tt\u003e arguments against CRLF and control characters, but concatenates the \u003ctt\u003edomain\u003c/tt\u003e and \u003ctt\u003epath\u003c/tt\u003e options verbatim into the output iolist with no equivalent check. An attacker who controls either option \u2014 for example by supplying a \u003ctt\u003eHost\u003c/tt\u003e header value forwarded as the cookie domain, or a request path forwarded as the cookie path \u2014 can inject a literal CRLF sequence and arbitrary additional \u003ctt\u003eSet-Cookie\u003c/tt\u003e headers into the HTTP response.\u003c/p\u003e\u003cp\u003eThis issue affects hackney: from 0.9.0 before 4.0.1.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027) vulnerability in benoitc hackney allows HTTP Response Splitting. The hackney_cookie:setcookie/3 function in src/hackney_cookie.erl validates the Name and Value arguments against CRLF and control characters, but concatenates the domain and path options verbatim into the output iolist with no equivalent check. An attacker who controls either option \u2014 for example by supplying a Host header value forwarded as the cookie domain, or a request path forwarded as the cookie path \u2014 can inject a literal CRLF sequence and arbitrary additional Set-Cookie headers into the HTTP response.\n\nThis issue affects hackney: from 0.9.0 before 4.0.1."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-34",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-34 HTTP Response Splitting"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 2.1,
            "baseSeverity": "LOW",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-93",
              "description": "CWE-93 Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-26T19:46:39.859Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/benoitc/hackney/security/advisories/GHSA-mp55-p8c9-rfw2"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-47069.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-47069"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/benoitc/hackney/commit/8e02b99c28aea1b3fa2ddc0e66f51fe5bb0ac540"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "CRLF injection in cookie domain/path options in hackney",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-47069",
    "datePublished": "2026-05-25T14:00:39.394Z",
    "dateReserved": "2026-05-18T17:28:08.322Z",
    "dateUpdated": "2026-05-26T19:46:39.859Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-47068 (GCVE-0-2026-47068)

Vulnerability from cvelistv5 – Published: 2026-05-20 13:35 – Updated: 2026-05-22 04:38
Title
Cross-session PubSub topic injection via URL parameter in phoenix_storybook
Summary
Authorization Bypass Through User-Controlled Key vulnerability in phenixdigital phoenix_storybook allows cross-session PubSub topic injection via a URL query parameter. 'Elixir.PhoenixStorybook.Story.ComponentIframeLive':handle_params/3 in lib/phoenix_storybook/live/story/component_iframe_live.ex reads a PubSub topic directly from params["topic"] and broadcasts {:component_iframe_pid, self()} on it with no check that the topic belongs to the requesting session. The shared PhoenixStorybook.PubSub is used to coordinate playground LiveViews with their iframes: a playground subscribes to a session-specific topic and uses the received iframe pid to direct subsequent control messages (variation state, theme switches, extra-assign payloads) via send/2. Because the iframe trusts the query parameter, an attacker who loads /storybook/iframe/<story>?topic=<victim_topic> causes their iframe process pid to be announced on the victim's topic. The victim's playground then addresses its private messages to the attacker's iframe process. This issue affects phoenix_storybook from 0.4.0 before 1.1.0.
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
EEF
Impacted products
Vendor Product Version
phenixdigital phoenix_storybook Affected: 0.4.0 , < 1.1.0 (semver)
    cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*
phenixdigital phoenix_storybook Affected: 8c2c97b0f505780fee4069988bf86736f51d35d7 , < 6ee03f1c738d4436dde1b066cf65c80663d489f5 (git)
    cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*
Credits
Peter Ullrich Christian Blavier Jonatan Männchen

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-47068",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-21T13:59:23.206364Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-21T13:59:48.062Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/phenixdigital/phoenix_storybook/security/advisories/GHSA-mrhx-6pw9-q5fh"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.PhoenixStorybook.Story.ComponentIframeLive\u0027"
          ],
          "packageName": "phoenix_storybook",
          "packageURL": "pkg:hex/phoenix_storybook",
          "product": "phoenix_storybook",
          "programFiles": [
            "lib/phoenix_storybook/live/story/component_iframe_live.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.PhoenixStorybook.Story.ComponentIframeLive\u0027:handle_params/3"
            }
          ],
          "repo": "https://github.com/phenixdigital/phoenix_storybook",
          "vendor": "phenixdigital",
          "versions": [
            {
              "lessThan": "1.1.0",
              "status": "affected",
              "version": "0.4.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.PhoenixStorybook.Story.ComponentIframeLive\u0027"
          ],
          "packageName": "phenixdigital/phoenix_storybook",
          "packageURL": "pkg:github/phenixdigital/phoenix_storybook",
          "product": "phoenix_storybook",
          "programFiles": [
            "lib/phoenix_storybook/live/story/component_iframe_live.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.PhoenixStorybook.Story.ComponentIframeLive\u0027:handle_params/3"
            }
          ],
          "repo": "https://github.com/phenixdigital/phoenix_storybook",
          "vendor": "phenixdigital",
          "versions": [
            {
              "lessThan": "6ee03f1c738d4436dde1b066cf65c80663d489f5",
              "status": "affected",
              "version": "8c2c97b0f505780fee4069988bf86736f51d35d7",
              "versionType": "git"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.1.0",
                  "versionStartIncluding": "0.4.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Peter Ullrich"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Christian Blavier"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Jonatan M\u00e4nnchen"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAuthorization Bypass Through User-Controlled Key vulnerability in phenixdigital phoenix_storybook allows cross-session PubSub topic injection via a URL query parameter.\u003c/p\u003e\u003cp\u003e\u003ctt\u003e\u0027Elixir.PhoenixStorybook.Story.ComponentIframeLive\u0027:handle_params/3\u003c/tt\u003e in \u003ctt\u003elib/phoenix_storybook/live/story/component_iframe_live.ex\u003c/tt\u003e reads a PubSub topic directly from \u003ctt\u003eparams[\"topic\"]\u003c/tt\u003e and broadcasts \u003ctt\u003e{:component_iframe_pid, self()}\u003c/tt\u003e on it with no check that the topic belongs to the requesting session. The shared \u003ctt\u003ePhoenixStorybook.PubSub\u003c/tt\u003e is used to coordinate playground LiveViews with their iframes: a playground subscribes to a session-specific topic and uses the received iframe pid to direct subsequent control messages (variation state, theme switches, extra-assign payloads) via \u003ctt\u003esend/2\u003c/tt\u003e. Because the iframe trusts the query parameter, an attacker who loads \u003ctt\u003e/storybook/iframe/\u0026lt;story\u0026gt;?topic=\u0026lt;victim_topic\u0026gt;\u003c/tt\u003e causes their iframe process pid to be announced on the victim\u0027s topic. The victim\u0027s playground then addresses its private messages to the attacker\u0027s iframe process.\u003c/p\u003e\u003cp\u003eThis issue affects phoenix_storybook from 0.4.0 before 1.1.0.\u003c/p\u003e"
            }
          ],
          "value": "Authorization Bypass Through User-Controlled Key vulnerability in phenixdigital phoenix_storybook allows cross-session PubSub topic injection via a URL query parameter.\n\n\u0027Elixir.PhoenixStorybook.Story.ComponentIframeLive\u0027:handle_params/3 in lib/phoenix_storybook/live/story/component_iframe_live.ex reads a PubSub topic directly from params[\"topic\"] and broadcasts {:component_iframe_pid, self()} on it with no check that the topic belongs to the requesting session. The shared PhoenixStorybook.PubSub is used to coordinate playground LiveViews with their iframes: a playground subscribes to a session-specific topic and uses the received iframe pid to direct subsequent control messages (variation state, theme switches, extra-assign payloads) via send/2. Because the iframe trusts the query parameter, an attacker who loads /storybook/iframe/\u003cstory\u003e?topic=\u003cvictim_topic\u003e causes their iframe process pid to be announced on the victim\u0027s topic. The victim\u0027s playground then addresses its private messages to the attacker\u0027s iframe process.\n\nThis issue affects phoenix_storybook from 0.4.0 before 1.1.0."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-12",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-12 Choosing Message Identifier"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 2.3,
            "baseSeverity": "LOW",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-22T04:38:28.149Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/phenixdigital/phoenix_storybook/security/advisories/GHSA-mrhx-6pw9-q5fh"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-47068.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-47068"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/phenixdigital/phoenix_storybook/commit/6ee03f1c738d4436dde1b066cf65c80663d489f5"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Cross-session PubSub topic injection via URL parameter in phoenix_storybook",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-47068",
    "datePublished": "2026-05-20T13:35:33.215Z",
    "dateReserved": "2026-05-18T17:28:08.321Z",
    "dateUpdated": "2026-05-22T04:38:28.149Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-8467 (GCVE-0-2026-8467)

Vulnerability from cvelistv5 – Published: 2026-05-20 13:35 – Updated: 2026-05-22 04:38
Title
Unauthenticated remote code execution via HEEx template injection in phoenix_storybook playground
Summary
Code Injection vulnerability in phenixdigital phoenix_storybook allows unauthenticated remote code execution via unsanitized attribute value interpolation in HEEx template generation. The psb-assign WebSocket event handler in 'Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive':handle_event/3 accepts arbitrary attribute names and values from unauthenticated clients. These values are passed to 'Elixir.PhoenixStorybook.Helpers.ExtraAssignsHelpers':handle_set_variation_assign/3, which stores them verbatim. When rendering, 'Elixir.PhoenixStorybook.Rendering.ComponentRenderer':attributes_markup/1 interpolates binary attribute values directly into a HEEx template string as name="<val>" without escaping double quotes or HEEx expression delimiters. An attacker can supply a value containing a closing quote followed by a HEEx expression block (e.g. foo" injected={EXPR} bar="), which causes EXPR to be treated as an inline Elixir expression. The resulting template is compiled via EEx.compile_string/2 and executed via Code.eval_quoted_with_env/3 with full Kernel imports and no sandbox, giving the attacker arbitrary code execution on the server. This issue affects phoenix_storybook from 0.5.0 before 1.1.0.
CWE
  • CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
EEF
Impacted products
Vendor Product Version
phenixdigital phoenix_storybook Affected: 0.5.0 , < 1.1.0 (semver)
    cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*
phenixdigital phoenix_storybook Affected: e35379dfe2ef1a71b141899e36f431017c55265d , < 56ab8464d4375fa52db806148a06cce126ad481d (git)
    cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*
Credits
Nick Mykhailyshyn Cenk Kücük Christian Blavier Jonatan Männchen

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-8467",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-21T13:57:52.803277Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-21T13:58:36.035Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/phenixdigital/phoenix_storybook/security/advisories/GHSA-55hg-8qxv-qj4p"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "Elixir.PhoenixStorybook.Rendering.ComponentRenderer",
            "Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive",
            "Elixir.PhoenixStorybook.Helpers.ExtraAssignsHelpers"
          ],
          "packageName": "phoenix_storybook",
          "packageURL": "pkg:hex/phoenix_storybook",
          "product": "phoenix_storybook",
          "programFiles": [
            "lib/phoenix_storybook/rendering/component_renderer.ex",
            "lib/phoenix_storybook/live/story/playground_preview_live.ex",
            "lib/phoenix_storybook/helpers/extra_assigns_helpers.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.PhoenixStorybook.Rendering.ComponentRenderer\u0027:attributes_markup/1"
            },
            {
              "name": "\u0027Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive\u0027:handle_event/3"
            },
            {
              "name": "\u0027Elixir.PhoenixStorybook.Helpers.ExtraAssignsHelpers\u0027:handle_set_variation_assign/3"
            }
          ],
          "repo": "https://github.com/phenixdigital/phoenix_storybook",
          "vendor": "phenixdigital",
          "versions": [
            {
              "lessThan": "1.1.0",
              "status": "affected",
              "version": "0.5.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "Elixir.PhoenixStorybook.Rendering.ComponentRenderer",
            "Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive",
            "Elixir.PhoenixStorybook.Helpers.ExtraAssignsHelpers"
          ],
          "packageName": "phenixdigital/phoenix_storybook",
          "packageURL": "pkg:github/phenixdigital/phoenix_storybook",
          "product": "phoenix_storybook",
          "programFiles": [
            "lib/phoenix_storybook/rendering/component_renderer.ex",
            "lib/phoenix_storybook/live/story/playground_preview_live.ex",
            "lib/phoenix_storybook/helpers/extra_assigns_helpers.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.PhoenixStorybook.Rendering.ComponentRenderer\u0027:attributes_markup/1"
            },
            {
              "name": "\u0027Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive\u0027:handle_event/3"
            },
            {
              "name": "\u0027Elixir.PhoenixStorybook.Helpers.ExtraAssignsHelpers\u0027:handle_set_variation_assign/3"
            }
          ],
          "repo": "https://github.com/phenixdigital/phoenix_storybook",
          "vendor": "phenixdigital",
          "versions": [
            {
              "lessThan": "56ab8464d4375fa52db806148a06cce126ad481d",
              "status": "affected",
              "version": "e35379dfe2ef1a71b141899e36f431017c55265d",
              "versionType": "git"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.1.0",
                  "versionStartIncluding": "0.5.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Nick Mykhailyshyn"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Cenk K\u00fcc\u00fck"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Christian Blavier"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Jonatan M\u00e4nnchen"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eCode Injection vulnerability in phenixdigital phoenix_storybook allows unauthenticated remote code execution via unsanitized attribute value interpolation in HEEx template generation.\u003c/p\u003e\u003cp\u003eThe \u003ctt\u003epsb-assign\u003c/tt\u003e WebSocket event handler in \u003ctt\u003e\u0027Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive\u0027:handle_event/3\u003c/tt\u003e accepts arbitrary attribute names and values from unauthenticated clients. These values are passed to \u003ctt\u003e\u0027Elixir.PhoenixStorybook.Helpers.ExtraAssignsHelpers\u0027:handle_set_variation_assign/3\u003c/tt\u003e, which stores them verbatim. When rendering, \u003ctt\u003e\u0027Elixir.PhoenixStorybook.Rendering.ComponentRenderer\u0027:attributes_markup/1\u003c/tt\u003e interpolates binary attribute values directly into a HEEx template string as \u003ctt\u003ename=\"\u0026lt;val\u0026gt;\"\u003c/tt\u003e without escaping double quotes or HEEx expression delimiters. An attacker can supply a value containing a closing quote followed by a HEEx expression block (e.g. \u003ctt\u003efoo\" injected={EXPR} bar=\"\u003c/tt\u003e), which causes \u003ctt\u003eEXPR\u003c/tt\u003e to be treated as an inline Elixir expression. The resulting template is compiled via \u003ctt\u003eEEx.compile_string/2\u003c/tt\u003e and executed via \u003ctt\u003eCode.eval_quoted_with_env/3\u003c/tt\u003e with full \u003ctt\u003eKernel\u003c/tt\u003e imports and no sandbox, giving the attacker arbitrary code execution on the server.\u003c/p\u003e\u003cp\u003eThis issue affects phoenix_storybook from 0.5.0 before 1.1.0.\u003c/p\u003e"
            }
          ],
          "value": "Code Injection vulnerability in phenixdigital phoenix_storybook allows unauthenticated remote code execution via unsanitized attribute value interpolation in HEEx template generation.\n\nThe psb-assign WebSocket event handler in \u0027Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive\u0027:handle_event/3 accepts arbitrary attribute names and values from unauthenticated clients. These values are passed to \u0027Elixir.PhoenixStorybook.Helpers.ExtraAssignsHelpers\u0027:handle_set_variation_assign/3, which stores them verbatim. When rendering, \u0027Elixir.PhoenixStorybook.Rendering.ComponentRenderer\u0027:attributes_markup/1 interpolates binary attribute values directly into a HEEx template string as name=\"\u003cval\u003e\" without escaping double quotes or HEEx expression delimiters. An attacker can supply a value containing a closing quote followed by a HEEx expression block (e.g. foo\" injected={EXPR} bar=\"), which causes EXPR to be treated as an inline Elixir expression. The resulting template is compiled via EEx.compile_string/2 and executed via Code.eval_quoted_with_env/3 with full Kernel imports and no sandbox, giving the attacker arbitrary code execution on the server.\n\nThis issue affects phoenix_storybook from 0.5.0 before 1.1.0."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-242",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-242 Code Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 9.5,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-22T04:38:10.372Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/phenixdigital/phoenix_storybook/security/advisories/GHSA-55hg-8qxv-qj4p"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-8467.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-8467"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/phenixdigital/phoenix_storybook/commit/56ab8464d4375fa52db806148a06cce126ad481d"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Unauthenticated remote code execution via HEEx template injection in phoenix_storybook playground",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-8467",
    "datePublished": "2026-05-20T13:35:29.018Z",
    "dateReserved": "2026-05-13T11:44:40.790Z",
    "dateUpdated": "2026-05-22T04:38:10.372Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-8469 (GCVE-0-2026-8469)

Vulnerability from cvelistv5 – Published: 2026-05-20 13:35 – Updated: 2026-05-22 04:38
Title
Unauthenticated denial-of-service via BEAM atom table exhaustion in phoenix_storybook
Summary
Allocation of Resources Without Limits or Throttling vulnerability in phenixdigital phoenix_storybook allows unauthenticated denial-of-service via BEAM atom table exhaustion. Multiple LiveView event handlers convert user-supplied event parameter strings to atoms using String.to_atom/1 without validation: 'Elixir.PhoenixStorybook.ExtraAssignsHelpers':handle_set_variation_assign/3 interns every key of the psb-assign params map; 'Elixir.PhoenixStorybook.ExtraAssignsHelpers':handle_toggle_variation_assign/3 interns the "attr" value from psb-toggle events; 'Elixir.PhoenixStorybook.ExtraAssignsHelpers':to_variation_id/2 interns elements of "variation_id"; and 'Elixir.PhoenixStorybook.ExtraAssignsHelpers':to_value/4 interns raw string values for attributes declared as :atom or :boolean. BEAM atoms are never garbage-collected, so each unique attacker-controlled string is a permanent allocation. Once the atom table ceiling (~1,048,576 atoms) is reached, the entire BEAM node aborts, taking down all applications running on it. This issue affects phoenix_storybook from 0.2.0 before 1.1.0.
CWE
  • CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
EEF
Impacted products
Vendor Product Version
phenixdigital phoenix_storybook Affected: 0.2.0 , < 1.1.0 (semver)
    cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*
phenixdigital phoenix_storybook Affected: 0228669d55c23a754d1ef11f49a32121129d5395 , < 96d524690af0fe197a49f60d18e564a620b9ef81 (git)
    cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*
Credits
Peter Ullrich Christian Blavier Jonatan Männchen

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-8469",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-21T13:55:42.783019Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-21T13:56:33.631Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/phenixdigital/phoenix_storybook/security/advisories/GHSA-833p-95jq-929q"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "Elixir.PhoenixStorybook.ExtraAssignsHelpers",
            "Elixir.PhoenixStorybook.Story.Playground"
          ],
          "packageName": "phoenix_storybook",
          "packageURL": "pkg:hex/phoenix_storybook",
          "product": "phoenix_storybook",
          "programFiles": [
            "lib/phoenix_storybook/helpers/extra_assigns_helpers.ex",
            "lib/phx_live_storybook/live/entry_live.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:handle_set_variation_assign/3"
            },
            {
              "name": "\u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:handle_toggle_variation_assign/3"
            },
            {
              "name": "\u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:to_variation_id/2"
            },
            {
              "name": "\u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:to_value/4"
            }
          ],
          "repo": "https://github.com/phenixdigital/phoenix_storybook",
          "vendor": "phenixdigital",
          "versions": [
            {
              "lessThan": "1.1.0",
              "status": "affected",
              "version": "0.2.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "Elixir.PhoenixStorybook.ExtraAssignsHelpers",
            "Elixir.PhoenixStorybook.Story.Playground"
          ],
          "packageName": "phenixdigital/phoenix_storybook",
          "packageURL": "pkg:github/phenixdigital/phoenix_storybook",
          "product": "phoenix_storybook",
          "programFiles": [
            "lib/phoenix_storybook/helpers/extra_assigns_helpers.ex",
            "lib/phx_live_storybook/live/entry_live.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:handle_set_variation_assign/3"
            },
            {
              "name": "\u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:handle_toggle_variation_assign/3"
            },
            {
              "name": "\u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:to_variation_id/2"
            },
            {
              "name": "\u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:to_value/4"
            }
          ],
          "repo": "https://github.com/phenixdigital/phoenix_storybook",
          "vendor": "phenixdigital",
          "versions": [
            {
              "lessThan": "96d524690af0fe197a49f60d18e564a620b9ef81",
              "status": "affected",
              "version": "0228669d55c23a754d1ef11f49a32121129d5395",
              "versionType": "git"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "value": "Phoenix Storybook must be mounted on a network-reachable route."
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:phenixdigital:phoenix_storybook:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.1.0",
                  "versionStartIncluding": "0.2.0",
                  "vulnerable": true
                }
              ],
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Peter Ullrich"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Christian Blavier"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Jonatan M\u00e4nnchen"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAllocation of Resources Without Limits or Throttling vulnerability in phenixdigital phoenix_storybook allows unauthenticated denial-of-service via BEAM atom table exhaustion.\u003c/p\u003e\u003cp\u003eMultiple LiveView event handlers convert user-supplied event parameter strings to atoms using \u003ctt\u003eString.to_atom/1\u003c/tt\u003e without validation: \u003ctt\u003e\u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:handle_set_variation_assign/3\u003c/tt\u003e interns every key of the \u003ctt\u003epsb-assign\u003c/tt\u003e params map; \u003ctt\u003e\u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:handle_toggle_variation_assign/3\u003c/tt\u003e interns the \u003ctt\u003e\"attr\"\u003c/tt\u003e value from \u003ctt\u003epsb-toggle\u003c/tt\u003e events; \u003ctt\u003e\u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:to_variation_id/2\u003c/tt\u003e interns elements of \u003ctt\u003e\"variation_id\"\u003c/tt\u003e; and \u003ctt\u003e\u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:to_value/4\u003c/tt\u003e interns raw string values for attributes declared as \u003ctt\u003e:atom\u003c/tt\u003e or \u003ctt\u003e:boolean\u003c/tt\u003e. BEAM atoms are never garbage-collected, so each unique attacker-controlled string is a permanent allocation. Once the atom table ceiling (~1,048,576 atoms) is reached, the entire BEAM node aborts, taking down all applications running on it.\u003c/p\u003e\u003cp\u003eThis issue affects phoenix_storybook from 0.2.0 before 1.1.0.\u003c/p\u003e"
            }
          ],
          "value": "Allocation of Resources Without Limits or Throttling vulnerability in phenixdigital phoenix_storybook allows unauthenticated denial-of-service via BEAM atom table exhaustion.\n\nMultiple LiveView event handlers convert user-supplied event parameter strings to atoms using String.to_atom/1 without validation: \u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:handle_set_variation_assign/3 interns every key of the psb-assign params map; \u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:handle_toggle_variation_assign/3 interns the \"attr\" value from psb-toggle events; \u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:to_variation_id/2 interns elements of \"variation_id\"; and \u0027Elixir.PhoenixStorybook.ExtraAssignsHelpers\u0027:to_value/4 interns raw string values for attributes declared as :atom or :boolean. BEAM atoms are never garbage-collected, so each unique attacker-controlled string is a permanent allocation. Once the atom table ceiling (~1,048,576 atoms) is reached, the entire BEAM node aborts, taking down all applications running on it.\n\nThis issue affects phoenix_storybook from 0.2.0 before 1.1.0."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-130",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-130 Excessive Allocation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-22T04:38:05.472Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/phenixdigital/phoenix_storybook/security/advisories/GHSA-833p-95jq-929q"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-8469.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-8469"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/phenixdigital/phoenix_storybook/commit/96d524690af0fe197a49f60d18e564a620b9ef81"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Unauthenticated denial-of-service via BEAM atom table exhaustion in phoenix_storybook",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-8469",
    "datePublished": "2026-05-20T13:35:27.914Z",
    "dateReserved": "2026-05-13T11:44:43.316Z",
    "dateUpdated": "2026-05-22T04:38:05.472Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-8468 (GCVE-0-2026-8468)

Vulnerability from cvelistv5 – Published: 2026-05-14 10:29 – Updated: 2026-05-15 04:33
Title
Unbounded buffer accumulation in multipart header parsing causes denial of service in plug
Summary
Allocation of Resources Without Limits or Throttling vulnerability in plug_project plug allows denial of service via unbounded buffer accumulation in multipart header parsing. 'Elixir.Plug.Conn':read_part_headers/2 in lib/plug/conn.ex does not obey its :length parameter. There is no upper bound on the size of the accumulated buffer. By contrast, the sibling function read_part_body has an explicit byte_size(acc) > length guard that stops accumulation once a limit is reached. No such guard exists in read_part_headers. An unauthenticated remote attacker can exhaust server memory by sending a crafted multipart/form-data request, causing a denial of service. This issue affects plug from 1.4.0 before 1.15.4, 1.16.3, 1.17.1, 1.18.2, and 1.19.2.
CWE
  • CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
EEF
Impacted products
Vendor Product Version
elixir-plug plug Affected: 1.4.0 , < 1.15.4 (semver)
Affected: 1.16.0 , < 1.16.3 (semver)
Affected: 1.17.0 , < 1.17.1 (semver)
Affected: 1.18.0 , < 1.18.2 (semver)
Affected: 1.19.0 , < 1.19.2 (semver)
    cpe:2.3:a:plug_project:plug:*:*:*:*:*:*:*:*
elixir-plug plug Affected: c52b2f32c90bccd718202bafccb5f95594e30183 , < * (git)
    cpe:2.3:a:plug_project:plug:*:*:*:*:*:*:*:*
Credits
José Valim José Valim Jonatan Männchen

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-8468",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-14T17:53:52.632415Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-14T17:54:23.302Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:plug_project:plug:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "Elixir.Plug.Conn"
          ],
          "packageName": "plug",
          "packageURL": "pkg:hex/plug",
          "product": "plug",
          "programFiles": [
            "lib/plug/conn.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.Plug.Conn\u0027:read_part_headers/2"
            }
          ],
          "repo": "https://github.com/elixir-plug/plug",
          "vendor": "elixir-plug",
          "versions": [
            {
              "lessThan": "1.15.4",
              "status": "affected",
              "version": "1.4.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.16.3",
              "status": "affected",
              "version": "1.16.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.17.1",
              "status": "affected",
              "version": "1.17.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.18.2",
              "status": "affected",
              "version": "1.18.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.19.2",
              "status": "affected",
              "version": "1.19.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:plug_project:plug:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "Elixir.Plug.Conn"
          ],
          "packageName": "elixir-plug/plug",
          "packageURL": "pkg:github/elixir-plug/plug",
          "product": "plug",
          "programFiles": [
            "lib/plug/conn.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.Plug.Conn\u0027:read_part_headers/2"
            }
          ],
          "repo": "https://github.com/elixir-plug/plug",
          "vendor": "elixir-plug",
          "versions": [
            {
              "changes": [
                {
                  "at": "2cb7958d33030aa826b0c7404375844d4593d43a",
                  "status": "unaffected"
                },
                {
                  "at": "aa69c5ece99c40ded88b8c6581ecc86664b0b734",
                  "status": "unaffected"
                },
                {
                  "at": "d5dfffe25e975585227b1b85d247b0d14164bc45",
                  "status": "unaffected"
                },
                {
                  "at": "df812a1527bae9e941965e897308a2b8bbf83a94",
                  "status": "unaffected"
                },
                {
                  "at": "33858427c7f2737d560a2e40a0c9a9270d77d1d7",
                  "status": "unaffected"
                }
              ],
              "lessThan": "*",
              "status": "affected",
              "version": "c52b2f32c90bccd718202bafccb5f95594e30183",
              "versionType": "git"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe application must use \u003ctt\u003ePlug.Parsers\u003c/tt\u003e with the \u003ctt\u003e:multipart\u003c/tt\u003e parser, or otherwise call \u003ctt\u003ePlug.Conn.read_part_headers/2\u003c/tt\u003e to process \u003ctt\u003emultipart/form-data\u003c/tt\u003e request bodies. Deployments that do not handle multipart uploads are not affected.\u003c/p\u003e"
            }
          ],
          "value": "The application must use Plug.Parsers with the :multipart parser, or otherwise call Plug.Conn.read_part_headers/2 to process multipart/form-data request bodies. Deployments that do not handle multipart uploads are not affected."
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:plug_project:plug:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.15.4",
                  "versionStartIncluding": "1.4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:plug_project:plug:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.16.3",
                  "versionStartIncluding": "1.16.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:plug_project:plug:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.17.1",
                  "versionStartIncluding": "1.17.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:plug_project:plug:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.18.2",
                  "versionStartIncluding": "1.18.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:plug_project:plug:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.19.2",
                  "versionStartIncluding": "1.19.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "AND"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Jos\u00e9 Valim"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Jos\u00e9 Valim"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Jonatan M\u00e4nnchen"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAllocation of Resources Without Limits or Throttling vulnerability in plug_project plug allows denial of service via unbounded buffer accumulation in multipart header parsing.\u003c/p\u003e\u003cp\u003e\u003ctt\u003e\u0027Elixir.Plug.Conn\u0027:read_part_headers/2\u003c/tt\u003e in \u003ctt\u003elib/plug/conn.ex\u003c/tt\u003e does not obey its \u003ctt\u003e:length\u003c/tt\u003e parameter. There is no upper bound on the size of the accumulated buffer. By contrast, the sibling function \u003ctt\u003eread_part_body\u003c/tt\u003e has an explicit \u003ctt\u003ebyte_size(acc) \u0026gt; length\u003c/tt\u003e guard that stops accumulation once a limit is reached. No such guard exists in \u003ctt\u003eread_part_headers\u003c/tt\u003e. An unauthenticated remote attacker can exhaust server memory by sending a crafted \u003ctt\u003emultipart/form-data\u003c/tt\u003e request, causing a denial of service.\u003c/p\u003e\u003cp\u003eThis issue affects plug from 1.4.0 before 1.15.4, 1.16.3, 1.17.1, 1.18.2, and 1.19.2.\u003c/p\u003e"
            }
          ],
          "value": "Allocation of Resources Without Limits or Throttling vulnerability in plug_project plug allows denial of service via unbounded buffer accumulation in multipart header parsing.\n\n\u0027Elixir.Plug.Conn\u0027:read_part_headers/2 in lib/plug/conn.ex does not obey its :length parameter. There is no upper bound on the size of the accumulated buffer. By contrast, the sibling function read_part_body has an explicit byte_size(acc) \u003e length guard that stops accumulation once a limit is reached. No such guard exists in read_part_headers. An unauthenticated remote attacker can exhaust server memory by sending a crafted multipart/form-data request, causing a denial of service.\n\nThis issue affects plug from 1.4.0 before 1.15.4, 1.16.3, 1.17.1, 1.18.2, and 1.19.2."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-130",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-130 Excessive Allocation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-15T04:33:16.325Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/elixir-plug/plug/security/advisories/GHSA-468c-vq7p-gh64"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-8468.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-8468"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-8466.html"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/elixir-plug/plug/commit/2cb7958d33030aa826b0c7404375844d4593d43a"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/elixir-plug/plug/commit/aa69c5ece99c40ded88b8c6581ecc86664b0b734"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/elixir-plug/plug/commit/d5dfffe25e975585227b1b85d247b0d14164bc45"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/elixir-plug/plug/commit/df812a1527bae9e941965e897308a2b8bbf83a94"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/elixir-plug/plug/commit/33858427c7f2737d560a2e40a0c9a9270d77d1d7"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "Unbounded buffer accumulation in multipart header parsing causes denial of service in plug",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-8468",
    "datePublished": "2026-05-14T10:29:51.062Z",
    "dateReserved": "2026-05-13T11:44:42.164Z",
    "dateUpdated": "2026-05-15T04:33:16.325Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-43970 (GCVE-0-2026-43970)

Vulnerability from cvelistv5 – Published: 2026-05-13 18:43 – Updated: 2026-05-15 04:33
Title
Decompression Bomb in cow_spdy:inflate/2 Allows Memory Exhaustion via Crafted SPDY Frame
Summary
Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in ninenines cowlib allows unauthenticated remote denial of service via memory exhaustion. cow_spdy:inflate/2 in cowlib passes peer-supplied compressed bytes directly to zlib:inflate/2 with no output size bound. The SPDY header compression dictionary (?ZDICT) is public, and zlib compresses long runs of repeated bytes at roughly 1024:1, so a few kilobytes of SPDY frame payload can decompress to gigabytes on the BEAM heap, OOM-killing the node. A single unauthenticated SPDY frame is sufficient to trigger the condition. The parsers for syn_stream, syn_reply, and headers frame types are all affected via cow_spdy:parse_headers/2. This issue affects cowlib from 0.1.0 before 2.16.1.
CWE
  • CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)
Assigner
EEF
Impacted products
Vendor Product Version
ninenines cowlib Affected: 0.1.0 , < 2.16.1 (semver)
    cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*
ninenines cowlib Affected: fad5c0049df278cc498b6cdb519b09e845a070a8 , < 16aad3fb9f81f5cda4d1706ff0c54237c619c282 (git)
    cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*
Credits
Peter Ullrich Loïc Hoguin

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-43970",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-14T12:38:59.086048Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-14T12:39:10.669Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "cow_spdy"
          ],
          "packageName": "cowlib",
          "packageURL": "pkg:hex/cowlib",
          "product": "cowlib",
          "programFiles": [
            "src/cow_spdy.erl"
          ],
          "programRoutines": [
            {
              "name": "cow_spdy:parse/2"
            },
            {
              "name": "cow_spdy:inflate/2"
            },
            {
              "name": "cow_spdy:parse_headers/2"
            },
            {
              "name": "cow_spdy:parse_headers/4"
            }
          ],
          "repo": "https://github.com/ninenines/cowlib",
          "vendor": "ninenines",
          "versions": [
            {
              "lessThan": "2.16.1",
              "status": "affected",
              "version": "0.1.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "cow_spdy"
          ],
          "packageName": "ninenines/cowlib",
          "packageURL": "pkg:github/ninenines/cowlib",
          "product": "cowlib",
          "programFiles": [
            "src/cow_spdy.erl"
          ],
          "programRoutines": [
            {
              "name": "cow_spdy:parse/2"
            },
            {
              "name": "cow_spdy:inflate/2"
            },
            {
              "name": "cow_spdy:parse_headers/2"
            },
            {
              "name": "cow_spdy:parse_headers/4"
            }
          ],
          "repo": "https://github.com/ninenines/cowlib",
          "vendor": "ninenines",
          "versions": [
            {
              "lessThan": "16aad3fb9f81f5cda4d1706ff0c54237c619c282",
              "status": "affected",
              "version": "fad5c0049df278cc498b6cdb519b09e845a070a8",
              "versionType": "git"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe application must use \u003ctt\u003ecow_spdy:parse/2\u003c/tt\u003e to parse SPDY frames from an untrusted peer. cowboy itself does not use \u003ctt\u003ecow_spdy\u003c/tt\u003e; only direct callers of the \u003ctt\u003ecow_spdy\u003c/tt\u003e API are affected.\u003c/p\u003e"
            }
          ],
          "value": "The application must use cow_spdy:parse/2 to parse SPDY frames from an untrusted peer. cowboy itself does not use cow_spdy; only direct callers of the cow_spdy API are affected."
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.16.1",
                  "versionStartIncluding": "0.1.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Peter Ullrich"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Lo\u00efc Hoguin"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eImproper Handling of Highly Compressed Data (Data Amplification) vulnerability in ninenines cowlib allows unauthenticated remote denial of service via memory exhaustion.\u003c/p\u003e\u003cp\u003e\u003ctt\u003ecow_spdy:inflate/2\u003c/tt\u003e in cowlib passes peer-supplied compressed bytes directly to \u003ctt\u003ezlib:inflate/2\u003c/tt\u003e with no output size bound. The SPDY header compression dictionary (\u003ctt\u003e?ZDICT\u003c/tt\u003e) is public, and zlib compresses long runs of repeated bytes at roughly 1024:1, so a few kilobytes of SPDY frame payload can decompress to gigabytes on the BEAM heap, OOM-killing the node. A single unauthenticated SPDY frame is sufficient to trigger the condition. The parsers for \u003ctt\u003esyn_stream\u003c/tt\u003e, \u003ctt\u003esyn_reply\u003c/tt\u003e, and \u003ctt\u003eheaders\u003c/tt\u003e frame types are all affected via \u003ctt\u003ecow_spdy:parse_headers/2\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects cowlib from 0.1.0 before 2.16.1.\u003c/p\u003e"
            }
          ],
          "value": "Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in ninenines cowlib allows unauthenticated remote denial of service via memory exhaustion.\n\ncow_spdy:inflate/2 in cowlib passes peer-supplied compressed bytes directly to zlib:inflate/2 with no output size bound. The SPDY header compression dictionary (?ZDICT) is public, and zlib compresses long runs of repeated bytes at roughly 1024:1, so a few kilobytes of SPDY frame payload can decompress to gigabytes on the BEAM heap, OOM-killing the node. A single unauthenticated SPDY frame is sufficient to trigger the condition. The parsers for syn_stream, syn_reply, and headers frame types are all affected via cow_spdy:parse_headers/2.\n\nThis issue affects cowlib from 0.1.0 before 2.16.1."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-130",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-130 Excessive Allocation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-409",
              "description": "CWE-409 Improper Handling of Highly Compressed Data (Data Amplification)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-15T04:33:30.898Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "related",
            "third-party-advisory"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-43970.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-43970"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/ninenines/cowlib/commit/16aad3fb9f81f5cda4d1706ff0c54237c619c282"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eUpgrade to cowlib 2.16.1 or later, in which the \u003ctt\u003ecow_spdy\u003c/tt\u003e module has been removed entirely. No patched version of \u003ctt\u003ecow_spdy\u003c/tt\u003e will be provided. Migrate away from SPDY, which has been deprecated since 2015 in favour of HTTP/2.\u003c/p\u003e"
            }
          ],
          "value": "Upgrade to cowlib 2.16.1 or later, in which the cow_spdy module has been removed entirely. No patched version of cow_spdy will be provided. Migrate away from SPDY, which has been deprecated since 2015 in favour of HTTP/2."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Decompression Bomb in cow_spdy:inflate/2 Allows Memory Exhaustion via Crafted SPDY Frame",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-43970",
    "datePublished": "2026-05-13T18:43:11.640Z",
    "dateReserved": "2026-05-04T18:23:25.574Z",
    "dateUpdated": "2026-05-15T04:33:30.898Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-8466 (GCVE-0-2026-8466)

Vulnerability from cvelistv5 – Published: 2026-05-13 18:26 – Updated: 2026-05-14 04:30
Title
Unbounded buffer accumulation in multipart header parsing causes denial of service in cowboy
Summary
Allocation of Resources Without Limits or Throttling vulnerability in ninenines cowboy allows denial of service via unbounded buffer accumulation in multipart header parsing. cowboy_req:read_part/3 in src/cowboy_req.erl accumulates incoming request bytes into a Buffer binary with no upper-bound check. When cow_multipart:parse_headers/2 returns more or {more, Buffer2}, the function reads up to Length bytes (default 64 KB) from the request body and recurses with the enlarged buffer. There is no equivalent of the byte_size(Acc) > Length guard present in the sibling function read_part_body/4. An unauthenticated attacker can send a multipart/form-data request whose body never yields a complete header section — for example, a body that never contains the advertised boundary delimiter, or one whose header lines never contain \r\n\r\n — and force the server process to accumulate memory linearly with the bytes the protocol layer is willing to deliver. A handful of concurrent such uploads is sufficient to exhaust BEAM memory. This issue affects cowboy from 2.0.0 before 2.15.0.
CWE
  • CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
EEF
Impacted products
Vendor Product Version
ninenines cowboy Affected: 2.0.0 , < 2.15.0 (semver)
    cpe:2.3:a:ninenines:cowboy:*:*:*:*:*:*:*:*
ninenines cowboy Affected: 917cf99e10c41676183d501b86af6e47c95afb89 , < 5c6a2061b41bb5771c4659fac7d5a822dca5bafb (git)
    cpe:2.3:a:ninenines:cowboy:*:*:*:*:*:*:*:*
Credits
Peter Ullrich, Loïc Hoguin

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-8466",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-13T18:46:37.406887Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-13T18:52:29.452Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:ninenines:cowboy:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "cowboy_req"
          ],
          "packageName": "cowboy",
          "packageURL": "pkg:hex/cowboy",
          "product": "cowboy",
          "programFiles": [
            "src/cowboy_req.erl"
          ],
          "programRoutines": [
            {
              "name": "cowboy_req:read_part/1"
            },
            {
              "name": "cowboy_req:read_part/2"
            },
            {
              "name": "cowboy_req:read_part/3"
            }
          ],
          "repo": "https://github.com/ninenines/cowboy",
          "vendor": "ninenines",
          "versions": [
            {
              "lessThan": "2.15.0",
              "status": "affected",
              "version": "2.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:ninenines:cowboy:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "cowboy_req"
          ],
          "packageName": "ninenines/cowboy",
          "packageURL": "pkg:github/ninenines/cowboy",
          "product": "cowboy",
          "programFiles": [
            "src/cowboy_req.erl"
          ],
          "programRoutines": [
            {
              "name": "cowboy_req:read_part/1"
            },
            {
              "name": "cowboy_req:read_part/2"
            },
            {
              "name": "cowboy_req:read_part/3"
            }
          ],
          "repo": "https://github.com/ninenines/cowboy",
          "vendor": "ninenines",
          "versions": [
            {
              "lessThan": "5c6a2061b41bb5771c4659fac7d5a822dca5bafb",
              "status": "affected",
              "version": "917cf99e10c41676183d501b86af6e47c95afb89",
              "versionType": "git"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe application must expose an HTTP endpoint that calls \u003ctt\u003ecowboy_req:read_part/1,2\u003c/tt\u003e to process \u003ctt\u003emultipart/form-data\u003c/tt\u003e request bodies. Deployments that do not handle multipart uploads are not affected.\u003c/p\u003e"
            }
          ],
          "value": "The application must expose an HTTP endpoint that calls cowboy_req:read_part/1,2 to process multipart/form-data request bodies. Deployments that do not handle multipart uploads are not affected."
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:ninenines:cowboy:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.15.0",
                  "versionStartIncluding": "2.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Peter Ullrich"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Lo\u00efc Hoguin"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAllocation of Resources Without Limits or Throttling vulnerability in ninenines cowboy allows denial of service via unbounded buffer accumulation in multipart header parsing.\u003c/p\u003e\u003cp\u003e\u003ctt\u003ecowboy_req:read_part/3\u003c/tt\u003e in \u003ctt\u003esrc/cowboy_req.erl\u003c/tt\u003e accumulates incoming request bytes into a \u003ctt\u003eBuffer\u003c/tt\u003e binary with no upper-bound check. When \u003ctt\u003ecow_multipart:parse_headers/2\u003c/tt\u003e returns \u003ctt\u003emore\u003c/tt\u003e or \u003ctt\u003e{more, Buffer2}\u003c/tt\u003e, the function reads up to \u003ctt\u003eLength\u003c/tt\u003e bytes (default 64 KB) from the request body and recurses with the enlarged buffer. There is no equivalent of the \u003ctt\u003ebyte_size(Acc) \u0026gt; Length\u003c/tt\u003e guard present in the sibling function \u003ctt\u003eread_part_body/4\u003c/tt\u003e. An unauthenticated attacker can send a \u003ctt\u003emultipart/form-data\u003c/tt\u003e request whose body never yields a complete header section \u2014 for example, a body that never contains the advertised boundary delimiter, or one whose header lines never contain \u003ctt\u003e\\r\\n\\r\\n\u003c/tt\u003e \u2014 and force the server process to accumulate memory linearly with the bytes the protocol layer is willing to deliver. A handful of concurrent such uploads is sufficient to exhaust BEAM memory.\u003c/p\u003e\u003cp\u003eThis issue affects cowboy from 2.0.0 before 2.15.0.\u003c/p\u003e"
            }
          ],
          "value": "Allocation of Resources Without Limits or Throttling vulnerability in ninenines cowboy allows denial of service via unbounded buffer accumulation in multipart header parsing.\n\ncowboy_req:read_part/3 in src/cowboy_req.erl accumulates incoming request bytes into a Buffer binary with no upper-bound check. When cow_multipart:parse_headers/2 returns more or {more, Buffer2}, the function reads up to Length bytes (default 64 KB) from the request body and recurses with the enlarged buffer. There is no equivalent of the byte_size(Acc) \u003e Length guard present in the sibling function read_part_body/4. An unauthenticated attacker can send a multipart/form-data request whose body never yields a complete header section \u2014 for example, a body that never contains the advertised boundary delimiter, or one whose header lines never contain \\r\\n\\r\\n \u2014 and force the server process to accumulate memory linearly with the bytes the protocol layer is willing to deliver. A handful of concurrent such uploads is sufficient to exhaust BEAM memory.\n\nThis issue affects cowboy from 2.0.0 before 2.15.0."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-130",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-130 Excessive Allocation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-14T04:30:32.552Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "related",
            "third-party-advisory"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-8466.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-8466"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/ninenines/cowboy/commit/5c6a2061b41bb5771c4659fac7d5a822dca5bafb"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Unbounded buffer accumulation in multipart header parsing causes denial of service in cowboy",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-8466",
    "datePublished": "2026-05-13T18:26:21.089Z",
    "dateReserved": "2026-05-13T11:44:39.149Z",
    "dateUpdated": "2026-05-14T04:30:32.552Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-39806 (GCVE-0-2026-39806)

Vulnerability from cvelistv5 – Published: 2026-05-13 13:36 – Updated: 2026-05-13 18:27
Title
HTTP/1 chunked decoder infinite loop on requests with trailer fields in bandit
Summary
Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in mtrudel bandit allows unauthenticated remote denial of service via worker process exhaustion. 'Elixir.Bandit.HTTP1.Socket':do_read_chunked_data!/5 in lib/bandit/http1/socket.ex terminates only when the last-chunk line 0\r\n is followed immediately by the empty trailer line \r\n. RFC 9112 §7.1.2 permits zero or more trailer fields between them. When trailers are present, none of the match clauses fit: the catch-all arm computes a negative to_read, calls read_available!/2, receives <<>> on timeout, and tail-recurses with unchanged state. The worker process is pinned for the lifetime of the TCP connection. A handful of concurrent connections sending RFC-conformant chunked requests with trailer fields is sufficient to exhaust the Bandit worker pool and render the server unresponsive to all further traffic. No authentication, special headers, or large payload is required. Proxies such as NGINX and HAProxy legitimately forward trailer-bearing requests, so servers behind such proxies may be affected without any malicious client involvement. This issue affects bandit: from 1.6.1 before 1.11.1.
CWE
  • CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Assigner
EEF
Impacted products
Vendor Product Version
mtrudel bandit Affected: 1.6.1 , < 1.11.1 (semver)
    cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*
mtrudel bandit Affected: e73e379ab59840e8561b5730878f16e29ab06217 , < ae3520dfdbfab115c638f8c7f6f6b805db34e1ab (git)
    cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*
Credits
Peter Ullrich, Mat Trudel, Jonatan Männchen

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-39806",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-13T14:36:21.650529Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-13T14:36:34.475Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/mtrudel/bandit/security/advisories/GHSA-rf5q-vwxw-gmrf"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.Bandit.HTTP1.Socket\u0027"
          ],
          "packageName": "bandit",
          "packageURL": "pkg:hex/bandit",
          "product": "bandit",
          "programFiles": [
            "lib/bandit/http1/socket.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.Bandit.HTTP1.Socket\u0027:do_read_chunked_data!/5"
            }
          ],
          "repo": "https://github.com/mtrudel/bandit",
          "vendor": "mtrudel",
          "versions": [
            {
              "lessThan": "1.11.1",
              "status": "affected",
              "version": "1.6.1",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.Bandit.HTTP1.Socket\u0027"
          ],
          "packageName": "mtrudel/bandit",
          "packageURL": "pkg:github/mtrudel/bandit",
          "product": "bandit",
          "programFiles": [
            "lib/bandit/http1/socket.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.Bandit.HTTP1.Socket\u0027:do_read_chunked_data!/5"
            }
          ],
          "repo": "https://github.com/mtrudel/bandit",
          "vendor": "mtrudel",
          "versions": [
            {
              "lessThan": "ae3520dfdbfab115c638f8c7f6f6b805db34e1ab",
              "status": "affected",
              "version": "e73e379ab59840e8561b5730878f16e29ab06217",
              "versionType": "git"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.11.1",
                  "versionStartIncluding": "1.6.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "AND"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Peter Ullrich"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Mat Trudel"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Jonatan M\u00e4nnchen"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027) vulnerability in mtrudel bandit allows unauthenticated remote denial of service via worker process exhaustion.\u003cp\u003e\u003ctt\u003e\u0027Elixir.Bandit.HTTP1.Socket\u0027:do_read_chunked_data!/5\u003c/tt\u003e in \u003ctt\u003elib/bandit/http1/socket.ex\u003c/tt\u003e terminates only when the last-chunk line \u003ctt\u003e0\\r\\n\u003c/tt\u003e is followed immediately by the empty trailer line \u003ctt\u003e\\r\\n\u003c/tt\u003e. RFC 9112 \u00a77.1.2 permits zero or more trailer fields between them. When trailers are present, none of the match clauses fit: the catch-all arm computes a negative \u003ctt\u003eto_read\u003c/tt\u003e, calls \u003ctt\u003eread_available!/2\u003c/tt\u003e, receives \u003ctt\u003e\u0026lt;\u0026lt;\u0026gt;\u0026gt;\u003c/tt\u003e on timeout, and tail-recurses with unchanged state. The worker process is pinned for the lifetime of the TCP connection.\u003c/p\u003e\u003cp\u003eA handful of concurrent connections sending RFC-conformant chunked requests with trailer fields is sufficient to exhaust the Bandit worker pool and render the server unresponsive to all further traffic. No authentication, special headers, or large payload is required. Proxies such as NGINX and HAProxy legitimately forward trailer-bearing requests, so servers behind such proxies may be affected without any malicious client involvement.\u003c/p\u003e\u003cp\u003eThis issue affects bandit: from 1.6.1 before 1.11.1.\u003c/p\u003e"
            }
          ],
          "value": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027) vulnerability in mtrudel bandit allows unauthenticated remote denial of service via worker process exhaustion.\n\n\u0027Elixir.Bandit.HTTP1.Socket\u0027:do_read_chunked_data!/5 in lib/bandit/http1/socket.ex terminates only when the last-chunk line 0\\r\\n is followed immediately by the empty trailer line \\r\\n. RFC 9112 \u00a77.1.2 permits zero or more trailer fields between them. When trailers are present, none of the match clauses fit: the catch-all arm computes a negative to_read, calls read_available!/2, receives \u003c\u003c\u003e\u003e on timeout, and tail-recurses with unchanged state. The worker process is pinned for the lifetime of the TCP connection.\n\nA handful of concurrent connections sending RFC-conformant chunked requests with trailer fields is sufficient to exhaust the Bandit worker pool and render the server unresponsive to all further traffic. No authentication, special headers, or large payload is required. Proxies such as NGINX and HAProxy legitimately forward trailer-bearing requests, so servers behind such proxies may be affected without any malicious client involvement.\n\nThis issue affects bandit: from 1.6.1 before 1.11.1."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-469",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-469 HTTP DoS"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-835",
              "description": "CWE-835 Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-13T18:27:37.964Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/mtrudel/bandit/security/advisories/GHSA-rf5q-vwxw-gmrf"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-39806.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-39806"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/mtrudel/bandit/commit/ae3520dfdbfab115c638f8c7f6f6b805db34e1ab"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "HTTP/1 chunked decoder infinite loop on requests with trailer fields in bandit",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-39806",
    "datePublished": "2026-05-13T13:36:17.806Z",
    "dateReserved": "2026-04-07T12:28:54.916Z",
    "dateUpdated": "2026-05-13T18:27:37.964Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-39803 (GCVE-0-2026-39803)

Vulnerability from cvelistv5 – Published: 2026-05-13 13:36 – Updated: 2026-05-13 18:27
Title
HTTP/1 chunked body reader ignores length cap in bandit
Summary
Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion. The chunked clause of 'Elixir.Bandit.HTTP1.Socket':read_data/2 in lib/bandit/http1/socket.ex ignores the caller-supplied :length option when reading HTTP/1 chunked request bodies. Instead of capping the accumulated body at the configured limit (e.g. Plug.Parsers' default 8 MB), do_read_chunked_data!/5 buffers every received chunk into an iolist unconditionally and materializes the entire body as a single binary. The function always returns {:ok, body, ...}, so callers cannot interpose a 413 response. Because Plug.Parsers runs before routing and authentication in the standard Phoenix endpoint, an unauthenticated attacker needs no valid route or credentials. Sending a single Transfer-Encoding: chunked POST request with an arbitrarily large body to any path causes the BEAM process to exhaust available memory and be terminated by the OS OOM killer. The content-length path in the same function correctly enforces the limit and is not affected. This issue affects bandit: from 1.4.0 before 1.11.1.
CWE
  • CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
EEF
Impacted products
Vendor Product Version
mtrudel bandit Affected: 1.4.0 , < 1.11.1 (semver)
    cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*
mtrudel bandit Affected: 903e209a521bc216b9f9065c01ae9a0cac2d5a10 , < ae3520dfdbfab115c638f8c7f6f6b805db34e1ab (git)
    cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*
Credits
Peter Ullrich, Mat Trudel, Jonatan Männchen

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-39803",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-13T14:41:58.440838Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-13T14:43:25.158Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/mtrudel/bandit/security/advisories/GHSA-9q9q-324x-93r2"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.Bandit.HTTP1.Socket\u0027"
          ],
          "packageName": "bandit",
          "packageURL": "pkg:hex/bandit",
          "product": "bandit",
          "programFiles": [
            "lib/bandit/http1/socket.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.Bandit.HTTP1.Socket\u0027:read_data/2"
            },
            {
              "name": "\u0027Elixir.Bandit.HTTP1.Socket\u0027:do_read_chunked_data!/5"
            }
          ],
          "repo": "https://github.com/mtrudel/bandit",
          "vendor": "mtrudel",
          "versions": [
            {
              "lessThan": "1.11.1",
              "status": "affected",
              "version": "1.4.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.Bandit.HTTP1.Socket\u0027"
          ],
          "packageName": "mtrudel/bandit",
          "packageURL": "pkg:github/mtrudel/bandit",
          "product": "bandit",
          "programFiles": [
            "lib/bandit/http1/socket.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.Bandit.HTTP1.Socket\u0027:read_data/2"
            },
            {
              "name": "\u0027Elixir.Bandit.HTTP1.Socket\u0027:do_read_chunked_data!/5"
            }
          ],
          "repo": "https://github.com/mtrudel/bandit",
          "vendor": "mtrudel",
          "versions": [
            {
              "lessThan": "ae3520dfdbfab115c638f8c7f6f6b805db34e1ab",
              "status": "affected",
              "version": "903e209a521bc216b9f9065c01ae9a0cac2d5a10",
              "versionType": "git"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.11.1",
                  "versionStartIncluding": "1.4.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "AND"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Peter Ullrich"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Mat Trudel"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Jonatan M\u00e4nnchen"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion.\u003cp\u003eThe chunked clause of \u003ctt\u003e\u0027Elixir.Bandit.HTTP1.Socket\u0027:read_data/2\u003c/tt\u003e in \u003ctt\u003elib/bandit/http1/socket.ex\u003c/tt\u003e ignores the caller-supplied \u003ctt\u003e:length\u003c/tt\u003e option when reading HTTP/1 chunked request bodies. Instead of capping the accumulated body at the configured limit (e.g. \u003ctt\u003ePlug.Parsers\u003c/tt\u003e\u0027 default 8 MB), \u003ctt\u003edo_read_chunked_data!/5\u003c/tt\u003e buffers every received chunk into an iolist unconditionally and materializes the entire body as a single binary. The function always returns \u003ctt\u003e{:ok, body, ...}\u003c/tt\u003e, so callers cannot interpose a 413 response.\u003c/p\u003e\u003cp\u003eBecause \u003ctt\u003ePlug.Parsers\u003c/tt\u003e runs before routing and authentication in the standard Phoenix endpoint, an unauthenticated attacker needs no valid route or credentials. Sending a single \u003ctt\u003eTransfer-Encoding: chunked\u003c/tt\u003e POST request with an arbitrarily large body to any path causes the BEAM process to exhaust available memory and be terminated by the OS OOM killer.\u003c/p\u003e\u003cp\u003eThe content-length path in the same function correctly enforces the limit and is not affected.\u003c/p\u003e\u003cp\u003eThis issue affects bandit: from 1.4.0 before 1.11.1.\u003c/p\u003e"
            }
          ],
          "value": "Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion.\n\nThe chunked clause of \u0027Elixir.Bandit.HTTP1.Socket\u0027:read_data/2 in lib/bandit/http1/socket.ex ignores the caller-supplied :length option when reading HTTP/1 chunked request bodies. Instead of capping the accumulated body at the configured limit (e.g. Plug.Parsers\u0027 default 8 MB), do_read_chunked_data!/5 buffers every received chunk into an iolist unconditionally and materializes the entire body as a single binary. The function always returns {:ok, body, ...}, so callers cannot interpose a 413 response.\n\nBecause Plug.Parsers runs before routing and authentication in the standard Phoenix endpoint, an unauthenticated attacker needs no valid route or credentials. Sending a single Transfer-Encoding: chunked POST request with an arbitrarily large body to any path causes the BEAM process to exhaust available memory and be terminated by the OS OOM killer.\n\nThe content-length path in the same function correctly enforces the limit and is not affected.\n\nThis issue affects bandit: from 1.4.0 before 1.11.1."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-130",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-130 Excessive Allocation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-13T18:27:30.095Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/mtrudel/bandit/security/advisories/GHSA-9q9q-324x-93r2"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-39803.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-39803"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/mtrudel/bandit/commit/ae3520dfdbfab115c638f8c7f6f6b805db34e1ab"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "HTTP/1 chunked body reader ignores length cap in bandit",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-39803",
    "datePublished": "2026-05-13T13:36:09.648Z",
    "dateReserved": "2026-04-07T12:28:54.916Z",
    "dateUpdated": "2026-05-13T18:27:30.095Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-32687 (GCVE-0-2026-32687)

Vulnerability from cvelistv5 – Published: 2026-05-12 14:18 – Updated: 2026-05-26 19:46
Title
SQL injection via channel name in Postgrex.Notifications.listen/3 and unlisten/3
Summary
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in elixir-ecto postgrex ('Elixir.Postgrex.Notifications' module) allows SQL Injection. The channel argument passed to 'Elixir.Postgrex.Notifications':listen/3 and 'Elixir.Postgrex.Notifications':unlisten/3 is interpolated directly into LISTEN "..." / UNLISTEN "..." SQL statements without escaping the " character. An attacker who can influence the channel name can inject a " to break out of the quoted identifier and append arbitrary SQL. Because the notifications connection uses the PostgreSQL simple query protocol, multi-statement payloads are accepted, allowing DDL and DML commands to be chained (e.g. ; DROP TABLE ...; --). The same unsanitized interpolation also occurs in handle_connect/1 when replaying LISTEN commands after a reconnect. This vulnerability is associated with program file lib/postgrex/notifications.ex and program routines 'Elixir.Postgrex.Notifications':listen/3, 'Elixir.Postgrex.Notifications':unlisten/3, 'Elixir.Postgrex.Notifications':handle_connect/1. This issue affects postgrex: from 0.16.0 before 0.22.2, from pkg:github/elixir-ecto/postgrex@266b530faf9bde094e31e0e4ab851f933fadc0f5 before 0.22.2.
CWE
  • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
EEF
Impacted products
Vendor Product Version
elixir-ecto postgrex Affected: 0.16.0 , < 0.22.2 (semver)
    cpe:2.3:a:elixir-ecto:postgrex:*:*:*:*:*:*:*:*
elixir-ecto postgrex Affected: 266b530faf9bde094e31e0e4ab851f933fadc0f5 , < 7cdedbd4316bb65f82e6a9a4f922c0ac491cb770 (git)
    cpe:2.3:a:elixir-ecto:postgrex:*:*:*:*:*:*:*:*
Credits
Peter Ullrich

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-32687",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-12T19:44:22.093287Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T19:44:35.571Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:elixir-ecto:postgrex:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.Postgrex.Notifications\u0027"
          ],
          "packageName": "postgrex",
          "packageURL": "pkg:hex/postgrex",
          "product": "postgrex",
          "programFiles": [
            "lib/postgrex/notifications.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.Postgrex.Notifications\u0027:listen/3"
            },
            {
              "name": "\u0027Elixir.Postgrex.Notifications\u0027:unlisten/3"
            },
            {
              "name": "\u0027Elixir.Postgrex.Notifications\u0027:handle_connect/1"
            }
          ],
          "repo": "https://github.com/elixir-ecto/postgrex.git",
          "vendor": "elixir-ecto",
          "versions": [
            {
              "lessThan": "0.22.2",
              "status": "affected",
              "version": "0.16.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:elixir-ecto:postgrex:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.Postgrex.Notifications\u0027"
          ],
          "packageName": "elixir-ecto/postgrex",
          "packageURL": "pkg:github/elixir-ecto/postgrex",
          "product": "postgrex",
          "programFiles": [
            "lib/postgrex/notifications.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.Postgrex.Notifications\u0027:listen/3"
            },
            {
              "name": "\u0027Elixir.Postgrex.Notifications\u0027:unlisten/3"
            },
            {
              "name": "\u0027Elixir.Postgrex.Notifications\u0027:handle_connect/1"
            }
          ],
          "repo": "https://github.com/elixir-ecto/postgrex.git",
          "vendor": "elixir-ecto",
          "versions": [
            {
              "lessThan": "7cdedbd4316bb65f82e6a9a4f922c0ac491cb770",
              "status": "affected",
              "version": "266b530faf9bde094e31e0e4ab851f933fadc0f5",
              "versionType": "git"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe application must call \u003ctt\u003e\u0027Elixir.Postgrex.Notifications\u0027:listen/3\u003c/tt\u003e or \u003ctt\u003e\u0027Elixir.Postgrex.Notifications\u0027:unlisten/3\u003c/tt\u003e with a channel name derived from untrusted user input.\u003c/p\u003e"
            }
          ],
          "value": "The application must call \u0027Elixir.Postgrex.Notifications\u0027:listen/3 or \u0027Elixir.Postgrex.Notifications\u0027:unlisten/3 with a channel name derived from untrusted user input."
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:elixir-ecto:postgrex:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "0.22.2",
                  "versionStartIncluding": "0.16.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "AND"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Peter Ullrich"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in elixir-ecto postgrex (\u003ctt\u003e\u0027Elixir.Postgrex.Notifications\u0027\u003c/tt\u003e module) allows SQL Injection.\u003cp\u003eThe \u003ctt\u003echannel\u003c/tt\u003e argument passed to \u003ctt\u003e\u0027Elixir.Postgrex.Notifications\u0027:listen/3\u003c/tt\u003e and \u003ctt\u003e\u0027Elixir.Postgrex.Notifications\u0027:unlisten/3\u003c/tt\u003e is interpolated directly into \u003ctt\u003eLISTEN \"...\"\u003c/tt\u003e / \u003ctt\u003eUNLISTEN \"...\"\u003c/tt\u003e SQL statements without escaping the \u003ctt\u003e\"\u003c/tt\u003e character. An attacker who can influence the channel name can inject a \u003ctt\u003e\"\u003c/tt\u003e to break out of the quoted identifier and append arbitrary SQL. Because the notifications connection uses the PostgreSQL simple query protocol, multi-statement payloads are accepted, allowing DDL and DML commands to be chained (e.g. \u003ctt\u003e; DROP TABLE ...; --\u003c/tt\u003e). The same unsanitized interpolation also occurs in \u003ctt\u003ehandle_connect/1\u003c/tt\u003e when replaying LISTEN commands after a reconnect.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program file \u003ctt\u003elib/postgrex/notifications.ex\u003c/tt\u003e and program routines \u003ctt\u003e\u0027Elixir.Postgrex.Notifications\u0027:listen/3\u003c/tt\u003e, \u003ctt\u003e\u0027Elixir.Postgrex.Notifications\u0027:unlisten/3\u003c/tt\u003e, \u003ctt\u003e\u0027Elixir.Postgrex.Notifications\u0027:handle_connect/1\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects postgrex: from 0.16.0 before 0.22.2, from pkg:github/elixir-ecto/postgrex@266b530faf9bde094e31e0e4ab851f933fadc0f5 before 0.22.2.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in elixir-ecto postgrex (\u0027Elixir.Postgrex.Notifications\u0027 module) allows SQL Injection.\n\nThe channel argument passed to \u0027Elixir.Postgrex.Notifications\u0027:listen/3 and \u0027Elixir.Postgrex.Notifications\u0027:unlisten/3 is interpolated directly into LISTEN \"...\" / UNLISTEN \"...\" SQL statements without escaping the \" character. An attacker who can influence the channel name can inject a \" to break out of the quoted identifier and append arbitrary SQL. Because the notifications connection uses the PostgreSQL simple query protocol, multi-statement payloads are accepted, allowing DDL and DML commands to be chained (e.g. ; DROP TABLE ...; --). The same unsanitized interpolation also occurs in handle_connect/1 when replaying LISTEN commands after a reconnect.\n\nThis vulnerability is associated with program file lib/postgrex/notifications.ex and program routines \u0027Elixir.Postgrex.Notifications\u0027:listen/3, \u0027Elixir.Postgrex.Notifications\u0027:unlisten/3, \u0027Elixir.Postgrex.Notifications\u0027:handle_connect/1.\n\nThis issue affects postgrex: from 0.16.0 before 0.22.2, from pkg:github/elixir-ecto/postgrex@266b530faf9bde094e31e0e4ab851f933fadc0f5 before 0.22.2."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-66",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-66 SQL Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-26T19:46:52.054Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/elixir-ecto/ecto/security/advisories/GHSA-r73h-97w8-m54h"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-32687.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-32687"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/elixir-ecto/postgrex/commit/7cdedbd4316bb65f82e6a9a4f922c0ac491cb770"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "SQL injection via channel name in Postgrex.Notifications.listen/3 and unlisten/3",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-32687",
    "datePublished": "2026-05-12T14:18:07.607Z",
    "dateReserved": "2026-03-13T09:12:14.475Z",
    "dateUpdated": "2026-05-26T19:46:52.054Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-43968 (GCVE-0-2026-43968)

Vulnerability from cvelistv5 – Published: 2026-05-11 18:06 – Updated: 2026-05-12 12:11
Title
CR Injection in SSE Encoder Enables Event Splitting via cow_sse:event/1
Summary
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in ninenines cowlib allows SSE event splitting and injection via unvalidated field values. cow_sse:event/1 in cowlib guards the id and event fields against \n but not against bare \r, and the internal prefix_lines/2 function used for data and comment fields splits only on \n. Because the SSE specification requires decoders to treat \r\n, \r, and \n as equivalent line terminators, an attacker who controls any of these fields can inject additional SSE lines and forge a complete event with an arbitrary event type and data payload on the receiving end. In typical deployments where browser EventSource clients or other SSE consumers dispatch on event.type and render event.data, this enables event splitting, client-side logic manipulation, and stored-XSS-equivalent behaviour when event data is inserted into the DOM. This issue affects cowlib from 2.6.0 before 2.16.1.
CWE
  • CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Assigner
EEF
Impacted products
Vendor Product Version
ninenines cowlib Affected: 2.6.0 , < 2.16.1 (semver)
    cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*
ninenines cowlib Affected: 93b2b897cde238506c803faad4d1602d79dba7c9 , < 6165fc40efa159ba1cceee7e7981e790acba5d9c (git)
    cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*
Credits
Peter Ullrich Loïc Hoguin

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-43968",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-11T18:57:13.541982Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-11T18:57:38.074Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "cow_sse"
          ],
          "packageName": "cowlib",
          "packageURL": "pkg:hex/cowlib",
          "product": "cowlib",
          "programFiles": [
            "src/cow_sse.erl"
          ],
          "programRoutines": [
            {
              "name": "cow_sse:event/1"
            },
            {
              "name": "cow_sse:event_id/1"
            },
            {
              "name": "cow_sse:event_name/1"
            },
            {
              "name": "cow_sse:event_data/1"
            },
            {
              "name": "cow_sse:event_comment/1"
            },
            {
              "name": "cow_sse:prefix_lines/2"
            }
          ],
          "repo": "https://github.com/ninenines/cowlib",
          "vendor": "ninenines",
          "versions": [
            {
              "lessThan": "2.16.1",
              "status": "affected",
              "version": "2.6.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "cow_sse"
          ],
          "packageName": "ninenines/cowlib",
          "packageURL": "pkg:github/ninenines/cowlib",
          "product": "cowlib",
          "programFiles": [
            "src/cow_sse.erl"
          ],
          "programRoutines": [
            {
              "name": "cow_sse:event/1"
            },
            {
              "name": "cow_sse:event_id/1"
            },
            {
              "name": "cow_sse:event_name/1"
            },
            {
              "name": "cow_sse:event_data/1"
            },
            {
              "name": "cow_sse:event_comment/1"
            },
            {
              "name": "cow_sse:prefix_lines/2"
            }
          ],
          "repo": "https://github.com/ninenines/cowlib",
          "vendor": "ninenines",
          "versions": [
            {
              "lessThan": "6165fc40efa159ba1cceee7e7981e790acba5d9c",
              "status": "affected",
              "version": "93b2b897cde238506c803faad4d1602d79dba7c9",
              "versionType": "git"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe application must pass user-controlled data as the \u003ctt\u003eid\u003c/tt\u003e, \u003ctt\u003eevent\u003c/tt\u003e, \u003ctt\u003edata\u003c/tt\u003e, or \u003ctt\u003ecomment\u003c/tt\u003e field to \u003ctt\u003ecow_sse:event/1\u003c/tt\u003e (or a higher-level wrapper such as \u003ctt\u003ecowboy_req:stream_events/3\u003c/tt\u003e). Applications that construct SSE events exclusively from trusted, application-controlled values are not affected.\u003c/p\u003e"
            }
          ],
          "value": "The application must pass user-controlled data as the id, event, data, or comment field to cow_sse:event/1 (or a higher-level wrapper such as cowboy_req:stream_events/3). Applications that construct SSE events exclusively from trusted, application-controlled values are not affected."
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.16.1",
                  "versionStartIncluding": "2.6.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Peter Ullrich"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Lo\u00efc Hoguin"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eImproper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027) vulnerability in ninenines cowlib allows SSE event splitting and injection via unvalidated field values.\u003c/p\u003e\u003cp\u003e\u003ctt\u003ecow_sse:event/1\u003c/tt\u003e in cowlib guards the \u003ctt\u003eid\u003c/tt\u003e and \u003ctt\u003eevent\u003c/tt\u003e fields against \u003ctt\u003e\\n\u003c/tt\u003e but not against bare \u003ctt\u003e\\r\u003c/tt\u003e, and the internal \u003ctt\u003eprefix_lines/2\u003c/tt\u003e function used for \u003ctt\u003edata\u003c/tt\u003e and \u003ctt\u003ecomment\u003c/tt\u003e fields splits only on \u003ctt\u003e\\n\u003c/tt\u003e. Because the SSE specification requires decoders to treat \u003ctt\u003e\\r\\n\u003c/tt\u003e, \u003ctt\u003e\\r\u003c/tt\u003e, and \u003ctt\u003e\\n\u003c/tt\u003e as equivalent line terminators, an attacker who controls any of these fields can inject additional SSE lines and forge a complete event with an arbitrary event type and data payload on the receiving end. In typical deployments where browser \u003ctt\u003eEventSource\u003c/tt\u003e clients or other SSE consumers dispatch on \u003ctt\u003eevent.type\u003c/tt\u003e and render \u003ctt\u003eevent.data\u003c/tt\u003e, this enables event splitting, client-side logic manipulation, and stored-XSS-equivalent behaviour when event data is inserted into the DOM.\u003c/p\u003e\u003cp\u003eThis issue affects cowlib from 2.6.0 before 2.16.1.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027) vulnerability in ninenines cowlib allows SSE event splitting and injection via unvalidated field values.\n\ncow_sse:event/1 in cowlib guards the id and event fields against \\n but not against bare \\r, and the internal prefix_lines/2 function used for data and comment fields splits only on \\n. Because the SSE specification requires decoders to treat \\r\\n, \\r, and \\n as equivalent line terminators, an attacker who controls any of these fields can inject additional SSE lines and forge a complete event with an arbitrary event type and data payload on the receiving end. In typical deployments where browser EventSource clients or other SSE consumers dispatch on event.type and render event.data, this enables event splitting, client-side logic manipulation, and stored-XSS-equivalent behaviour when event data is inserted into the DOM.\n\nThis issue affects cowlib from 2.6.0 before 2.16.1."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-34",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-34 HTTP Response Splitting"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-93",
              "description": "CWE-93 Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-12T12:11:43.388Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "related",
            "third-party-advisory"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-43968.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-43968"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/ninenines/cowlib/commit/6165fc40efa159ba1cceee7e7981e790acba5d9c"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "CR Injection in SSE Encoder Enables Event Splitting via cow_sse:event/1",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eSanitize user-controlled values before passing them to \u003ctt\u003ecow_sse:event/1\u003c/tt\u003e: reject or strip any value containing \u003ctt\u003e\\r\u003c/tt\u003e or \u003ctt\u003e\\n\u003c/tt\u003e characters in the \u003ctt\u003eid\u003c/tt\u003e, \u003ctt\u003eevent\u003c/tt\u003e, \u003ctt\u003edata\u003c/tt\u003e, and \u003ctt\u003ecomment\u003c/tt\u003e fields. Alternatively, ensure that all SSE field values are derived exclusively from trusted, application-controlled data rather than user input.\u003c/p\u003e"
            }
          ],
          "value": "Sanitize user-controlled values before passing them to cow_sse:event/1: reject or strip any value containing \\r or \\n characters in the id, event, data, and comment fields. Alternatively, ensure that all SSE field values are derived exclusively from trusted, application-controlled data rather than user input."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-43968",
    "datePublished": "2026-05-11T18:06:42.881Z",
    "dateReserved": "2026-05-04T18:23:25.573Z",
    "dateUpdated": "2026-05-12T12:11:43.388Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-7790 (GCVE-0-2026-7790)

Vulnerability from cvelistv5 – Published: 2026-05-11 18:06 – Updated: 2026-05-26 19:46
Title
Unbounded chunk-size hex digits in cowlib cause quadratic CPU and memory DoS
Summary
Uncontrolled Resource Consumption vulnerability in ninenines cowlib (cow_http_te module) allows Excessive Allocation. The chunked transfer-encoding parser in cow_http_te accepts an unbounded number of hex digits in the chunk-size field. Each digit causes a bignum multiplication (Len * 16 + digit), so parsing N hex digits requires O(N²) CPU work and O(N) memory. Additionally, when input is drip-fed, the parser discards the accumulated length on each partial read and restarts from zero on resumption, raising the cost to O(N³). An unauthenticated remote attacker can exploit this by sending an HTTP/1.1 request with Transfer-Encoding: chunked and a very long chunk-size hex string to cause denial of service through CPU exhaustion and memory amplification. This vulnerability is associated with program file src/cow_http_te.erl and program routines cow_http_te:stream_chunked/2, cow_http_te:chunked_len/4. This issue affects cowlib: from 0.6.0 before 2.16.1.
CWE
  • CWE-400 - Uncontrolled Resource Consumption
Assigner
EEF
Impacted products
Vendor Product Version
ninenines cowlib Affected: 0.6.0 , < 2.16.1 (semver)
    cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*
ninenines cowlib Affected: 8c0e428b012c59f553a264f285ed89d36f791e3e , < a4b8039ce8c93ab00867ef6b7e888822c09f4369 (git)
    cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*
Credits
Peter Ullrich Loïc Hoguin

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-7790",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-11T18:56:19.590262Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-11T18:56:31.426Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "cow_http_te"
          ],
          "packageName": "cowlib",
          "packageURL": "pkg:hex/cowlib",
          "product": "cowlib",
          "programFiles": [
            "src/cow_http_te.erl"
          ],
          "programRoutines": [
            {
              "name": "cow_http_te:stream_chunked/2"
            },
            {
              "name": "cow_http_te:chunked_len/4"
            }
          ],
          "repo": "https://github.com/ninenines/cowlib",
          "vendor": "ninenines",
          "versions": [
            {
              "lessThan": "2.16.1",
              "status": "affected",
              "version": "0.6.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "cow_http_te"
          ],
          "packageName": "ninenines/cowlib",
          "packageURL": "pkg:github/ninenines/cowlib",
          "product": "cowlib",
          "programFiles": [
            "src/cow_http_te.erl"
          ],
          "programRoutines": [
            {
              "name": "cow_http_te:stream_chunked/2"
            },
            {
              "name": "cow_http_te:chunked_len/4"
            }
          ],
          "repo": "https://github.com/ninenines/cowlib",
          "vendor": "ninenines",
          "versions": [
            {
              "lessThan": "a4b8039ce8c93ab00867ef6b7e888822c09f4369",
              "status": "affected",
              "version": "8c0e428b012c59f553a264f285ed89d36f791e3e",
              "versionType": "git"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.16.1",
                  "versionStartIncluding": "0.6.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "AND"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Peter Ullrich"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Lo\u00efc Hoguin"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Uncontrolled Resource Consumption vulnerability in ninenines cowlib (cow_http_te module) allows Excessive Allocation.\u003cp\u003eThe chunked transfer-encoding parser in \u003ctt\u003ecow_http_te\u003c/tt\u003e accepts an unbounded number of hex digits in the chunk-size field. Each digit causes a bignum multiplication (\u003ctt\u003eLen * 16 + digit\u003c/tt\u003e), so parsing \u003ctt\u003eN\u003c/tt\u003e hex digits requires O(N\u00b2) CPU work and O(N) memory. Additionally, when input is drip-fed, the parser discards the accumulated length on each partial read and restarts from zero on resumption, raising the cost to O(N\u00b3). An unauthenticated remote attacker can exploit this by sending an HTTP/1.1 request with \u003ctt\u003eTransfer-Encoding: chunked\u003c/tt\u003e and a very long chunk-size hex string to cause denial of service through CPU exhaustion and memory amplification.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program file \u003ctt\u003esrc/cow_http_te.erl\u003c/tt\u003e and program routines \u003ctt\u003ecow_http_te:stream_chunked/2\u003c/tt\u003e, \u003ctt\u003ecow_http_te:chunked_len/4\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects cowlib: from 0.6.0 before 2.16.1.\u003c/p\u003e"
            }
          ],
          "value": "Uncontrolled Resource Consumption vulnerability in ninenines cowlib (cow_http_te module) allows Excessive Allocation.\n\nThe chunked transfer-encoding parser in cow_http_te accepts an unbounded number of hex digits in the chunk-size field. Each digit causes a bignum multiplication (Len * 16 + digit), so parsing N hex digits requires O(N\u00b2) CPU work and O(N) memory. Additionally, when input is drip-fed, the parser discards the accumulated length on each partial read and restarts from zero on resumption, raising the cost to O(N\u00b3). An unauthenticated remote attacker can exploit this by sending an HTTP/1.1 request with Transfer-Encoding: chunked and a very long chunk-size hex string to cause denial of service through CPU exhaustion and memory amplification.\n\nThis vulnerability is associated with program file src/cow_http_te.erl and program routines cow_http_te:stream_chunked/2, cow_http_te:chunked_len/4.\n\nThis issue affects cowlib: from 0.6.0 before 2.16.1."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-130",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-130 Excessive Allocation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400 Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-26T19:46:42.244Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "related",
            "third-party-advisory"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-7790.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-7790"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/ninenines/cowlib/commit/a4b8039ce8c93ab00867ef6b7e888822c09f4369"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Unbounded chunk-size hex digits in cowlib cause quadratic CPU and memory DoS",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIn Cowboy, setting \u003ctt\u003einitial_stream_flow_size\u003c/tt\u003e to a much lower value limits the amount of chunked body data that cowlib will parse in a single read, reducing the window of data an attacker can use to trigger the quadratic work. This does not fully eliminate the vulnerability but can significantly reduce its impact for some applications.\u003c/p\u003e"
            }
          ],
          "value": "In Cowboy, setting initial_stream_flow_size to a much lower value limits the amount of chunked body data that cowlib will parse in a single read, reducing the window of data an attacker can use to trigger the quadratic work. This does not fully eliminate the vulnerability but can significantly reduce its impact for some applications."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-7790",
    "datePublished": "2026-05-11T18:06:41.490Z",
    "dateReserved": "2026-05-04T18:23:21.380Z",
    "dateUpdated": "2026-05-26T19:46:42.244Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-43969 (GCVE-0-2026-43969)

Vulnerability from cvelistv5 – Published: 2026-05-11 18:06 – Updated: 2026-05-12 04:26
Title
Cookie Request Header Injection via Unvalidated Encoder in cow_cookie:cookie/1
Summary
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in ninenines cowlib allows HTTP request splitting and cookie smuggling via unvalidated cookie name and value fields. cow_cookie:cookie/1 in cowlib builds a client-side Cookie: request header from a list of name-value pairs without validating either field. An attacker who controls the cookie names or values passed to this function can inject semicolon (;), comma (,), CR, LF, or TAB characters into the serialized header. This enables two classes of attack: cookie smuggling within a single header (e.g. injecting "; admin=1" to introduce a phantom cookie that the receiving server treats as authentic) and HTTP request header splitting (injecting CRLF to append arbitrary headers or smuggle a complete second request against a shared upstream proxy). The decoder side (parse_cookie_name/1, parse_cookie_value/1) and setcookie/3 already validate and reject these characters; the encoder alone is missing the check. This issue affects cowlib from 2.9.0.
CWE
  • CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Assigner
EEF
Impacted products
Vendor Product Version
ninenines cowlib Affected: 2.9.0 (semver)
    cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*
ninenines cowlib Affected: f017f8a0ecbffd5033d9ab49bf180186f7a523a7 (git)
    cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*
Credits
Peter Ullrich

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-43969",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-11T18:55:16.028478Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-11T18:55:26.121Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "cow_cookie"
          ],
          "packageName": "cowlib",
          "packageURL": "pkg:hex/cowlib",
          "product": "cowlib",
          "programFiles": [
            "src/cow_cookie.erl"
          ],
          "programRoutines": [
            {
              "name": "cow_cookie:cookie/1"
            }
          ],
          "repo": "https://github.com/ninenines/cowlib",
          "vendor": "ninenines",
          "versions": [
            {
              "status": "affected",
              "version": "2.9.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "cow_cookie"
          ],
          "packageName": "ninenines/cowlib",
          "packageURL": "pkg:github/ninenines/cowlib",
          "product": "cowlib",
          "programFiles": [
            "src/cow_cookie.erl"
          ],
          "programRoutines": [
            {
              "name": "cow_cookie:cookie/1"
            }
          ],
          "repo": "https://github.com/ninenines/cowlib",
          "vendor": "ninenines",
          "versions": [
            {
              "status": "affected",
              "version": "f017f8a0ecbffd5033d9ab49bf180186f7a523a7",
              "versionType": "git"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe application must pass attacker-controlled bytes as cookie names or values to \u003ctt\u003ecow_cookie:cookie/1\u003c/tt\u003e. Applications that construct cookie lists exclusively from trusted, application-controlled values are not affected.\u003c/p\u003e"
            }
          ],
          "value": "The application must pass attacker-controlled bytes as cookie names or values to cow_cookie:cookie/1. Applications that construct cookie lists exclusively from trusted, application-controlled values are not affected."
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:ninenines:cowlib:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "2.9.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Peter Ullrich"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eImproper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027) vulnerability in ninenines cowlib allows HTTP request splitting and cookie smuggling via unvalidated cookie name and value fields.\u003c/p\u003e\u003cp\u003e\u003ctt\u003ecow_cookie:cookie/1\u003c/tt\u003e in cowlib builds a client-side \u003ctt\u003eCookie:\u003c/tt\u003e request header from a list of name-value pairs without validating either field. An attacker who controls the cookie names or values passed to this function can inject \u003ctt\u003e;\u003c/tt\u003e, \u003ctt\u003e,\u003c/tt\u003e, CR, LF, or TAB characters into the serialized header. This enables two classes of attack: cookie smuggling within a single header (e.g. injecting \u003ctt\u003e; admin=1\u003c/tt\u003e to introduce a phantom cookie that the receiving server treats as authentic) and HTTP request header splitting (injecting CRLF to append arbitrary headers or smuggle a complete second request against a shared upstream proxy). The decoder side (\u003ctt\u003eparse_cookie_name/1\u003c/tt\u003e, \u003ctt\u003eparse_cookie_value/1\u003c/tt\u003e) and \u003ctt\u003esetcookie/3\u003c/tt\u003e already validate and reject these characters; the encoder alone is missing the check.\u003c/p\u003e\u003cp\u003eThis issue affects cowlib from 2.9.0.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027) vulnerability in ninenines cowlib allows HTTP request splitting and cookie smuggling via unvalidated cookie name and value fields.\n\ncow_cookie:cookie/1 in cowlib builds a client-side Cookie: request header from a list of name-value pairs without validating either field. An attacker who controls the cookie names or values passed to this function can inject ;, ,, CR, LF, or TAB characters into the serialized header. This enables two classes of attack: cookie smuggling within a single header (e.g. injecting \"; admin=1\" to introduce a phantom cookie that the receiving server treats as authentic) and HTTP request header splitting (injecting CRLF to append arbitrary headers or smuggle a complete second request against a shared upstream proxy). The decoder side (parse_cookie_name/1, parse_cookie_value/1) and setcookie/3 already validate and reject these characters; the encoder alone is missing the check.\n\nThis issue affects cowlib from 2.9.0."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-105",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-105 HTTP Request Splitting"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 2.1,
            "baseSeverity": "LOW",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-93",
              "description": "CWE-93 Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-12T04:26:34.206Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "related",
            "third-party-advisory"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-43969.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-43969"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/erlef/cowlib/commit/177953dd51540da11090666c1f007214127a1144"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Cookie Request Header Injection via Unvalidated Encoder in cow_cookie:cookie/1",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eValidate inputs into \u003ctt\u003ecow_cookie:cookie/1\u003c/tt\u003e to only include valid cookie name and value characters as defined in RFC 6265 Section 4.1.1 before passing them to the function.\u003c/p\u003e"
            }
          ],
          "value": "Validate inputs into cow_cookie:cookie/1 to only include valid cookie name and value characters as defined in RFC 6265 Section 4.1.1 before passing them to the function."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-43969",
    "datePublished": "2026-05-11T18:06:40.667Z",
    "dateReserved": "2026-05-04T18:23:25.573Z",
    "dateUpdated": "2026-05-12T04:26:34.206Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42793 (GCVE-0-2026-42793)

Vulnerability from cvelistv5 – Published: 2026-05-08 15:42 – Updated: 2026-05-09 12:41
Title
Atom table exhaustion via attacker-controlled GraphQL SDL names in absinthe
Summary
Allocation of Resources Without Limits or Throttling vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via atom table exhaustion when parsing attacker-controlled GraphQL SDL. Multiple Blueprint.Draft.convert/2 implementations in Absinthe's SDL language modules call String.to_atom/1 on attacker-controlled names from parsed GraphQL SDL documents, including directive names, field names, type names, and argument names. Because atoms are never garbage-collected and the BEAM atom table has a fixed limit (default 1,048,576), each unique name permanently consumes one slot. An attacker can exhaust the atom table by submitting SDL documents containing enough unique names, causing the Erlang VM to abort with system_limit and taking down the entire node. Any application that passes attacker-controlled GraphQL SDL through Absinthe's parser is exposed — for example, a schema-upload endpoint, a federation gateway that ingests remote SDL, or any developer tool that runs the parser over user-supplied documents. This issue affects absinthe: from 1.5.0 before 1.10.2.
CWE
  • CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
EEF
Impacted products
Vendor Product Version
absinthe-graphql absinthe Affected: 1.5.0 , < 1.10.2 (semver)
    cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*
absinthe-graphql absinthe Affected: d0eae7764520d4e8e5dfff619068c0de911aec33 , < dd842b938e3823f345c10416914ffab5d5536838 (git)
    cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*
Credits
Peter Ullrich Curtis Schiewek

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42793",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-08T16:09:01.643983Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-08T16:09:11.643Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.Absinthe.Language.DirectiveDefinition\u0027",
            "\u0027Elixir.Absinthe.Language.EnumTypeDefinition\u0027",
            "\u0027Elixir.Absinthe.Language.FieldDefinition\u0027",
            "\u0027Elixir.Absinthe.Language.InputObjectTypeDefinition\u0027",
            "\u0027Elixir.Absinthe.Language.InputValueDefinition\u0027",
            "\u0027Elixir.Absinthe.Language.InterfaceTypeDefinition\u0027",
            "\u0027Elixir.Absinthe.Language.ObjectTypeDefinition\u0027",
            "\u0027Elixir.Absinthe.Language.ScalarTypeDefinition\u0027",
            "\u0027Elixir.Absinthe.Language.UnionTypeDefinition\u0027"
          ],
          "packageName": "absinthe",
          "packageURL": "pkg:hex/absinthe",
          "product": "absinthe",
          "programFiles": [
            "lib/absinthe/language/directive_definition.ex",
            "lib/absinthe/language/enum_type_definition.ex",
            "lib/absinthe/language/field_definition.ex",
            "lib/absinthe/language/input_object_type_definition.ex",
            "lib/absinthe/language/input_value_definition.ex",
            "lib/absinthe/language/interface_type_definition.ex",
            "lib/absinthe/language/object_type_definition.ex",
            "lib/absinthe/language/scalar_type_definition.ex",
            "lib/absinthe/language/union_type_definition.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.DirectiveDefinition\u0027:convert/2"
            },
            {
              "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.EnumTypeDefinition\u0027:convert/2"
            },
            {
              "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.FieldDefinition\u0027:convert/2"
            },
            {
              "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InputObjectTypeDefinition\u0027:convert/2"
            },
            {
              "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InputValueDefinition\u0027:convert/2"
            },
            {
              "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InterfaceTypeDefinition\u0027:convert/2"
            },
            {
              "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.ObjectTypeDefinition\u0027:convert/2"
            },
            {
              "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.ScalarTypeDefinition\u0027:convert/2"
            },
            {
              "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.UnionTypeDefinition\u0027:convert/2"
            }
          ],
          "repo": "https://github.com/absinthe-graphql/absinthe",
          "vendor": "absinthe-graphql",
          "versions": [
            {
              "lessThan": "1.10.2",
              "status": "affected",
              "version": "1.5.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.Absinthe.Language.DirectiveDefinition\u0027",
            "\u0027Elixir.Absinthe.Language.EnumTypeDefinition\u0027",
            "\u0027Elixir.Absinthe.Language.FieldDefinition\u0027",
            "\u0027Elixir.Absinthe.Language.InputObjectTypeDefinition\u0027",
            "\u0027Elixir.Absinthe.Language.InputValueDefinition\u0027",
            "\u0027Elixir.Absinthe.Language.InterfaceTypeDefinition\u0027",
            "\u0027Elixir.Absinthe.Language.ObjectTypeDefinition\u0027",
            "\u0027Elixir.Absinthe.Language.ScalarTypeDefinition\u0027",
            "\u0027Elixir.Absinthe.Language.UnionTypeDefinition\u0027"
          ],
          "packageName": "absinthe-graphql/absinthe",
          "packageURL": "pkg:github/absinthe-graphql/absinthe",
          "product": "absinthe",
          "programFiles": [
            "lib/absinthe/language/directive_definition.ex",
            "lib/absinthe/language/enum_type_definition.ex",
            "lib/absinthe/language/field_definition.ex",
            "lib/absinthe/language/input_object_type_definition.ex",
            "lib/absinthe/language/input_value_definition.ex",
            "lib/absinthe/language/interface_type_definition.ex",
            "lib/absinthe/language/object_type_definition.ex",
            "lib/absinthe/language/scalar_type_definition.ex",
            "lib/absinthe/language/union_type_definition.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.DirectiveDefinition\u0027:convert/2"
            },
            {
              "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.EnumTypeDefinition\u0027:convert/2"
            },
            {
              "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.FieldDefinition\u0027:convert/2"
            },
            {
              "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InputObjectTypeDefinition\u0027:convert/2"
            },
            {
              "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InputValueDefinition\u0027:convert/2"
            },
            {
              "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.InterfaceTypeDefinition\u0027:convert/2"
            },
            {
              "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.ObjectTypeDefinition\u0027:convert/2"
            },
            {
              "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.ScalarTypeDefinition\u0027:convert/2"
            },
            {
              "name": "\u0027Elixir.Absinthe.Blueprint.Draft.Absinthe.Language.UnionTypeDefinition\u0027:convert/2"
            }
          ],
          "repo": "https://github.com/absinthe-graphql/absinthe",
          "vendor": "absinthe-graphql",
          "versions": [
            {
              "lessThan": "dd842b938e3823f345c10416914ffab5d5536838",
              "status": "affected",
              "version": "d0eae7764520d4e8e5dfff619068c0de911aec33",
              "versionType": "git"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.10.2",
                  "versionStartIncluding": "1.5.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "AND"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Peter Ullrich"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Curtis Schiewek"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Allocation of Resources Without Limits or Throttling vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via atom table exhaustion when parsing attacker-controlled GraphQL SDL.\u003cp\u003eMultiple \u003ctt\u003eBlueprint.Draft.convert/2\u003c/tt\u003e implementations in Absinthe\u0027s SDL language modules call \u003ctt\u003eString.to_atom/1\u003c/tt\u003e on attacker-controlled names from parsed GraphQL SDL documents, including directive names, field names, type names, and argument names. Because atoms are never garbage-collected and the BEAM atom table has a fixed limit (default 1,048,576), each unique name permanently consumes one slot. An attacker can exhaust the atom table by submitting SDL documents containing enough unique names, causing the Erlang VM to abort with \u003ctt\u003esystem_limit\u003c/tt\u003e and taking down the entire node.\u003c/p\u003e\u003cp\u003eAny application that passes attacker-controlled GraphQL SDL through Absinthe\u0027s parser is exposed \u2014 for example, a schema-upload endpoint, a federation gateway that ingests remote SDL, or any developer tool that runs the parser over user-supplied documents.\u003c/p\u003e\u003cp\u003eThis issue affects absinthe: from 1.5.0 before 1.10.2.\u003c/p\u003e"
            }
          ],
          "value": "Allocation of Resources Without Limits or Throttling vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via atom table exhaustion when parsing attacker-controlled GraphQL SDL.\n\nMultiple Blueprint.Draft.convert/2 implementations in Absinthe\u0027s SDL language modules call String.to_atom/1 on attacker-controlled names from parsed GraphQL SDL documents, including directive names, field names, type names, and argument names. Because atoms are never garbage-collected and the BEAM atom table has a fixed limit (default 1,048,576), each unique name permanently consumes one slot. An attacker can exhaust the atom table by submitting SDL documents containing enough unique names, causing the Erlang VM to abort with system_limit and taking down the entire node.\n\nAny application that passes attacker-controlled GraphQL SDL through Absinthe\u0027s parser is exposed \u2014 for example, a schema-upload endpoint, a federation gateway that ingests remote SDL, or any developer tool that runs the parser over user-supplied documents.\n\nThis issue affects absinthe: from 1.5.0 before 1.10.2."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-130",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-130 Excessive Allocation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-09T12:41:41.873Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/absinthe-graphql/absinthe/security/advisories/GHSA-qf4g-9fqq-mmm7"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-42793.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-42793"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/absinthe-graphql/absinthe/commit/dd842b938e3823f345c10416914ffab5d5536838"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Atom table exhaustion via attacker-controlled GraphQL SDL names in absinthe",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-42793",
    "datePublished": "2026-05-08T15:42:46.101Z",
    "dateReserved": "2026-04-29T18:06:33.251Z",
    "dateUpdated": "2026-05-09T12:41:41.873Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42794 (GCVE-0-2026-42794)

Vulnerability from cvelistv5 – Published: 2026-05-08 15:42 – Updated: 2026-05-16 10:21
Title
Reflected XSS via backslash bypass in GraphiQL js_escape in absinthe_plug
Summary
Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in absinthe-graphql absinthe_plug allows reflected cross-site scripting via the GraphiQL interface. 'Elixir.Absinthe.Plug.GraphiQL':js_escape/1 in lib/absinthe/plug/graphiql.ex escapes single quotes and newlines in the query GET parameter before embedding it in an inline JavaScript string, but does not escape backslashes. Because the backslash itself is left unescaped, an attacker can neutralize the escaping by prefixing a quote with a backslash (e.g. \'), breaking out of the string context and executing arbitrary JavaScript in the victim's browser. Exposure requires that the application mount Absinthe.Plug.GraphiQL on a route reachable by untrusted users; GraphiQL is a developer tool that is typically disabled or restricted in production deployments. This issue affects absinthe_plug: from 1.2.0 before 1.5.10.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
EEF
Impacted products
Vendor Product Version
absinthe-graphql absinthe_plug Affected: 1.2.0 , < 1.5.10 (semver)
    cpe:2.3:a:absinthe-graphql:absinthe_plug:*:*:*:*:*:*:*:*
absinthe-graphql absinthe_plug Affected: 26241817cb4b9be4de3f5972c5fba3d36de3d713 , < 23a0d5658d32420086711adf4ce8f05febb09963 (git)
    cpe:2.3:a:absinthe-graphql:absinthe_plug:*:*:*:*:*:*:*:*
Credits
40826d (finder), Bryan A. Enders (finder), Leandro Moreno (remediation developer), Ben Wilson (remediation reviewer)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42794",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-08T16:07:51.313563Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-08T16:08:26.818Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/absinthe-graphql/absinthe_plug/issues/275"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:absinthe-graphql:absinthe_plug:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.Absinthe.Plug.GraphiQL\u0027"
          ],
          "packageName": "absinthe_plug",
          "packageURL": "pkg:hex/absinthe_plug",
          "product": "absinthe_plug",
          "programFiles": [
            "lib/absinthe/plug/graphiql.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.Absinthe.Plug.GraphiQL\u0027:js_escape/1"
            }
          ],
          "repo": "https://github.com/absinthe-graphql/absinthe_plug",
          "vendor": "absinthe-graphql",
          "versions": [
            {
              "lessThan": "1.5.10",
              "status": "affected",
              "version": "1.2.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:absinthe-graphql:absinthe_plug:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.Absinthe.Plug.GraphiQL\u0027"
          ],
          "packageName": "absinthe-graphql/absinthe_plug",
          "packageURL": "pkg:github/absinthe-graphql/absinthe_plug",
          "product": "absinthe_plug",
          "programFiles": [
            "lib/absinthe/plug/graphiql.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.Absinthe.Plug.GraphiQL\u0027:js_escape/1"
            }
          ],
          "repo": "https://github.com/absinthe-graphql/absinthe_plug",
          "vendor": "absinthe-graphql",
          "versions": [
            {
              "lessThan": "23a0d5658d32420086711adf4ce8f05febb09963",
              "status": "affected",
              "version": "26241817cb4b9be4de3f5972c5fba3d36de3d713",
              "versionType": "git"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The application must mount \u003ctt\u003eAbsinthe.Plug.GraphiQL\u003c/tt\u003e on a route that is reachable by untrusted users. The GraphiQL interface is a developer tool and is typically disabled or restricted in production deployments."
            }
          ],
          "value": "The application must mount Absinthe.Plug.GraphiQL on a route that is reachable by untrusted users. The GraphiQL interface is a developer tool and is typically disabled or restricted in production deployments."
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:absinthe-graphql:absinthe_plug:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.5.10",
                  "versionStartIncluding": "1.2.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "AND"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "40826d"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Bryan A. Enders"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Leandro Moreno"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "Ben Wilson"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in absinthe-graphql absinthe_plug allows reflected cross-site scripting via the GraphiQL interface.\u003cp\u003e\u003ctt\u003e\u0027Elixir.Absinthe.Plug.GraphiQL\u0027:js_escape/1\u003c/tt\u003e in \u003ctt\u003elib/absinthe/plug/graphiql.ex\u003c/tt\u003e escapes single quotes and newlines in the \u003ctt\u003equery\u003c/tt\u003e GET parameter before embedding it in an inline JavaScript string, but does not escape backslashes. An attacker can bypass the escaping by prefixing a quote with a backslash (e.g. \u003ctt\u003e\\\u0027\u003c/tt\u003e), breaking out of the string context and executing arbitrary JavaScript in the victim\u0027s browser.\u003c/p\u003e\u003cp\u003eThis issue affects absinthe_plug: from 1.2.0 before 1.5.10.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in absinthe-graphql absinthe_plug allows reflected cross-site scripting via the GraphiQL interface.\n\n\u0027Elixir.Absinthe.Plug.GraphiQL\u0027:js_escape/1 in lib/absinthe/plug/graphiql.ex escapes single quotes and newlines in the query GET parameter before embedding it in an inline JavaScript string, but does not escape backslashes. An attacker can bypass the escaping by prefixing a quote with a backslash (e.g. \\\u0027), breaking out of the string context and executing arbitrary JavaScript in the victim\u0027s browser.\n\nThis issue affects absinthe_plug: from 1.2.0 before 1.5.10."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-86",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-86 XSS Using HTTP Query Strings"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 2.3,
            "baseSeverity": "LOW",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-16T10:21:31.067Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/absinthe-graphql/absinthe_plug/issues/275"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-42794.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-42794"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/absinthe-graphql/absinthe_plug/commit/23a0d5658d32420086711adf4ce8f05febb09963"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Reflected XSS via backslash bypass in GraphiQL js_escape in absinthe_plug",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-42794",
    "datePublished": "2026-05-08T15:42:40.706Z",
    "dateReserved": "2026-04-29T18:06:33.251Z",
    "dateUpdated": "2026-05-16T10:21:31.067Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-43967 (GCVE-0-2026-43967)

Vulnerability from cvelistv5 – Published: 2026-05-08 15:42 – Updated: 2026-05-09 04:18
Title
Quadratic fragment-name uniqueness check causes denial of service in absinthe
Summary
Inefficient Algorithmic Complexity vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via quadratic fragment-name uniqueness validation. 'Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames':run/2 iterates over all fragments and for each one calls duplicate?/2, which evaluates Enum.count(fragments, &(&1.name == name)) — a full linear scan of the fragment list. The result is O(N²) comparisons per document, where N is the number of fragment definitions supplied by the caller. Because input.fragments is built directly from the GraphQL query body, N is fully attacker-controlled. A minimum-size fragment definition is roughly 16 bytes, so a ~1 MB document carries ~60,000 fragments and forces ~3.6 × 10⁹ comparisons inside this single validation phase. No authentication, schema knowledge, or special configuration is required. This issue affects absinthe: from 1.2.0 before 1.10.2.
CWE
  • CWE-407 - Inefficient Algorithmic Complexity
Assigner
EEF
Impacted products
Vendor Product Version
absinthe-graphql absinthe Affected: 1.2.0 , < 1.10.2 (semver)
    cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*
absinthe-graphql absinthe Affected: 0b46e3bcc06c0d3797bacd64761b908a84646c1d , < 223600c520493dcaf95080af552c413099f92c9d (git)
    cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*
Credits
Peter Ullrich (finder), Curtis Schiewek (remediation developer)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-43967",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-08T16:07:01.053904Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-08T16:07:10.322Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027"
          ],
          "packageName": "absinthe",
          "packageURL": "pkg:hex/absinthe",
          "product": "absinthe",
          "programFiles": [
            "lib/absinthe/phase/document/validation/unique_fragment_names.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027:run/2"
            },
            {
              "name": "\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027:duplicate?/2"
            }
          ],
          "repo": "https://github.com/absinthe-graphql/absinthe",
          "vendor": "absinthe-graphql",
          "versions": [
            {
              "lessThan": "1.10.2",
              "status": "affected",
              "version": "1.2.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027"
          ],
          "packageName": "absinthe-graphql/absinthe",
          "packageURL": "pkg:github/absinthe-graphql/absinthe",
          "product": "absinthe",
          "programFiles": [
            "lib/absinthe/phase/document/validation/unique_fragment_names.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027:run/2"
            },
            {
              "name": "\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027:duplicate?/2"
            }
          ],
          "repo": "https://github.com/absinthe-graphql/absinthe",
          "vendor": "absinthe-graphql",
          "versions": [
            {
              "lessThan": "223600c520493dcaf95080af552c413099f92c9d",
              "status": "affected",
              "version": "0b46e3bcc06c0d3797bacd64761b908a84646c1d",
              "versionType": "git"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.10.2",
                  "versionStartIncluding": "1.2.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "AND"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Peter Ullrich"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Curtis Schiewek"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Inefficient Algorithmic Complexity vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via quadratic fragment-name uniqueness validation.\u003cp\u003e\u003ctt\u003e\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027:run/2\u003c/tt\u003e iterates over all fragments and for each one calls \u003ctt\u003eduplicate?/2\u003c/tt\u003e, which evaluates \u003ctt\u003eEnum.count(fragments, \u0026amp;(\u0026amp;1.name == name))\u003c/tt\u003e \u2014 a full linear scan of the fragment list. The result is O(N\u00b2) comparisons per document, where N is the number of fragment definitions supplied by the caller.\u003c/p\u003e\u003cp\u003eBecause \u003ctt\u003einput.fragments\u003c/tt\u003e is built directly from the GraphQL query body, N is fully attacker-controlled. A minimum-size fragment definition is roughly 16 bytes, so a ~1 MB document carries ~60,000 fragments and forces ~3.6 \u00d7 10\u2079 comparisons inside this single validation phase. No authentication, schema knowledge, or special configuration is required.\u003c/p\u003e\u003cp\u003eThis issue affects absinthe: from 1.2.0 before 1.10.2.\u003c/p\u003e"
            }
          ],
          "value": "Inefficient Algorithmic Complexity vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via quadratic fragment-name uniqueness validation.\n\n\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027:run/2 iterates over all fragments and for each one calls duplicate?/2, which evaluates Enum.count(fragments, \u0026(\u00261.name == name)) \u2014 a full linear scan of the fragment list. The result is O(N\u00b2) comparisons per document, where N is the number of fragment definitions supplied by the caller.\n\nBecause input.fragments is built directly from the GraphQL query body, N is fully attacker-controlled. A minimum-size fragment definition is roughly 16 bytes, so a ~1 MB document carries ~60,000 fragments and forces ~3.6 \u00d7 10\u2079 comparisons inside this single validation phase. No authentication, schema knowledge, or special configuration is required.\n\nThis issue affects absinthe: from 1.2.0 before 1.10.2."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-229",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-229 Serialized Data Parameter Blowup"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-407",
              "description": "CWE-407 Inefficient Algorithmic Complexity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-09T04:18:14.810Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/absinthe-graphql/absinthe/security/advisories/GHSA-9mhv-8h52-q7q2"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-43967.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-43967"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/absinthe-graphql/absinthe/commit/223600c520493dcaf95080af552c413099f92c9d"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Quadratic fragment-name uniqueness check causes denial of service in absinthe",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-43967",
    "datePublished": "2026-05-08T15:42:34.347Z",
    "dateReserved": "2026-05-04T18:23:25.573Z",
    "dateUpdated": "2026-05-09T04:18:14.810Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-32686 (GCVE-0-2026-32686)

Vulnerability from cvelistv5 – Published: 2026-05-07 14:04 – Updated: 2026-05-26 19:46
Title
Unbounded exponent in decimal enables unauthenticated DoS
Summary
Uncontrolled Resource Consumption vulnerability in ericmj decimal allows unauthenticated remote Denial of Service. The decimal library does not bound the exponent on parsed input. Storing a decimal with a very large exponent (e.g. Decimal.new("1e1000000000")) is accepted without error. Subsequent calls to arithmetic functions (Decimal.add/2, Decimal.sub/2, Decimal.div/2), Decimal.to_string/2 with :normal or :xsd format, Decimal.to_integer/1, Decimal.round/3, or Decimal.compare/3 with a threshold allocate memory proportional to the exponent value, which can exhaust available memory and crash the BEAM VM. Any application that accepts user-supplied decimal input and subsequently performs arithmetic, rounding, conversion to integer, or string formatting on it is exposed. A single malicious request is sufficient to cause an out-of-memory crash. This issue affects decimal: from 0.1.0 before 3.0.0.
CWE
  • CWE-400 - Uncontrolled Resource Consumption
Assigner
EEF
Impacted products
Vendor Product Version
ericmj decimal Affected: 0.1.0 , < 3.0.0 (semver)
    cpe:2.3:a:ericmj:decimal:*:*:*:*:*:*:*:*
ericmj decimal Affected: bc11f4a2b6fb61fc1360a0ab4e79141bba918841 , < 6a523f3a73b8c9974540e21c7aa88f1258bb35ae (git)
    cpe:2.3:a:ericmj:decimal:*:*:*:*:*:*:*:*
Credits
Peter Ullrich Eric Meadows-Jönsson José Valim Wojtek Mach Jonatan Männchen ruslandoga Matthew Johnston

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-32686",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-08T22:42:13.343081Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-08T22:43:03.396Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/ericmj/decimal/security/advisories/GHSA-rhv4-8758-jx7v"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:ericmj:decimal:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "affected",
          "modules": [
            "\u0027Elixir.Decimal\u0027"
          ],
          "packageName": "decimal",
          "packageURL": "pkg:hex/decimal",
          "product": "decimal",
          "programFiles": [
            "lib/decimal.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.Decimal\u0027:new/1"
            },
            {
              "name": "\u0027Elixir.Decimal\u0027:parse/1"
            },
            {
              "name": "\u0027Elixir.Decimal\u0027:cast/1"
            },
            {
              "name": "\u0027Elixir.Decimal\u0027:add/2"
            },
            {
              "name": "\u0027Elixir.Decimal\u0027:sub/2"
            },
            {
              "name": "\u0027Elixir.Decimal\u0027:div/2"
            },
            {
              "name": "\u0027Elixir.Decimal\u0027:to_string/2"
            },
            {
              "name": "\u0027Elixir.Decimal\u0027:to_integer/1"
            },
            {
              "name": "\u0027Elixir.Decimal\u0027:round/3"
            },
            {
              "name": "\u0027Elixir.Decimal\u0027:compare/3"
            }
          ],
          "repo": "https://github.com/ericmj/decimal",
          "vendor": "ericmj",
          "versions": [
            {
              "lessThan": "3.0.0",
              "status": "affected",
              "version": "0.1.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:ericmj:decimal:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "affected",
          "modules": [
            "\u0027Elixir.Decimal\u0027"
          ],
          "packageName": "ericmj/decimal",
          "packageURL": "pkg:github/ericmj/decimal",
          "product": "decimal",
          "programFiles": [
            "lib/decimal.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.Decimal\u0027:new/1"
            },
            {
              "name": "\u0027Elixir.Decimal\u0027:parse/1"
            },
            {
              "name": "\u0027Elixir.Decimal\u0027:cast/1"
            },
            {
              "name": "\u0027Elixir.Decimal\u0027:add/2"
            },
            {
              "name": "\u0027Elixir.Decimal\u0027:sub/2"
            },
            {
              "name": "\u0027Elixir.Decimal\u0027:div/2"
            },
            {
              "name": "\u0027Elixir.Decimal\u0027:to_string/2"
            },
            {
              "name": "\u0027Elixir.Decimal\u0027:to_integer/1"
            },
            {
              "name": "\u0027Elixir.Decimal\u0027:round/3"
            },
            {
              "name": "\u0027Elixir.Decimal\u0027:compare/3"
            }
          ],
          "repo": "https://github.com/ericmj/decimal",
          "vendor": "ericmj",
          "versions": [
            {
              "lessThan": "6a523f3a73b8c9974540e21c7aa88f1258bb35ae",
              "status": "affected",
              "version": "bc11f4a2b6fb61fc1360a0ab4e79141bba918841",
              "versionType": "git"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:ericmj:decimal:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "3.0.0",
                  "versionStartIncluding": "0.1.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "AND"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Peter Ullrich"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Eric Meadows-J\u00f6nsson"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "Jos\u00e9 Valim"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "Wojtek Mach"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Jonatan M\u00e4nnchen"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "ruslandoga"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "Matthew Johnston"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Uncontrolled Resource Consumption vulnerability in ericmj decimal allows unauthenticated remote Denial of Service.\u003cp\u003eThe \u003ctt\u003edecimal\u003c/tt\u003e library does not bound the exponent on parsed input. Storing a decimal with a very large exponent (e.g. \u003ctt\u003eDecimal.new(\"1e1000000000\")\u003c/tt\u003e) is accepted without error. Subsequent calls to arithmetic functions (\u003ctt\u003eDecimal.add/2\u003c/tt\u003e, \u003ctt\u003eDecimal.sub/2\u003c/tt\u003e, \u003ctt\u003eDecimal.div/2\u003c/tt\u003e), \u003ctt\u003eDecimal.to_string/2\u003c/tt\u003e with \u003ctt\u003e:normal\u003c/tt\u003e or \u003ctt\u003e:xsd\u003c/tt\u003e format, \u003ctt\u003eDecimal.to_integer/1\u003c/tt\u003e, \u003ctt\u003eDecimal.round/3\u003c/tt\u003e, or \u003ctt\u003eDecimal.compare/3\u003c/tt\u003e with a threshold allocate memory proportional to the exponent value, which can exhaust available memory and crash the BEAM VM.\u003c/p\u003e\u003cp\u003eAny application that accepts user-supplied decimal input and subsequently performs arithmetic, rounding, conversion to integer, or string formatting on it is exposed. A single malicious request is sufficient to cause an out-of-memory crash.\u003c/p\u003e\u003cp\u003eThis issue affects decimal: from 0.1.0 before 3.0.0.\u003c/p\u003e"
            }
          ],
          "value": "Uncontrolled Resource Consumption vulnerability in ericmj decimal allows unauthenticated remote Denial of Service.\n\nThe decimal library does not bound the exponent on parsed input. Storing a decimal with a very large exponent (e.g. Decimal.new(\"1e1000000000\")) is accepted without error. Subsequent calls to arithmetic functions (Decimal.add/2, Decimal.sub/2, Decimal.div/2), Decimal.to_string/2 with :normal or :xsd format, Decimal.to_integer/1, Decimal.round/3, or Decimal.compare/3 with a threshold allocate memory proportional to the exponent value, which can exhaust available memory and crash the BEAM VM.\n\nAny application that accepts user-supplied decimal input and subsequently performs arithmetic, rounding, conversion to integer, or string formatting on it is exposed. A single malicious request is sufficient to cause an out-of-memory crash.\n\nThis issue affects decimal: from 0.1.0 before 3.0.0."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-130",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-130 Excessive Allocation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400 Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-26T19:46:40.926Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/ericmj/decimal/security/advisories/GHSA-rhv4-8758-jx7v"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-32686.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-32686"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/ericmj/decimal/commit/6a523f3a73b8c9974540e21c7aa88f1258bb35ae"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Unbounded exponent in decimal enables unauthenticated DoS",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-32686",
    "datePublished": "2026-05-07T14:04:47.222Z",
    "dateReserved": "2026-03-13T09:12:14.474Z",
    "dateUpdated": "2026-05-26T19:46:40.926Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-32689 (GCVE-0-2026-32689)

Vulnerability from cvelistv5 – Published: 2026-05-05 15:17 – Updated: 2026-05-07 04:25
Title
Long-poll NDJSON body splitting causes unbounded memory allocation in Phoenix
Summary
Allocation of Resources Without Limits or Throttling vulnerability in phoenixframework phoenix allows a denial of service via the long-poll transport's NDJSON body handling. In 'Elixir.Phoenix.Transports.LongPoll':publish/4, when a POST request is received with Content-Type: application/x-ndjson, the request body is split on newline characters using String.split/2 with no limit on the number of resulting segments. An attacker can send a body consisting entirely of newline bytes, causing a 1:1 amplification into a list of empty binaries — a 1 MB body produces approximately one million list elements, an 8 MB body approximately 8.4 million. Each element is then walked by Enum.map, materializing another list of the same size. This exhausts BEAM memory and schedulers, crashing the node and terminating all active sessions. A session token required to reach the vulnerable endpoint is freely obtainable by any client via an unauthenticated GET request to the same URL with a matching Origin header, making this attack effectively unauthenticated. The vulnerable code path is only reachable when a Phoenix.Socket has the longpoll transport enabled; Phoenix LiveView applications enable it by default via the /live socket. This issue affects phoenix: from 1.7.0 before 1.7.22, and from 1.8.0 before 1.8.6.
CWE
  • CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
EEF
Impacted products
Vendor Product Version
phoenixframework phoenix Affected: 1.7.0 , < 1.7.22 (semver)
Affected: 1.8.0 , < 1.8.6 (semver)
    cpe:2.3:a:phoenixframework:phoenix:*:*:*:*:*:*:*:*
phoenixframework phoenix Affected: 2674c6ea30634667f9b09966b90269393b445953 , < * (git)
    cpe:2.3:a:phoenixframework:phoenix:*:*:*:*:*:*:*:*
Credits
Peter Ullrich

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-32689",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-05T18:37:12.444769Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-06T15:25:17.607Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:phoenixframework:phoenix:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.Phoenix.Transports.LongPoll\u0027"
          ],
          "packageName": "phoenix",
          "packageURL": "pkg:hex/phoenix",
          "product": "phoenix",
          "programFiles": [
            "lib/phoenix/transports/long_poll.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.Phoenix.Transports.LongPoll\u0027:publish/4"
            }
          ],
          "repo": "https://github.com/phoenixframework/phoenix",
          "vendor": "phoenixframework",
          "versions": [
            {
              "lessThan": "1.7.22",
              "status": "affected",
              "version": "1.7.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.8.6",
              "status": "affected",
              "version": "1.8.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:phoenixframework:phoenix:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.Phoenix.Transports.LongPoll\u0027"
          ],
          "packageName": "phoenixframework/phoenix",
          "packageURL": "pkg:github/phoenixframework/phoenix",
          "product": "phoenix",
          "programFiles": [
            "lib/phoenix/transports/long_poll.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.Phoenix.Transports.LongPoll\u0027:publish/4"
            }
          ],
          "repo": "https://github.com/phoenixframework/phoenix",
          "vendor": "phoenixframework",
          "versions": [
            {
              "changes": [
                {
                  "at": "1a67c61ff9ce0a7711662ac7354861917a7c80f7",
                  "status": "unaffected"
                },
                {
                  "at": "912ea181fd247c21dbcc49fb97d0053b947d81bf",
                  "status": "unaffected"
                }
              ],
              "lessThan": "*",
              "status": "affected",
              "version": "2674c6ea30634667f9b09966b90269393b445953",
              "versionType": "git"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A \u003ctt\u003ePhoenix.Socket\u003c/tt\u003e must be configured with the \u003ctt\u003elongpoll\u003c/tt\u003e option enabled. Phoenix LiveView applications enable the longpoll transport by default via the \u003ctt\u003e/live\u003c/tt\u003e socket."
            }
          ],
          "value": "A Phoenix.Socket must be configured with the longpoll option enabled. Phoenix LiveView applications enable the longpoll transport by default via the /live socket."
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:phoenixframework:phoenix:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.7.22",
                  "versionStartIncluding": "1.7.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:phoenixframework:phoenix:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.8.6",
                  "versionStartIncluding": "1.8.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "AND"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Peter Ullrich"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Allocation of Resources Without Limits or Throttling vulnerability in phoenixframework phoenix allows a denial of service via the long-poll transport\u0027s NDJSON body handling.\u003cp\u003eIn \u003ctt\u003e\u0027Elixir.Phoenix.Transports.LongPoll\u0027:publish/4\u003c/tt\u003e, when a POST request is received with \u003ctt\u003eContent-Type: application/x-ndjson\u003c/tt\u003e, the request body is split on newline characters using \u003ctt\u003eString.split/2\u003c/tt\u003e with no limit on the number of resulting segments. An attacker can send a body consisting entirely of newline bytes, causing a 1:1 amplification into a list of empty binaries \u2014 a 1 MB body produces approximately one million list elements, an 8 MB body approximately 8.4 million. Each element is then walked by \u003ctt\u003eEnum.map\u003c/tt\u003e, materializing another list of the same size. This exhausts BEAM memory and schedulers, crashing the node and terminating all active sessions.\u003c/p\u003e\u003cp\u003eA session token required to reach the vulnerable endpoint is freely obtainable by any client via an unauthenticated GET request to the same URL with a matching \u003ctt\u003eOrigin\u003c/tt\u003e header, making this attack effectively unauthenticated.\u003c/p\u003e\u003cp\u003eThis issue affects phoenix: from 1.7.0 before 1.7.22 and 1.8.6.\u003c/p\u003e"
            }
          ],
          "value": "Allocation of Resources Without Limits or Throttling vulnerability in phoenixframework phoenix allows a denial of service via the long-poll transport\u0027s NDJSON body handling.\n\nIn \u0027Elixir.Phoenix.Transports.LongPoll\u0027:publish/4, when a POST request is received with Content-Type: application/x-ndjson, the request body is split on newline characters using String.split/2 with no limit on the number of resulting segments. An attacker can send a body consisting entirely of newline bytes, causing a 1:1 amplification into a list of empty binaries \u2014 a 1 MB body produces approximately one million list elements, an 8 MB body approximately 8.4 million. Each element is then walked by Enum.map, materializing another list of the same size. This exhausts BEAM memory and schedulers, crashing the node and terminating all active sessions.\n\nA session token required to reach the vulnerable endpoint is freely obtainable by any client via an unauthenticated GET request to the same URL with a matching Origin header, making this attack effectively unauthenticated.\n\nThis issue affects phoenix: from 1.7.0 before 1.7.22 and 1.8.6."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-130",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-130 Excessive Allocation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-07T04:25:07.013Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/phoenixframework/phoenix/security/advisories/GHSA-628h-q48j-jr6q"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-32689.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-32689"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/phoenixframework/phoenix/commit/1a67c61ff9ce0a7711662ac7354861917a7c80f7"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/phoenixframework/phoenix/commit/912ea181fd247c21dbcc49fb97d0053b947d81bf"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Long-poll NDJSON body splitting causes unbounded memory allocation in Phoenix",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Disable the longpoll transport on all \u003ctt\u003ePhoenix.Socket\u003c/tt\u003e declarations, including the LiveView \u003ctt\u003e/live\u003c/tt\u003e socket, by removing or setting \u003ctt\u003elongpoll: false\u003c/tt\u003e. Note that this prevents clients that cannot use WebSockets from connecting."
            }
          ],
          "value": "Disable the longpoll transport on all Phoenix.Socket declarations, including the LiveView /live socket, by removing or setting longpoll: false. Note that this prevents clients that cannot use WebSockets from connecting."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-32689",
    "datePublished": "2026-05-05T15:17:30.664Z",
    "dateReserved": "2026-03-13T09:12:14.475Z",
    "dateUpdated": "2026-05-07T04:25:07.013Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-39805 (GCVE-0-2026-39805)

Vulnerability from cvelistv5 – Published: 2026-05-01 20:34 – Updated: 2026-05-04 17:11
Title
CL.CL HTTP request smuggling via duplicate Content-Length in bandit
Summary
Inconsistent Interpretation of HTTP Requests vulnerability in mtrudel bandit allows HTTP request smuggling via duplicate Content-Length headers. 'Elixir.Bandit.Headers':get_content_length/1 in lib/bandit/headers.ex uses List.keyfind/3, which returns only the first matching header. When a request contains two Content-Length headers with different values, Bandit silently accepts it, uses the first value to read the body, and dispatches the remaining bytes as a second pipelined request on the same keep-alive connection. RFC 9112 §6.3 requires recipients to treat this as an unrecoverable framing error. When Bandit sits behind a proxy that picks the last Content-Length value and forwards the request rather than rejecting it, an unauthenticated attacker can smuggle requests past edge WAF rules, path-based ACLs, rate limiting, and audit logging. This issue affects bandit: before 1.11.0.
CWE
  • CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Assigner
EEF
Impacted products
Vendor Product Version
mtrudel bandit Affected: 0 , < 1.11.0 (semver)
    cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*
mtrudel bandit Affected: 0 , < f2ca636eb6df385219957e8934e9fc6efa1630d1 (git)
    cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*
Credits
Peter Ullrich Mat Trudel Jonatan Männchen

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-39805",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-02T01:20:49.825555Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-02T01:21:12.460Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/mtrudel/bandit/security/advisories/GHSA-c67r-gc9j-2qf7"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.Bandit.Headers\u0027"
          ],
          "packageName": "bandit",
          "packageURL": "pkg:hex/bandit",
          "product": "bandit",
          "programFiles": [
            "lib/bandit/headers.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.Bandit.Headers\u0027:get_content_length/1"
            }
          ],
          "repo": "https://github.com/mtrudel/bandit",
          "vendor": "mtrudel",
          "versions": [
            {
              "lessThan": "1.11.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.Bandit.Headers\u0027"
          ],
          "packageName": "mtrudel/bandit",
          "packageURL": "pkg:github/mtrudel/bandit",
          "product": "bandit",
          "programFiles": [
            "lib/bandit/headers.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.Bandit.Headers\u0027:get_content_length/1"
            }
          ],
          "repo": "https://github.com/mtrudel/bandit",
          "vendor": "mtrudel",
          "versions": [
            {
              "lessThan": "f2ca636eb6df385219957e8934e9fc6efa1630d1",
              "status": "affected",
              "version": "0",
              "versionType": "git"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.11.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "AND"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Peter Ullrich"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Mat Trudel"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Jonatan M\u00e4nnchen"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Inconsistent Interpretation of HTTP Requests vulnerability in mtrudel bandit allows HTTP request smuggling via duplicate \u003ctt\u003eContent-Length\u003c/tt\u003e headers.\u003cp\u003e\u003ctt\u003e\u0027Elixir.Bandit.Headers\u0027:get_content_length/1\u003c/tt\u003e in \u003ctt\u003elib/bandit/headers.ex\u003c/tt\u003e uses \u003ctt\u003eList.keyfind/3\u003c/tt\u003e, which returns only the first matching header. When a request contains two \u003ctt\u003eContent-Length\u003c/tt\u003e headers with different values, Bandit silently accepts it, uses the first value to read the body, and dispatches the remaining bytes as a second pipelined request on the same keep-alive connection. RFC 9112 \u00a76.3 requires recipients to treat this as an unrecoverable framing error.\u003c/p\u003e\u003cp\u003eWhen Bandit sits behind a proxy that picks the last \u003ctt\u003eContent-Length\u003c/tt\u003e value and forwards the request rather than rejecting it, an unauthenticated attacker can smuggle requests past edge WAF rules, path-based ACLs, rate limiting, and audit logging.\u003c/p\u003e\u003cp\u003eThis issue affects bandit: before 1.11.0.\u003c/p\u003e"
            }
          ],
          "value": "Inconsistent Interpretation of HTTP Requests vulnerability in mtrudel bandit allows HTTP request smuggling via duplicate Content-Length headers.\n\n\u0027Elixir.Bandit.Headers\u0027:get_content_length/1 in lib/bandit/headers.ex uses List.keyfind/3, which returns only the first matching header. When a request contains two Content-Length headers with different values, Bandit silently accepts it, uses the first value to read the body, and dispatches the remaining bytes as a second pipelined request on the same keep-alive connection. RFC 9112 \u00a76.3 requires recipients to treat this as an unrecoverable framing error.\n\nWhen Bandit sits behind a proxy that picks the last Content-Length value and forwards the request rather than rejecting it, an unauthenticated attacker can smuggle requests past edge WAF rules, path-based ACLs, rate limiting, and audit logging.\n\nThis issue affects bandit: before 1.11.0."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-33",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-33 HTTP Request Smuggling"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-444",
              "description": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-04T17:11:40.573Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/mtrudel/bandit/security/advisories/GHSA-c67r-gc9j-2qf7"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-39805.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-39805"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/mtrudel/bandit/commit/f2ca636eb6df385219957e8934e9fc6efa1630d1"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "CL.CL HTTP request smuggling via duplicate Content-Length in bandit",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-39805",
    "datePublished": "2026-05-01T20:34:29.400Z",
    "dateReserved": "2026-04-07T12:28:54.916Z",
    "dateUpdated": "2026-05-04T17:11:40.573Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}