Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
123 vulnerabilities
CVE-2026-56813 (GCVE-0-2026-56813)
Vulnerability from cvelistv5 – Published: 2026-07-10 12:51 – Updated: 2026-07-10 14:45
VLAI
EPSS
VEX
Title
Cookie attribute injection in Plug.Conn.Cookies.encode/2
Summary
Improper Neutralization of Parameter/Argument Delimiters vulnerability in elixir-plug plug allows an attacker to inject or override HTTP cookie attributes.
The Plug.Conn.Cookies.encode/2 function in lib/plug/conn/cookies.ex builds the Set-Cookie response header by interpolating the cookie value and its path, domain, same_site, and extra attributes directly into the header without neutralizing the ';' delimiter that separates cookie attributes.
An application that places attacker-controlled data into a cookie value or attribute (for example via Plug.Conn.put_resp_cookie/4 when reflecting a username or preference) lets an attacker inject a ';' to append or override cookie attributes (such as Domain and Path scope, or dropping the Secure and HttpOnly flags), enabling cookie tossing and session fixation. Carriage return, line feed, and null bytes are rejected by Plug.Conn header validation, so HTTP response splitting is not possible, but attribute injection through ';' is not prevented.
This issue affects plug: from 0.1.0 before 1.16.6, from 1.17.0 before 1.17.4, from 1.18.0 before 1.18.5, from 1.19.0 before 1.19.5, from 1.20.0 before 1.20.3.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-141 - Improper Neutralization of Parameter/Argument Delimiters
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/elixir-plug/plug/security/advi… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-56813.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-56813 | related |
| https://github.com/elixir-plug/plug/commit/c65758… | patch |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| elixir-plug | plug |
Affected:
0.1.0 , < 1.16.6
(semver)
Affected: 1.17.0 , < 1.17.4 (semver) Affected: 1.18.0 , < 1.18.5 (semver) Affected: 1.19.0 , < 1.19.5 (semver) Affected: 1.20.0 , < 1.20.3 (semver) cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:* |
|
| elixir-plug | plug |
Affected:
f26876aa67aaeb38e616638aa3efbcc2fe2906a5 , < *
(git)
cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-56813",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-10T14:43:36.298825Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T14:43:45.849Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Plug.Conn.Cookies\u0027",
"\u0027Elixir.Plug.Conn\u0027"
],
"packageName": "plug",
"packageURL": "pkg:hex/plug",
"product": "plug",
"programFiles": [
"lib/plug/conn/cookies.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Plug.Conn.Cookies\u0027:encode/2"
},
{
"name": "\u0027Elixir.Plug.Conn\u0027:put_resp_cookie/4"
}
],
"repo": "https://github.com/elixir-plug/plug",
"vendor": "elixir-plug",
"versions": [
{
"lessThan": "1.16.6",
"status": "affected",
"version": "0.1.0",
"versionType": "semver"
},
{
"lessThan": "1.17.4",
"status": "affected",
"version": "1.17.0",
"versionType": "semver"
},
{
"lessThan": "1.18.5",
"status": "affected",
"version": "1.18.0",
"versionType": "semver"
},
{
"lessThan": "1.19.5",
"status": "affected",
"version": "1.19.0",
"versionType": "semver"
},
{
"lessThan": "1.20.3",
"status": "affected",
"version": "1.20.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Plug.Conn.Cookies\u0027",
"\u0027Elixir.Plug.Conn\u0027"
],
"packageName": "elixir-plug/plug",
"packageURL": "pkg:github/elixir-plug/plug",
"product": "plug",
"programFiles": [
"lib/plug/conn/cookies.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Plug.Conn.Cookies\u0027:encode/2"
},
{
"name": "\u0027Elixir.Plug.Conn\u0027:put_resp_cookie/4"
}
],
"repo": "https://github.com/elixir-plug/plug",
"vendor": "elixir-plug",
"versions": [
{
"changes": [
{
"at": "3f00dfad4e20ba88472e315c90a25742bf178f8e",
"status": "unaffected"
},
{
"at": "a6d1248659022749869963fd302687165ecf8c8b",
"status": "unaffected"
},
{
"at": "4167981747fe9ce75f374b94a28861ae950ea992",
"status": "unaffected"
},
{
"at": "149d9ed68fee0b4f77efd1e835ce5d785856697b",
"status": "unaffected"
},
{
"at": "eceb8315ce9a31ef784943a95a8624ebd1bc7e06",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "f26876aa67aaeb38e616638aa3efbcc2fe2906a5",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.16.6",
"versionStartIncluding": "0.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.17.4",
"versionStartIncluding": "1.17.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.18.5",
"versionStartIncluding": "1.18.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.19.5",
"versionStartIncluding": "1.19.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.20.3",
"versionStartIncluding": "1.20.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jos\u00e9 Valim"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper Neutralization of Parameter/Argument Delimiters vulnerability in elixir-plug plug allows an attacker to inject or override HTTP cookie attributes.\u003c/p\u003e\u003cp\u003eThe \u003ctt\u003ePlug.Conn.Cookies.encode/2\u003c/tt\u003e function in \u003ctt\u003elib/plug/conn/cookies.ex\u003c/tt\u003e builds the \u003ctt\u003eSet-Cookie\u003c/tt\u003e response header by interpolating the cookie value and its \u003ctt\u003epath\u003c/tt\u003e, \u003ctt\u003edomain\u003c/tt\u003e, \u003ctt\u003esame_site\u003c/tt\u003e, and \u003ctt\u003eextra\u003c/tt\u003e attributes directly into the header without neutralizing the \u003ctt\u003e;\u003c/tt\u003e delimiter that separates cookie attributes.\u003c/p\u003e\u003cp\u003eAn application that places attacker-controlled data into a cookie value or attribute (for example via \u003ctt\u003ePlug.Conn.put_resp_cookie/4\u003c/tt\u003e when reflecting a username or preference) lets an attacker inject a \u003ctt\u003e;\u003c/tt\u003e to append or override cookie attributes (such as \u003ctt\u003eDomain\u003c/tt\u003e and \u003ctt\u003ePath\u003c/tt\u003e scope, or dropping the \u003ctt\u003eSecure\u003c/tt\u003e and \u003ctt\u003eHttpOnly\u003c/tt\u003e flags), enabling cookie tossing and session fixation. Carriage return, line feed, and null bytes are rejected by \u003ctt\u003ePlug.Conn\u003c/tt\u003e header validation, so HTTP response splitting is not possible, but attribute injection through \u003ctt\u003e;\u003c/tt\u003e is not prevented.\u003c/p\u003e\u003cp\u003eThis issue affects plug: from 0.1.0 before 1.16.6, from 1.17.0 before 1.17.4, from 1.18.0 before 1.18.5, from 1.19.0 before 1.19.5, from 1.20.0 before 1.20.3.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Parameter/Argument Delimiters vulnerability in elixir-plug plug allows an attacker to inject or override HTTP cookie attributes.\n\nThe Plug.Conn.Cookies.encode/2 function in lib/plug/conn/cookies.ex builds the Set-Cookie response header by interpolating the cookie value and its path, domain, same_site, and extra attributes directly into the header without neutralizing the \u0027;\u0027 delimiter that separates cookie attributes.\n\nAn application that places attacker-controlled data into a cookie value or attribute (for example via Plug.Conn.put_resp_cookie/4 when reflecting a username or preference) lets an attacker inject a \u0027;\u0027 to append or override cookie attributes (such as Domain and Path scope, or dropping the Secure and HttpOnly flags), enabling cookie tossing and session fixation. Carriage return, line feed, and null bytes are rejected by Plug.Conn header validation, so HTTP response splitting is not possible, but attribute injection through \u0027;\u0027 is not prevented.\n\nThis issue affects plug: from 0.1.0 before 1.16.6, from 1.17.0 before 1.17.4, from 1.18.0 before 1.18.5, from 1.19.0 before 1.19.5, from 1.20.0 before 1.20.3."
}
],
"impacts": [
{
"capecId": "CAPEC-61",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-61 Session Fixation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 2.1,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-141",
"description": "CWE-141 Improper Neutralization of Parameter/Argument Delimiters",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T14:45:34.174Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/elixir-plug/plug/security/advisories/GHSA-wpmj-jh88-rpgm"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-56813.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-56813"
},
{
"tags": [
"patch"
],
"url": "https://github.com/elixir-plug/plug/commit/c6575800b2c4e15af1904df87522ca8a23da020c"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Cookie attribute injection in Plug.Conn.Cookies.encode/2",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eValidate or reject the \u003ctt\u003e;\u003c/tt\u003e delimiter in any untrusted data before passing it as a cookie value or attribute to \u003ctt\u003ePlug.Conn.put_resp_cookie/4\u003c/tt\u003e or \u003ctt\u003ePlug.Conn.Cookies.encode/2\u003c/tt\u003e. Carriage return, line feed, and null bytes are already rejected by \u003ctt\u003ePlug.Conn\u003c/tt\u003e header validation.\u003c/p\u003e"
}
],
"value": "Validate or reject the \u0027;\u0027 delimiter in any untrusted data before passing it as a cookie value or attribute to Plug.Conn.put_resp_cookie/4 or Plug.Conn.Cookies.encode/2. Carriage return, line feed, and null bytes are already rejected by Plug.Conn header validation."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-56813",
"datePublished": "2026-07-10T12:51:08.758Z",
"dateReserved": "2026-06-23T12:29:02.507Z",
"dateUpdated": "2026-07-10T14:45:34.174Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-56814 (GCVE-0-2026-56814)
Vulnerability from cvelistv5 – Published: 2026-07-10 11:14 – Updated: 2026-07-10 14:41
VLAI
EPSS
VEX
Title
Plug: multipart :length limit is not charged for part headers, enabling unbounded temp-file creation (denial of service)
Summary
Plug.Parsers.MULTIPART, the multipart request-body parser used to handle file uploads and multipart forms, does not enforce its :length budget against all consumed resources, allowing an unauthenticated remote attacker to cause denial of service. The parser charges the :length limit only for part body bytes; part header bytes are never counted, and a part with an empty body costs zero.
Because every part whose Content-Disposition carries a non-empty filename creates a fresh temporary file (via Plug.Upload) and retains a Plug.Upload struct for the duration of the request, an attacker can send a single request composed of many empty-body file parts. Such a request stays well under the configured :length limit (8,000,000 bytes by default) while creating one temporary file per part, leading to inode and disk exhaustion and unbounded memory growth. Any application using Plug.Parsers with the :multipart parser is affected, and no authentication is required, only reachability of a multipart endpoint over HTTP.
This vulnerability is associated with program files lib/plug/parsers/multipart.ex and program routines Plug.Parsers.MULTIPART.parse_multipart/2, Plug.Parsers.MULTIPART.parse_multipart_headers/5, Plug.Parsers.MULTIPART.parse_multipart_body/4, and Plug.Parsers.MULTIPART.parse_multipart_file/4.
This issue affects plug: from 1.4.0 before 1.16.6, from 1.17.0 before 1.17.4, from 1.18.0 before 1.18.5, from 1.19.0 before 1.19.5, and from 1.20.0 before 1.20.3.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
9 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| elixir-plug | plug |
Affected:
1.4.0 , < 1.16.6
(semver)
Affected: 1.17.0 , < 1.17.4 (semver) Affected: 1.18.0 , < 1.18.5 (semver) Affected: 1.19.0 , < 1.19.5 (semver) Affected: 1.20.0 , < 1.20.3 (semver) cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:* |
|
| elixir-plug | plug |
Affected:
c52b2f32c90bccd718202bafccb5f95594e30183 , < *
(git)
cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-56814",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-10T14:03:11.744626Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T14:03:28.156Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Plug.Parsers.MULTIPART\u0027"
],
"packageName": "plug",
"packageURL": "pkg:hex/plug",
"product": "plug",
"programFiles": [
"lib/plug/parsers/multipart.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Plug.Parsers.MULTIPART\u0027:parse_multipart/2"
},
{
"name": "\u0027Elixir.Plug.Parsers.MULTIPART\u0027:parse_multipart_headers/5"
},
{
"name": "\u0027Elixir.Plug.Parsers.MULTIPART\u0027:parse_multipart_body/4"
},
{
"name": "\u0027Elixir.Plug.Parsers.MULTIPART\u0027:parse_multipart_file/4"
}
],
"repo": "https://github.com/elixir-plug/plug",
"vendor": "elixir-plug",
"versions": [
{
"lessThan": "1.16.6",
"status": "affected",
"version": "1.4.0",
"versionType": "semver"
},
{
"lessThan": "1.17.4",
"status": "affected",
"version": "1.17.0",
"versionType": "semver"
},
{
"lessThan": "1.18.5",
"status": "affected",
"version": "1.18.0",
"versionType": "semver"
},
{
"lessThan": "1.19.5",
"status": "affected",
"version": "1.19.0",
"versionType": "semver"
},
{
"lessThan": "1.20.3",
"status": "affected",
"version": "1.20.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Plug.Parsers.MULTIPART\u0027"
],
"packageName": "elixir-plug/plug",
"packageURL": "pkg:github/elixir-plug/plug",
"product": "plug",
"programFiles": [
"lib/plug/parsers/multipart.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Plug.Parsers.MULTIPART\u0027:parse_multipart/2"
},
{
"name": "\u0027Elixir.Plug.Parsers.MULTIPART\u0027:parse_multipart_headers/5"
},
{
"name": "\u0027Elixir.Plug.Parsers.MULTIPART\u0027:parse_multipart_body/4"
},
{
"name": "\u0027Elixir.Plug.Parsers.MULTIPART\u0027:parse_multipart_file/4"
}
],
"repo": "https://github.com/elixir-plug/plug",
"vendor": "elixir-plug",
"versions": [
{
"changes": [
{
"at": "981597d3a4271ede64373c7a731702a42c500dd6",
"status": "unaffected"
},
{
"at": "56edca2ce35fe5589cd581644d8a4493fa5f484e",
"status": "unaffected"
},
{
"at": "0ee8afcc61466dc5f7a8f048d0632c899165b81f",
"status": "unaffected"
},
{
"at": "cae36053350e5215a4e0ca33cd130af9c5fc6364",
"status": "unaffected"
},
{
"at": "f7effaed811c00b5f5bf817936bfd9c5df27b7dc",
"status": "unaffected"
},
{
"at": "df97d3f17f808a9916a7700a701fb85314559d56",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "c52b2f32c90bccd718202bafccb5f95594e30183",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.16.6",
"versionStartIncluding": "1.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.17.4",
"versionStartIncluding": "1.17.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.18.5",
"versionStartIncluding": "1.18.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.19.5",
"versionStartIncluding": "1.19.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.20.3",
"versionStartIncluding": "1.20.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jos\u00e9 Valim"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003ctt\u003ePlug.Parsers.MULTIPART\u003c/tt\u003e, the multipart request-body parser used to handle file uploads and multipart forms, does not enforce its \u003ctt\u003e:length\u003c/tt\u003e budget against all consumed resources, allowing an unauthenticated remote attacker to cause denial of service. The parser charges the \u003ctt\u003e:length\u003c/tt\u003e limit only for part body bytes; part header bytes are never counted, and a part with an empty body costs zero.\u003c/p\u003e\u003cp\u003eBecause every part whose \u003ctt\u003eContent-Disposition\u003c/tt\u003e carries a non-empty \u003ctt\u003efilename\u003c/tt\u003e creates a fresh temporary file (via \u003ctt\u003ePlug.Upload\u003c/tt\u003e) and retains a \u003ctt\u003ePlug.Upload\u003c/tt\u003e struct for the duration of the request, an attacker can send a single request composed of many empty-body file parts. Such a request stays well under the configured \u003ctt\u003e:length\u003c/tt\u003e limit (8,000,000 bytes by default) while creating one temporary file per part, leading to inode and disk exhaustion and unbounded memory growth. Any application using \u003ctt\u003ePlug.Parsers\u003c/tt\u003e with the \u003ctt\u003e:multipart\u003c/tt\u003e parser is affected, and no authentication is required, only reachability of a multipart endpoint over HTTP.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/plug/parsers/multipart.ex\u003c/tt\u003e and program routines \u003ctt\u003ePlug.Parsers.MULTIPART.parse_multipart/2\u003c/tt\u003e, \u003ctt\u003ePlug.Parsers.MULTIPART.parse_multipart_headers/5\u003c/tt\u003e, \u003ctt\u003ePlug.Parsers.MULTIPART.parse_multipart_body/4\u003c/tt\u003e, and \u003ctt\u003ePlug.Parsers.MULTIPART.parse_multipart_file/4\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects plug: from 1.4.0 before 1.16.6, from 1.17.0 before 1.17.4, from 1.18.0 before 1.18.5, from 1.19.0 before 1.19.5, and from 1.20.0 before 1.20.3.\u003c/p\u003e"
}
],
"value": "Plug.Parsers.MULTIPART, the multipart request-body parser used to handle file uploads and multipart forms, does not enforce its :length budget against all consumed resources, allowing an unauthenticated remote attacker to cause denial of service. The parser charges the :length limit only for part body bytes; part header bytes are never counted, and a part with an empty body costs zero.\n\nBecause every part whose Content-Disposition carries a non-empty filename creates a fresh temporary file (via Plug.Upload) and retains a Plug.Upload struct for the duration of the request, an attacker can send a single request composed of many empty-body file parts. Such a request stays well under the configured :length limit (8,000,000 bytes by default) while creating one temporary file per part, leading to inode and disk exhaustion and unbounded memory growth. Any application using Plug.Parsers with the :multipart parser is affected, and no authentication is required, only reachability of a multipart endpoint over HTTP.\n\nThis vulnerability is associated with program files lib/plug/parsers/multipart.ex and program routines Plug.Parsers.MULTIPART.parse_multipart/2, Plug.Parsers.MULTIPART.parse_multipart_headers/5, Plug.Parsers.MULTIPART.parse_multipart_body/4, and Plug.Parsers.MULTIPART.parse_multipart_file/4.\n\nThis issue affects plug: from 1.4.0 before 1.16.6, from 1.17.0 before 1.17.4, from 1.18.0 before 1.18.5, from 1.19.0 before 1.19.5, and from 1.20.0 before 1.20.3."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T14:41:43.299Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/elixir-plug/plug/security/advisories/GHSA-95qv-c9g9-rm63"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-56814.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-56814"
},
{
"tags": [
"patch"
],
"url": "https://github.com/elixir-plug/plug/commit/981597d3a4271ede64373c7a731702a42c500dd6"
},
{
"tags": [
"patch"
],
"url": "https://github.com/elixir-plug/plug/commit/56edca2ce35fe5589cd581644d8a4493fa5f484e"
},
{
"tags": [
"patch"
],
"url": "https://github.com/elixir-plug/plug/commit/0ee8afcc61466dc5f7a8f048d0632c899165b81f"
},
{
"tags": [
"patch"
],
"url": "https://github.com/elixir-plug/plug/commit/cae36053350e5215a4e0ca33cd130af9c5fc6364"
},
{
"tags": [
"patch"
],
"url": "https://github.com/elixir-plug/plug/commit/f7effaed811c00b5f5bf817936bfd9c5df27b7dc"
},
{
"tags": [
"patch"
],
"url": "https://github.com/elixir-plug/plug/commit/df97d3f17f808a9916a7700a701fb85314559d56"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Plug: multipart :length limit is not charged for part headers, enabling unbounded temp-file creation (denial of service)",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-56814",
"datePublished": "2026-07-10T11:14:35.574Z",
"dateReserved": "2026-06-23T12:29:02.507Z",
"dateUpdated": "2026-07-10T14:41:43.299Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-58225 (GCVE-0-2026-58225)
Vulnerability from cvelistv5 – Published: 2026-07-10 10:51 – Updated: 2026-07-10 12:50
VLAI
EPSS
VEX
Title
SQL injection via unescaped dollar-quote in Postgrex.Notifications reconnect replay causes notification denial of service
Summary
SQL Injection vulnerability in elixir-ecto postgrex allows an attacker who can influence a LISTEN channel name to inject SQL into the reconnect replay query, causing a denial of service of the notification connection.
Postgrex.Notifications sanitizes channel names with quote_channel/1, which doubles double quotes so the name is safe inside a double-quoted identifier. This protects the single-statement LISTEN and UNLISTEN paths. On every (re)connect, however, handle_connect/1 replays all registered channels at once by concatenating their LISTEN statements and wrapping them in a dollar-quoted anonymous code block (DO $$BEGIN ... END$$). quote_channel/1 does not escape the $$ dollar-quote delimiter that opens and closes this block.
The listen/3 guards only reject null bytes and names longer than 63 bytes, so a channel name containing $$ passes validation unchanged. Once such a name is embedded, its $$ prematurely terminates the outer dollar-quoted string and PostgreSQL parses the remainder as additional top-level statements. Because handle_connect/1 runs on every (re)connect, the malformed replay query is rejected each time and the notification connection never re-establishes its subscriptions, silently dropping notifications for every channel sharing that connection.
An application is affected when it passes untrusted input (for example a tenant or user identifier) as a channel name to Postgrex.Notifications.listen/3. The double-quote doubling prevents forming a fully valid injected statement, so arbitrary SQL execution is not possible, but the corrupted query reliably breaks the shared notification connection for all tenants, resulting in denial of service.
This issue affects postgrex: from 0.16.0 before 0.22.3.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/elixir-ecto/ecto/security/advi… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-58225.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-58225 | related |
| https://github.com/elixir-ecto/postgrex/commit/79… | patch |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| elixir-ecto | postgrex |
Affected:
0.16.0 , < 0.22.3
(semver)
cpe:2.3:a:elixir-ecto:postgrex:*:*:*:*:*:*:*:* |
|
| elixir-ecto | postgrex |
Affected:
266b530faf9bde094e31e0e4ab851f933fadc0f5 , < 795c6062f62c4394272ff4b89170688857b4f841
(git)
cpe:2.3:a:elixir-ecto:postgrex:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-58225",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-10T11:47:10.671088Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T11:47:16.925Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/elixir-ecto/ecto/security/advisories/GHSA-4mw9-4qgj-m97w"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:elixir-ecto:postgrex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Postgrex.Notifications\u0027"
],
"packageName": "postgrex",
"packageURL": "pkg:hex/postgrex",
"product": "postgrex",
"programFiles": [
"lib/postgrex/notifications.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Postgrex.Notifications\u0027:handle_connect/1"
},
{
"name": "\u0027Elixir.Postgrex.Notifications\u0027:listen/3"
}
],
"repo": "https://github.com/elixir-ecto/postgrex",
"vendor": "elixir-ecto",
"versions": [
{
"lessThan": "0.22.3",
"status": "affected",
"version": "0.16.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:elixir-ecto:postgrex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Postgrex.Notifications\u0027"
],
"packageName": "elixir-ecto/postgrex",
"packageURL": "pkg:github/elixir-ecto/postgrex",
"product": "postgrex",
"programFiles": [
"lib/postgrex/notifications.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Postgrex.Notifications\u0027:handle_connect/1"
},
{
"name": "\u0027Elixir.Postgrex.Notifications\u0027:listen/3"
}
],
"repo": "https://github.com/elixir-ecto/postgrex",
"vendor": "elixir-ecto",
"versions": [
{
"lessThan": "795c6062f62c4394272ff4b89170688857b4f841",
"status": "affected",
"version": "266b530faf9bde094e31e0e4ab851f933fadc0f5",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:elixir-ecto:postgrex:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.22.3",
"versionStartIncluding": "0.16.0",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jos\u00e9 Valim"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSQL Injection vulnerability in elixir-ecto postgrex allows an attacker who can influence a \u003ctt\u003eLISTEN\u003c/tt\u003e channel name to inject SQL into the reconnect replay query, causing a denial of service of the notification connection.\u003c/p\u003e\u003cp\u003e\u003ctt\u003ePostgrex.Notifications\u003c/tt\u003e sanitizes channel names with \u003ctt\u003equote_channel/1\u003c/tt\u003e, which doubles double quotes so the name is safe inside a double-quoted identifier. This protects the single-statement \u003ctt\u003eLISTEN\u003c/tt\u003e and \u003ctt\u003eUNLISTEN\u003c/tt\u003e paths. On every (re)connect, however, \u003ctt\u003ehandle_connect/1\u003c/tt\u003e replays all registered channels at once by concatenating their \u003ctt\u003eLISTEN\u003c/tt\u003e statements and wrapping them in a dollar-quoted anonymous code block (\u003ctt\u003eDO $$BEGIN ... END$$\u003c/tt\u003e). \u003ctt\u003equote_channel/1\u003c/tt\u003e does not escape the \u003ctt\u003e$$\u003c/tt\u003e dollar-quote delimiter that opens and closes this block.\u003c/p\u003e\u003cp\u003eThe \u003ctt\u003elisten/3\u003c/tt\u003e guards only reject null bytes and names longer than 63 bytes, so a channel name containing \u003ctt\u003e$$\u003c/tt\u003e passes validation unchanged. Once such a name is embedded, its \u003ctt\u003e$$\u003c/tt\u003e prematurely terminates the outer dollar-quoted string and PostgreSQL parses the remainder as additional top-level statements. Because \u003ctt\u003ehandle_connect/1\u003c/tt\u003e runs on every (re)connect, the malformed replay query is rejected each time and the notification connection never re-establishes its subscriptions, silently dropping notifications for every channel sharing that connection.\u003c/p\u003e\u003cp\u003eAn application is affected when it passes untrusted input (for example a tenant or user identifier) as a channel name to \u003ctt\u003ePostgrex.Notifications.listen/3\u003c/tt\u003e. The double-quote doubling prevents forming a fully valid injected statement, so arbitrary SQL execution is not possible, but the corrupted query reliably breaks the shared notification connection for all tenants, resulting in denial of service.\u003c/p\u003e\u003cp\u003eThis issue affects postgrex: from 0.16.0 before 0.22.3.\u003c/p\u003e"
}
],
"value": "SQL Injection vulnerability in elixir-ecto postgrex allows an attacker who can influence a LISTEN channel name to inject SQL into the reconnect replay query, causing a denial of service of the notification connection.\n\nPostgrex.Notifications sanitizes channel names with quote_channel/1, which doubles double quotes so the name is safe inside a double-quoted identifier. This protects the single-statement LISTEN and UNLISTEN paths. On every (re)connect, however, handle_connect/1 replays all registered channels at once by concatenating their LISTEN statements and wrapping them in a dollar-quoted anonymous code block (DO $$BEGIN ... END$$). quote_channel/1 does not escape the $$ dollar-quote delimiter that opens and closes this block.\n\nThe listen/3 guards only reject null bytes and names longer than 63 bytes, so a channel name containing $$ passes validation unchanged. Once such a name is embedded, its $$ prematurely terminates the outer dollar-quoted string and PostgreSQL parses the remainder as additional top-level statements. Because handle_connect/1 runs on every (re)connect, the malformed replay query is rejected each time and the notification connection never re-establishes its subscriptions, silently dropping notifications for every channel sharing that connection.\n\nAn application is affected when it passes untrusted input (for example a tenant or user identifier) as a channel name to Postgrex.Notifications.listen/3. The double-quote doubling prevents forming a fully valid injected statement, so arbitrary SQL execution is not possible, but the corrupted query reliably breaks the shared notification connection for all tenants, resulting in denial of service.\n\nThis issue affects postgrex: from 0.16.0 before 0.22.3."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 2.1,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T12:50:40.297Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/elixir-ecto/ecto/security/advisories/GHSA-4mw9-4qgj-m97w"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-58225.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-58225"
},
{
"tags": [
"patch"
],
"url": "https://github.com/elixir-ecto/postgrex/commit/795c6062f62c4394272ff4b89170688857b4f841"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "SQL injection via unescaped dollar-quote in Postgrex.Notifications reconnect replay causes notification denial of service",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eValidate channel names before passing untrusted input to \u003ctt\u003ePostgrex.Notifications.listen/3\u003c/tt\u003e. Reject any name that contains the dollar-quote delimiter (\u003ctt\u003e$$\u003c/tt\u003e), or restrict channel names to a safe character set such as alphanumeric characters and underscores.\u003c/p\u003e"
}
],
"value": "Validate channel names before passing untrusted input to Postgrex.Notifications.listen/3. Reject any name that contains the dollar-quote delimiter ($$), or restrict channel names to a safe character set such as alphanumeric characters and underscores."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-58225",
"datePublished": "2026-07-10T10:51:46.978Z",
"dateReserved": "2026-06-29T18:54:08.633Z",
"dateUpdated": "2026-07-10T12:50:40.297Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-56812 (GCVE-0-2026-56812)
Vulnerability from cvelistv5 – Published: 2026-07-07 15:22 – Updated: 2026-07-07 16:11
VLAI
EPSS
VEX
Title
Phoenix JavaScript presence client crashes on presence keys colliding with Object.prototype members in Presence.syncState/syncDiff
Summary
Improper Check for Unusual or Exceptional Conditions vulnerability in phoenixframework phoenix (Presence JavaScript client) allows an attacker with ordinary channel access to cause a persistent client-side denial of service against every viewer of a presence channel topic.
This vulnerability is associated with program files assets/js/phoenix/presence.js and program routines Presence.syncState and Presence.syncDiff.
The Phoenix JavaScript presence client checks whether a presence already exists with a bare truthiness test (state[key]) instead of an own-property check. Presence keys can be attacker-controlled, because applications track presences under a username or id supplied by the client. A user who joins a channel choosing a key that is an Object.prototype member name (__proto__, constructor, toString, hasOwnProperty, and similar) makes that lookup return JavaScript's built-in Object.prototype instead of undefined. Because the prototype is truthy, the code treats it as an existing presence and reads .metas.map(...) off it, which throws an uncaught TypeError.
The exception propagates out of the presence message handler, so the local state is never updated and onSync() never fires. Because the malicious key is tracked on the server, it is re-pushed on every presence update and keeps re-throwing, so presence sync stays broken for every viewer of that channel topic until the attacker leaves. Both syncState and syncDiff use the same unsafe existence-check pattern. The impact is limited to the affected topic and is a read-time confusion of the prototype object, not a mutation of Object.prototype (it is not prototype pollution).
This issue affects phoenix: from 1.2.0-rc.0 before 1.5.15, from 1.6.0-rc.0 before 1.6.17, from 1.7.0-rc.0 before 1.7.24, and from 1.8.0-rc.0 before 1.8.9.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-754 - Improper Check for Unusual or Exceptional Conditions
Assigner
References
7 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| phoenixframework | phoenix |
Affected:
1.2.0-rc.0 , < 1.5.15
(semver)
Affected: 1.6.0-rc.0 , < 1.6.17 (semver) Affected: 1.7.0-rc.0 , < 1.7.24 (semver) Affected: 1.8.0-rc.0 , < 1.8.9 (semver) cpe:2.3:a:phoenixframework:phoenix:*:*:*:*:*:*:*:* |
|
| phoenixframework | phoenix |
Affected:
2270aaf21bd02c6a6a1022820564efb605a97655 , < *
(git)
cpe:2.3:a:phoenixframework:phoenix:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-56812",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-07T16:11:03.353715Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T16:11:10.938Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/phoenixframework/phoenix/security/advisories/GHSA-63mc-hw7g-86rr"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:phoenixframework:phoenix:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"Presence"
],
"packageName": "phoenix",
"packageURL": "pkg:hex/phoenix",
"product": "phoenix",
"programFiles": [
"assets/js/phoenix/presence.js"
],
"programRoutines": [
{
"name": "Presence.syncState"
},
{
"name": "Presence.syncDiff"
}
],
"repo": "https://github.com/phoenixframework/phoenix",
"vendor": "phoenixframework",
"versions": [
{
"lessThan": "1.5.15",
"status": "affected",
"version": "1.2.0-rc.0",
"versionType": "semver"
},
{
"lessThan": "1.6.17",
"status": "affected",
"version": "1.6.0-rc.0",
"versionType": "semver"
},
{
"lessThan": "1.7.24",
"status": "affected",
"version": "1.7.0-rc.0",
"versionType": "semver"
},
{
"lessThan": "1.8.9",
"status": "affected",
"version": "1.8.0-rc.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://registry.npmjs.org",
"cpes": [
"cpe:2.3:a:phoenixframework:phoenix:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"Presence"
],
"packageName": "phoenix",
"packageURL": "pkg:npm/phoenix",
"product": "phoenix",
"programFiles": [
"assets/js/phoenix/presence.js"
],
"programRoutines": [
{
"name": "Presence.syncState"
},
{
"name": "Presence.syncDiff"
}
],
"repo": "https://github.com/phoenixframework/phoenix",
"vendor": "phoenixframework",
"versions": [
{
"lessThan": "1.5.15",
"status": "affected",
"version": "1.2.0-rc.0",
"versionType": "semver"
},
{
"lessThan": "1.6.17",
"status": "affected",
"version": "1.6.0-rc.0",
"versionType": "semver"
},
{
"lessThan": "1.7.24",
"status": "affected",
"version": "1.7.0-rc.0",
"versionType": "semver"
},
{
"lessThan": "1.8.9",
"status": "affected",
"version": "1.8.0-rc.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:phoenixframework:phoenix:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"Presence"
],
"packageName": "phoenixframework/phoenix",
"packageURL": "pkg:github/phoenixframework/phoenix",
"product": "phoenix",
"programFiles": [
"assets/js/phoenix/presence.js"
],
"programRoutines": [
{
"name": "Presence.syncState"
},
{
"name": "Presence.syncDiff"
}
],
"repo": "https://github.com/phoenixframework/phoenix",
"vendor": "phoenixframework",
"versions": [
{
"changes": [
{
"at": "7f7b971c1ea0994e3fbd1c11ddb05e780bd38ad8",
"status": "unaffected"
},
{
"at": "89a1c4be161e436241e12b2378a719904b9bd96f",
"status": "unaffected"
},
{
"at": "b90b22521465ece00eb5a19d5aa2b9465b209c85",
"status": "unaffected"
},
{
"at": "beffc4da1e787e572121f68902c63daf4fe7d9c2",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "2270aaf21bd02c6a6a1022820564efb605a97655",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe application must use \u003ctt\u003ePhoenix.Presence\u003c/tt\u003e (or otherwise drive the Phoenix JavaScript presence client) and track presences under keys that are influenced by untrusted client input, for example a username or id chosen by the connecting user. Applications that derive presence keys exclusively from server-controlled, validated values are not affected.\u003c/p\u003e"
}
],
"value": "The application must use Phoenix.Presence (or otherwise drive the Phoenix JavaScript presence client) and track presences under keys that are influenced by untrusted client input, for example a username or id chosen by the connecting user. Applications that derive presence keys exclusively from server-controlled, validated values are not affected."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phoenixframework:phoenix:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.5.15",
"versionStartIncluding": "1.2.0-rc.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phoenixframework:phoenix:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.6.17",
"versionStartIncluding": "1.6.0-rc.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phoenixframework:phoenix:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.7.24",
"versionStartIncluding": "1.7.0-rc.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phoenixframework:phoenix:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.8.9",
"versionStartIncluding": "1.8.0-rc.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen"
},
{
"lang": "en",
"type": "analyst",
"value": "Jos\u00e9 Valim"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Steffen Deusch"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper Check for Unusual or Exceptional Conditions vulnerability in phoenixframework phoenix (Presence JavaScript client) allows an attacker with ordinary channel access to cause a persistent client-side denial of service against every viewer of a presence channel topic.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003eassets/js/phoenix/presence.js\u003c/tt\u003e and program routines \u003ctt\u003ePresence.syncState\u003c/tt\u003e and \u003ctt\u003ePresence.syncDiff\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThe Phoenix JavaScript presence client checks whether a presence already exists with a bare truthiness test (\u003ctt\u003estate[key]\u003c/tt\u003e) instead of an own-property check. Presence keys can be attacker-controlled, because applications track presences under a username or id supplied by the client. A user who joins a channel choosing a key that is an \u003ctt\u003eObject.prototype\u003c/tt\u003e member name (\u003ctt\u003e__proto__\u003c/tt\u003e, \u003ctt\u003econstructor\u003c/tt\u003e, \u003ctt\u003etoString\u003c/tt\u003e, \u003ctt\u003ehasOwnProperty\u003c/tt\u003e, and similar) makes that lookup return JavaScript\u0027s built-in \u003ctt\u003eObject.prototype\u003c/tt\u003e instead of \u003ctt\u003eundefined\u003c/tt\u003e. Because the prototype is truthy, the code treats it as an existing presence and reads \u003ctt\u003e.metas.map(...)\u003c/tt\u003e off it, which throws an uncaught \u003ctt\u003eTypeError\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThe exception propagates out of the presence message handler, so the local state is never updated and \u003ctt\u003eonSync()\u003c/tt\u003e never fires. Because the malicious key is tracked on the server, it is re-pushed on every presence update and keeps re-throwing, so presence sync stays broken for every viewer of that channel topic until the attacker leaves. Both \u003ctt\u003esyncState\u003c/tt\u003e and \u003ctt\u003esyncDiff\u003c/tt\u003e use the same unsafe existence-check pattern. The impact is limited to the affected topic and is a read-time confusion of the prototype object, not a mutation of \u003ctt\u003eObject.prototype\u003c/tt\u003e (it is not prototype pollution).\u003c/p\u003e\u003cp\u003eThis issue affects phoenix: from 1.2.0-rc.0 before 1.5.15, from 1.6.0-rc.0 before 1.6.17, from 1.7.0-rc.0 before 1.7.24, and from 1.8.0-rc.0 before 1.8.9.\u003c/p\u003e"
}
],
"value": "Improper Check for Unusual or Exceptional Conditions vulnerability in phoenixframework phoenix (Presence JavaScript client) allows an attacker with ordinary channel access to cause a persistent client-side denial of service against every viewer of a presence channel topic.\n\nThis vulnerability is associated with program files assets/js/phoenix/presence.js and program routines Presence.syncState and Presence.syncDiff.\n\nThe Phoenix JavaScript presence client checks whether a presence already exists with a bare truthiness test (state[key]) instead of an own-property check. Presence keys can be attacker-controlled, because applications track presences under a username or id supplied by the client. A user who joins a channel choosing a key that is an Object.prototype member name (__proto__, constructor, toString, hasOwnProperty, and similar) makes that lookup return JavaScript\u0027s built-in Object.prototype instead of undefined. Because the prototype is truthy, the code treats it as an existing presence and reads .metas.map(...) off it, which throws an uncaught TypeError.\n\nThe exception propagates out of the presence message handler, so the local state is never updated and onSync() never fires. Because the malicious key is tracked on the server, it is re-pushed on every presence update and keeps re-throwing, so presence sync stays broken for every viewer of that channel topic until the attacker leaves. Both syncState and syncDiff use the same unsafe existence-check pattern. The impact is limited to the affected topic and is a read-time confusion of the prototype object, not a mutation of Object.prototype (it is not prototype pollution).\n\nThis issue affects phoenix: from 1.2.0-rc.0 before 1.5.15, from 1.6.0-rc.0 before 1.6.17, from 1.7.0-rc.0 before 1.7.24, and from 1.8.0-rc.0 before 1.8.9."
}
],
"impacts": [
{
"capecId": "CAPEC-153",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-153 Input Data Manipulation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-754",
"description": "CWE-754 Improper Check for Unusual or Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T16:11:22.228Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/phoenixframework/phoenix/security/advisories/GHSA-63mc-hw7g-86rr"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-56812.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-56812"
},
{
"tags": [
"patch"
],
"url": "https://github.com/phoenixframework/phoenix/commit/7f7b971c1ea0994e3fbd1c11ddb05e780bd38ad8"
},
{
"tags": [
"patch"
],
"url": "https://github.com/phoenixframework/phoenix/commit/89a1c4be161e436241e12b2378a719904b9bd96f"
},
{
"tags": [
"patch"
],
"url": "https://github.com/phoenixframework/phoenix/commit/b90b22521465ece00eb5a19d5aa2b9465b209c85"
},
{
"tags": [
"patch"
],
"url": "https://github.com/phoenixframework/phoenix/commit/beffc4da1e787e572121f68902c63daf4fe7d9c2"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Phoenix JavaScript presence client crashes on presence keys colliding with Object.prototype members in Presence.syncState/syncDiff",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eReject or sanitize presence keys that collide with JavaScript \u003ctt\u003eObject.prototype\u003c/tt\u003e member names (for example \u003ctt\u003e__proto__\u003c/tt\u003e, \u003ctt\u003econstructor\u003c/tt\u003e, \u003ctt\u003eprototype\u003c/tt\u003e, \u003ctt\u003etoString\u003c/tt\u003e, \u003ctt\u003ehasOwnProperty\u003c/tt\u003e) before calling \u003ctt\u003ePhoenix.Presence.track\u003c/tt\u003e, or namespace every presence key with a fixed prefix so that no key can equal a prototype member name. Alternatively, derive presence keys from server-controlled, validated values instead of raw user input.\u003c/p\u003e"
}
],
"value": "Reject or sanitize presence keys that collide with JavaScript Object.prototype member names (for example __proto__, constructor, prototype, toString, hasOwnProperty) before calling Phoenix.Presence.track, or namespace every presence key with a fixed prefix so that no key can equal a prototype member name. Alternatively, derive presence keys from server-controlled, validated values instead of raw user input."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-56812",
"datePublished": "2026-07-07T15:22:46.933Z",
"dateReserved": "2026-06-23T12:29:02.507Z",
"dateUpdated": "2026-07-07T16:11:22.228Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-56811 (GCVE-0-2026-56811)
Vulnerability from cvelistv5 – Published: 2026-07-07 15:09 – Updated: 2026-07-07 16:14
VLAI
EPSS
VEX
Title
Phoenix transports do not limit channel joins per connection, enabling process-exhaustion denial of service
Summary
Allocation of Resources Without Limits or Throttling vulnerability in phoenixframework phoenix (Phoenix.Socket module) allows an unauthenticated attacker to cause a denial of service against any endpoint that mounts a Phoenix socket with a reachable channel transport (WebSocket or LongPoll).
This vulnerability is associated with program files lib/phoenix/socket.ex and program routine 'Elixir.Phoenix.Socket':handle_in/4.
Phoenix transports do not limit the number of channels that a single transport process may join. Every phx_join message a client sends over one connection starts a persistent channel process, and the socket process accepts an unbounded number of them. A single unauthenticated client can therefore open one WebSocket or LongPoll connection and stream a large number of phx_join messages, spawning hundreds of thousands of channel processes over that one connection and eventually reaching the BEAM maximum process limit. Once the process table is exhausted the virtual machine can no longer start new processes, denying service to legitimate traffic across the whole node. Because the amplification happens inside a single connection, network-layer connection caps and rate limiting do not mitigate it.
The fix adds a :max_channels_per_transport option (default 100) that bounds the number of channels a single transport process can join, forcing abusive clients to open many connections instead, where external load balancers and reverse proxies can throttle them.
This issue affects phoenix: from 0.11.0 before 1.5.15, from 1.6.0-rc.0 before 1.6.17, from 1.7.0-rc.0 before 1.7.24, and from 1.8.0-rc.0 before 1.8.9.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
7 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| phoenixframework | phoenix |
Affected:
0.11.0 , < 1.5.15
(semver)
Affected: 1.6.0-rc.0 , < 1.6.17 (semver) Affected: 1.7.0-rc.0 , < 1.7.24 (semver) Affected: 1.8.0-rc.0 , < 1.8.9 (semver) cpe:2.3:a:phoenixframework:phoenix:*:*:*:*:*:*:*:* |
|
| phoenixframework | phoenix |
Affected:
14a297e88023cb280a577962a49a0bbdeef9f4eb , < *
(git)
cpe:2.3:a:phoenixframework:phoenix:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-56811",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-07T16:12:27.662417Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T16:12:37.299Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:phoenixframework:phoenix:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Phoenix.Socket\u0027"
],
"packageName": "phoenix",
"packageURL": "pkg:hex/phoenix",
"product": "phoenix",
"programFiles": [
"lib/phoenix/socket.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Phoenix.Socket\u0027:handle_in/4"
}
],
"repo": "https://github.com/phoenixframework/phoenix",
"vendor": "phoenixframework",
"versions": [
{
"lessThan": "1.5.15",
"status": "affected",
"version": "0.11.0",
"versionType": "semver"
},
{
"lessThan": "1.6.17",
"status": "affected",
"version": "1.6.0-rc.0",
"versionType": "semver"
},
{
"lessThan": "1.7.24",
"status": "affected",
"version": "1.7.0-rc.0",
"versionType": "semver"
},
{
"lessThan": "1.8.9",
"status": "affected",
"version": "1.8.0-rc.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:phoenixframework:phoenix:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Phoenix.Socket\u0027"
],
"packageName": "phoenixframework/phoenix",
"packageURL": "pkg:github/phoenixframework/phoenix",
"product": "phoenix",
"programFiles": [
"lib/phoenix/socket.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Phoenix.Socket\u0027:handle_in/4"
}
],
"repo": "https://github.com/phoenixframework/phoenix",
"vendor": "phoenixframework",
"versions": [
{
"changes": [
{
"at": "c498ba8cf49f6accbbd0c643a5340b58db891218",
"status": "unaffected"
},
{
"at": "d19ca0a8d9f82c130b7ed339b9f033433e2dea5e",
"status": "unaffected"
},
{
"at": "a612100cd8a4279091abc1a2ef8fb98a6d01c0a1",
"status": "unaffected"
},
{
"at": "16e295d2fccab185d1292322e2bee5d46c725c8a",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "14a297e88023cb280a577962a49a0bbdeef9f4eb",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe application must mount a Phoenix socket that defines channels and expose it over HTTP so that a client can reach a channel transport (WebSocket or LongPoll) and send \u003ctt\u003ephx_join\u003c/tt\u003e messages. The WebSocket transport is enabled by default on a mounted socket, while the LongPoll transport is opt-in. Applications that do not mount a socket with channels are not affected.\u003c/p\u003e"
}
],
"value": "The application must mount a Phoenix socket that defines channels and expose it over HTTP so that a client can reach a channel transport (WebSocket or LongPoll) and send phx_join messages. The WebSocket transport is enabled by default on a mounted socket, while the LongPoll transport is opt-in. Applications that do not mount a socket with channels are not affected."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phoenixframework:phoenix:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.5.15",
"versionStartIncluding": "0.11.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phoenixframework:phoenix:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.6.17",
"versionStartIncluding": "1.6.0-rc.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phoenixframework:phoenix:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.7.24",
"versionStartIncluding": "1.7.0-rc.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phoenixframework:phoenix:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.8.9",
"versionStartIncluding": "1.8.0-rc.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Steffen Deusch"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen"
},
{
"lang": "en",
"type": "analyst",
"value": "Jos\u00e9 Valim"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAllocation of Resources Without Limits or Throttling vulnerability in phoenixframework phoenix (\u003ctt\u003ePhoenix.Socket\u003c/tt\u003e module) allows an unauthenticated attacker to cause a denial of service against any endpoint that mounts a Phoenix socket with a reachable channel transport (WebSocket or LongPoll).\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/phoenix/socket.ex\u003c/tt\u003e and program routine \u003ctt\u003e\u0027Elixir.Phoenix.Socket\u0027:handle_in/4\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003ePhoenix transports do not limit the number of channels that a single transport process may join. Every \u003ctt\u003ephx_join\u003c/tt\u003e message a client sends over one connection starts a persistent channel process, and the socket process accepts an unbounded number of them. A single unauthenticated client can therefore open one WebSocket or LongPoll connection and stream a large number of \u003ctt\u003ephx_join\u003c/tt\u003e messages, spawning hundreds of thousands of channel processes over that one connection and eventually reaching the BEAM maximum process limit. Once the process table is exhausted the virtual machine can no longer start new processes, denying service to legitimate traffic across the whole node. Because the amplification happens inside a single connection, network-layer connection caps and rate limiting do not mitigate it.\u003c/p\u003e\u003cp\u003eThe fix adds a \u003ctt\u003e:max_channels_per_transport\u003c/tt\u003e option (default \u003ctt\u003e100\u003c/tt\u003e) that bounds the number of channels a single transport process can join, forcing abusive clients to open many connections instead, where external load balancers and reverse proxies can throttle them.\u003c/p\u003e\u003cp\u003eThis issue affects phoenix: from 0.11.0 before 1.5.15, from 1.6.0-rc.0 before 1.6.17, from 1.7.0-rc.0 before 1.7.24, and from 1.8.0-rc.0 before 1.8.9.\u003c/p\u003e"
}
],
"value": "Allocation of Resources Without Limits or Throttling vulnerability in phoenixframework phoenix (Phoenix.Socket module) allows an unauthenticated attacker to cause a denial of service against any endpoint that mounts a Phoenix socket with a reachable channel transport (WebSocket or LongPoll).\n\nThis vulnerability is associated with program files lib/phoenix/socket.ex and program routine \u0027Elixir.Phoenix.Socket\u0027:handle_in/4.\n\nPhoenix transports do not limit the number of channels that a single transport process may join. Every phx_join message a client sends over one connection starts a persistent channel process, and the socket process accepts an unbounded number of them. A single unauthenticated client can therefore open one WebSocket or LongPoll connection and stream a large number of phx_join messages, spawning hundreds of thousands of channel processes over that one connection and eventually reaching the BEAM maximum process limit. Once the process table is exhausted the virtual machine can no longer start new processes, denying service to legitimate traffic across the whole node. Because the amplification happens inside a single connection, network-layer connection caps and rate limiting do not mitigate it.\n\nThe fix adds a :max_channels_per_transport option (default 100) that bounds the number of channels a single transport process can join, forcing abusive clients to open many connections instead, where external load balancers and reverse proxies can throttle them.\n\nThis issue affects phoenix: from 0.11.0 before 1.5.15, from 1.6.0-rc.0 before 1.6.17, from 1.7.0-rc.0 before 1.7.24, and from 1.8.0-rc.0 before 1.8.9."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T16:14:39.702Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/phoenixframework/phoenix/security/advisories/GHSA-6983-jfq8-485w"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-56811.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-56811"
},
{
"tags": [
"patch"
],
"url": "https://github.com/phoenixframework/phoenix/commit/c498ba8cf49f6accbbd0c643a5340b58db891218"
},
{
"tags": [
"patch"
],
"url": "https://github.com/phoenixframework/phoenix/commit/d19ca0a8d9f82c130b7ed339b9f033433e2dea5e"
},
{
"tags": [
"patch"
],
"url": "https://github.com/phoenixframework/phoenix/commit/a612100cd8a4279091abc1a2ef8fb98a6d01c0a1"
},
{
"tags": [
"patch"
],
"url": "https://github.com/phoenixframework/phoenix/commit/16e295d2fccab185d1292322e2bee5d46c725c8a"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Phoenix transports do not limit channel joins per connection, enabling process-exhaustion denial of service",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eFront the socket endpoint with a reverse proxy that limits the number and rate of channel-join frames per connection, or disable transports that are not needed (for example remove \u003ctt\u003elongpoll: true\u003c/tt\u003e from the \u003ctt\u003esocket\u003c/tt\u003e declaration where the LongPoll transport is not required). Lowering the BEAM \u003ctt\u003e+P\u003c/tt\u003e maximum process limit does not prevent the exhaustion and can make it easier to trigger.\u003c/p\u003e"
}
],
"value": "Front the socket endpoint with a reverse proxy that limits the number and rate of channel-join frames per connection, or disable transports that are not needed (for example remove longpoll: true from the socket declaration where the LongPoll transport is not required). Lowering the BEAM +P maximum process limit does not prevent the exhaustion and can make it easier to trigger."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-56811",
"datePublished": "2026-07-07T15:09:57.581Z",
"dateReserved": "2026-06-23T12:29:02.507Z",
"dateUpdated": "2026-07-07T16:14:39.702Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54893 (GCVE-0-2026-54893)
Vulnerability from cvelistv5 – Published: 2026-07-06 14:04 – Updated: 2026-07-07 04:32
VLAI
EPSS
VEX
Title
Email-derived URL path injection in the Swoosh Microsoft Graph adapter
Summary
URL path injection in the Microsoft Graph adapter of Swoosh. Swoosh.Adapters.MsGraph builds its Microsoft Graph API request URL by interpolating the sender's email address into the URL path (/users/{from}/sendMail) without percent-encoding or validation.
In applications that derive the from address from untrusted or user-influenced input (for example a relay, a contact form, or a "send as" feature), an attacker can place URL-special characters such as /, ?, or # in the local part of the address to escape the intended path segment and rewrite the path and query string of the request. Because the same authenticated POST is sent with the application's Microsoft Graph bearer token, the attacker can redirect it to other Graph endpoints within the token's scopes and control the request's query string. Applications that always use a fixed, trusted from address are not affected.
This issue affects swoosh from 1.12.0 before 1.26.3.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-116 - Improper Encoding or Escaping of Output
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/swoosh/swoosh/security/advisor… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-54893.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-54893 | related |
| https://github.com/swoosh/swoosh/commit/e38235453… | patch |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54893",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-06T15:36:04.140981Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T15:36:16.097Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:swoosh:swoosh:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Swoosh.Adapters.MsGraph\u0027"
],
"packageName": "swoosh",
"packageURL": "pkg:hex/swoosh",
"product": "swoosh",
"programFiles": [
"lib/swoosh/adapters/ms_graph.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Swoosh.Adapters.MsGraph\u0027:deliver/2"
},
{
"name": "\u0027Elixir.Swoosh.Adapters.MsGraph\u0027:api_endpoint_url/2"
}
],
"repo": "https://github.com/swoosh/swoosh",
"vendor": "swoosh",
"versions": [
{
"lessThan": "1.26.3",
"status": "affected",
"version": "1.12.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:swoosh:swoosh:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Swoosh.Adapters.MsGraph\u0027"
],
"packageName": "swoosh/swoosh",
"packageURL": "pkg:github/swoosh/swoosh",
"product": "swoosh",
"programFiles": [
"lib/swoosh/adapters/ms_graph.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Swoosh.Adapters.MsGraph\u0027:deliver/2"
},
{
"name": "\u0027Elixir.Swoosh.Adapters.MsGraph\u0027:api_endpoint_url/2"
}
],
"repo": "https://github.com/swoosh/swoosh",
"vendor": "swoosh",
"versions": [
{
"lessThan": "e38235453e81d1727bfc8d91e69ec4cb211ccf61",
"status": "affected",
"version": "23bfcdab71aee4613858ba6d116bb3311b72aa58",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThis vulnerability only affects applications that use \u003ctt\u003eSwoosh.Adapters.MsGraph\u003c/tt\u003e and derive the email \u003ctt\u003efrom\u003c/tt\u003e address from untrusted or user-influenced input (for example a relay, a contact form, or a \"send as\" feature). Applications that always send with a fixed, trusted \u003ctt\u003efrom\u003c/tt\u003e address are not affected.\u003c/p\u003e"
}
],
"value": "This vulnerability only affects applications that use Swoosh.Adapters.MsGraph and derive the email \"from\" address from untrusted or user-influenced input (for example a relay, a contact form, or a \"send as\" feature). Applications that always send with a fixed, trusted \"from\" address are not affected."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:swoosh:swoosh:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.26.3",
"versionStartIncluding": "1.12.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Po Chen"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eURL path injection in the Microsoft Graph adapter of Swoosh. \u003ctt\u003eSwoosh.Adapters.MsGraph\u003c/tt\u003e builds its Microsoft Graph API request URL by interpolating the sender\u0027s email address into the URL path (\u003ctt\u003e/users/{from}/sendMail\u003c/tt\u003e) without percent-encoding or validation.\u003c/p\u003e\u003cp\u003eIn applications that derive the \u003ctt\u003efrom\u003c/tt\u003e address from untrusted or user-influenced input (for example a relay, a contact form, or a \"send as\" feature), an attacker can place URL-special characters such as \u003ctt\u003e/\u003c/tt\u003e, \u003ctt\u003e?\u003c/tt\u003e, or \u003ctt\u003e#\u003c/tt\u003e in the local part of the address to escape the intended path segment and rewrite the path and query string of the request. Because the same authenticated \u003ctt\u003ePOST\u003c/tt\u003e is sent with the application\u0027s Microsoft Graph bearer token, the attacker can redirect it to other Graph endpoints within the token\u0027s scopes and control the request\u0027s query string. Applications that always use a fixed, trusted \u003ctt\u003efrom\u003c/tt\u003e address are not affected.\u003c/p\u003e\u003cp\u003eThis issue affects swoosh from 1.12.0 before 1.26.3.\u003c/p\u003e"
}
],
"value": "URL path injection in the Microsoft Graph adapter of Swoosh. Swoosh.Adapters.MsGraph builds its Microsoft Graph API request URL by interpolating the sender\u0027s email address into the URL path (/users/{from}/sendMail) without percent-encoding or validation.\n\nIn applications that derive the from address from untrusted or user-influenced input (for example a relay, a contact form, or a \"send as\" feature), an attacker can place URL-special characters such as /, ?, or # in the local part of the address to escape the intended path segment and rewrite the path and query string of the request. Because the same authenticated POST is sent with the application\u0027s Microsoft Graph bearer token, the attacker can redirect it to other Graph endpoints within the token\u0027s scopes and control the request\u0027s query string. Applications that always use a fixed, trusted from address are not affected.\n\nThis issue affects swoosh from 1.12.0 before 1.26.3."
}
],
"impacts": [
{
"capecId": "CAPEC-664",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-664 Server Side Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 2.1,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116 Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T04:32:26.465Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/swoosh/swoosh/security/advisories/GHSA-754j-98wh-57rf"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-54893.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-54893"
},
{
"tags": [
"patch"
],
"url": "https://github.com/swoosh/swoosh/commit/e38235453e81d1727bfc8d91e69ec4cb211ccf61"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Email-derived URL path injection in the Swoosh Microsoft Graph adapter",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eValidate or reject sender addresses that contain characters outside the allowed RFC 5321 set (in particular \u003ctt\u003e/\u003c/tt\u003e, \u003ctt\u003e?\u003c/tt\u003e, \u003ctt\u003e#\u003c/tt\u003e, and \u003ctt\u003e..\u003c/tt\u003e) before passing the email to the adapter. Alternatively, set a static \u003ctt\u003e:url\u003c/tt\u003e in the adapter configuration, which bypasses interpolation of the \u003ctt\u003efrom\u003c/tt\u003e address into the request path.\u003c/p\u003e"
}
],
"value": "Validate or reject sender addresses that contain characters outside the allowed RFC 5321 set (in particular /, ?, #, and ..) before passing the email to the adapter. Alternatively, set a static :url in the adapter configuration, which bypasses interpolation of the from address into the request path."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-54893",
"datePublished": "2026-07-06T14:04:16.486Z",
"dateReserved": "2026-06-16T10:47:13.915Z",
"dateUpdated": "2026-07-07T04:32:26.465Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-56810 (GCVE-0-2026-56810)
Vulnerability from cvelistv5 – Published: 2026-07-06 09:17 – Updated: 2026-07-07 04:32
VLAI
EPSS
VEX
Title
mint buffers an entire chunked response chunk in memory in Mint.HTTP1.decode_body/5
Summary
Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint mint (Mint.HTTP1 module) allows a denial of service via an oversized chunked transfer-encoded response.
This vulnerability is associated with program files lib/mint/http1.ex and program routines 'Elixir.Mint.HTTP1':decode_body/5, 'Elixir.Mint.HTTP1':add_body_to_buffer/2.
When Mint decodes a chunked HTTP response body, it accumulates each partial fragment of the current chunk in the connection's data_buffer (an unbounded iolist) via add_body_to_buffer/2 and does not emit the data to the caller until the full declared chunk length has been received. The chunk size is taken directly from the server and parsed with no upper bound, so a malicious or compromised server can announce one enormous chunk (for example a size line of 7FFFFFFF, about 2 GiB) and then send the body bytes slowly without ever completing the chunk. The client buffers every received byte while it waits for a completion that never arrives, and because no data responses are produced until the chunk finishes, a caller that otherwise streams large content-length bodies safely gains no protection. An unauthenticated remote server (reachable whenever a client follows redirects, fetches user-supplied URLs, or processes webhooks) can drive the client's memory arbitrarily high and trigger an out-of-memory condition.
This issue affects mint: from 0.5.0 before 1.9.1.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/elixir-mint/mint/security/advi… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-56810.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-56810 | related |
| https://github.com/elixir-mint/mint/commit/193ce7… | patch |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| elixir-mint | mint |
Affected:
0.5.0 , < 1.9.1
(semver)
cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:* |
|
| elixir-mint | mint |
Affected:
c575d819d39ebf7e9b77ec24584a5ffbb11c844e , < 193ce714907d16e8adc4ab3c40e4f0c2f045b2a6
(git)
cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-56810",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-06T15:52:57.089606Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T15:53:00.170Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/elixir-mint/mint/security/advisories/GHSA-c59h-fq4p-r36r"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Mint.HTTP1\u0027"
],
"packageName": "mint",
"packageURL": "pkg:hex/mint",
"product": "mint",
"programFiles": [
"lib/mint/http1.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Mint.HTTP1\u0027:decode_body/5"
},
{
"name": "\u0027Elixir.Mint.HTTP1\u0027:add_body_to_buffer/2"
}
],
"repo": "https://github.com/elixir-mint/mint",
"vendor": "elixir-mint",
"versions": [
{
"lessThan": "1.9.1",
"status": "affected",
"version": "0.5.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Mint.HTTP1\u0027"
],
"packageName": "elixir-mint/mint",
"packageURL": "pkg:github/elixir-mint/mint",
"product": "mint",
"programFiles": [
"lib/mint/http1.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Mint.HTTP1\u0027:decode_body/5"
},
{
"name": "\u0027Elixir.Mint.HTTP1\u0027:add_body_to_buffer/2"
}
],
"repo": "https://github.com/elixir-mint/mint",
"vendor": "elixir-mint",
"versions": [
{
"lessThan": "193ce714907d16e8adc4ab3c40e4f0c2f045b2a6",
"status": "affected",
"version": "c575d819d39ebf7e9b77ec24584a5ffbb11c844e",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.9.1",
"versionStartIncluding": "0.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Andrea Leopardi"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
},
{
"lang": "en",
"type": "analyst",
"value": "Eric Meadows-J\u00f6nsson"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAllocation of Resources Without Limits or Throttling vulnerability in elixir-mint mint (\u003ctt\u003eMint.HTTP1\u003c/tt\u003e module) allows a denial of service via an oversized \u003ctt\u003echunked\u003c/tt\u003e transfer-encoded response.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/mint/http1.ex\u003c/tt\u003e and program routines \u003ctt\u003e\u0027Elixir.Mint.HTTP1\u0027:decode_body/5\u003c/tt\u003e, \u003ctt\u003e\u0027Elixir.Mint.HTTP1\u0027:add_body_to_buffer/2\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eWhen Mint decodes a \u003ctt\u003echunked\u003c/tt\u003e HTTP response body, it accumulates each partial fragment of the current chunk in the connection\u0027s \u003ctt\u003edata_buffer\u003c/tt\u003e (an unbounded iolist) via \u003ctt\u003eadd_body_to_buffer/2\u003c/tt\u003e and does not emit the data to the caller until the full declared chunk length has been received. The chunk size is taken directly from the server and parsed with no upper bound, so a malicious or compromised server can announce one enormous chunk (for example a size line of \u003ctt\u003e7FFFFFFF\u003c/tt\u003e, about 2 GiB) and then send the body bytes slowly without ever completing the chunk. The client buffers every received byte while it waits for a completion that never arrives, and because no data responses are produced until the chunk finishes, a caller that otherwise streams large \u003ctt\u003econtent-length\u003c/tt\u003e bodies safely gains no protection. An unauthenticated remote server (reachable whenever a client follows redirects, fetches user-supplied URLs, or processes webhooks) can drive the client\u0027s memory arbitrarily high and trigger an out-of-memory condition.\u003c/p\u003e\u003cp\u003eThis issue affects mint: from 0.5.0 before 1.9.1.\u003c/p\u003e"
}
],
"value": "Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint mint (Mint.HTTP1 module) allows a denial of service via an oversized chunked transfer-encoded response.\n\nThis vulnerability is associated with program files lib/mint/http1.ex and program routines \u0027Elixir.Mint.HTTP1\u0027:decode_body/5, \u0027Elixir.Mint.HTTP1\u0027:add_body_to_buffer/2.\n\nWhen Mint decodes a chunked HTTP response body, it accumulates each partial fragment of the current chunk in the connection\u0027s data_buffer (an unbounded iolist) via add_body_to_buffer/2 and does not emit the data to the caller until the full declared chunk length has been received. The chunk size is taken directly from the server and parsed with no upper bound, so a malicious or compromised server can announce one enormous chunk (for example a size line of 7FFFFFFF, about 2 GiB) and then send the body bytes slowly without ever completing the chunk. The client buffers every received byte while it waits for a completion that never arrives, and because no data responses are produced until the chunk finishes, a caller that otherwise streams large content-length bodies safely gains no protection. An unauthenticated remote server (reachable whenever a client follows redirects, fetches user-supplied URLs, or processes webhooks) can drive the client\u0027s memory arbitrarily high and trigger an out-of-memory condition.\n\nThis issue affects mint: from 0.5.0 before 1.9.1."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T04:32:36.390Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/elixir-mint/mint/security/advisories/GHSA-c59h-fq4p-r36r"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-56810.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-56810"
},
{
"tags": [
"patch"
],
"url": "https://github.com/elixir-mint/mint/commit/193ce714907d16e8adc4ab3c40e4f0c2f045b2a6"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "mint buffers an entire chunked response chunk in memory in Mint.HTTP1.decode_body/5",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-56810",
"datePublished": "2026-07-06T09:17:17.429Z",
"dateReserved": "2026-06-23T12:29:02.507Z",
"dateUpdated": "2026-07-07T04:32:36.390Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-58226 (GCVE-0-2026-58226)
Vulnerability from cvelistv5 – Published: 2026-07-06 09:03 – Updated: 2026-07-06 14:04
VLAI
EPSS
VEX
Title
Unauthenticated denial-of-service via unbounded HPACK integer decoding in hpax
Summary
Inefficient Algorithmic Complexity vulnerability in elixir-mint hpax allows unauthenticated denial-of-service via unbounded HPACK integer decoding.
hpax decodes HPACK variable-length integers with no upper bound on the decoded value or the number of continuation octets. 'Elixir.HPAX.Types':decode_remaining_integer/3 accumulates the integer as int + (value <<< m), shifting by 7 more bits for each continuation octet and stopping only on a terminating octet or truncated input, never because the integer grew too large. Because BEAM integers are arbitrary precision, a run of N continuation octets builds an O(N)-bit bignum and re-adds into an ever-larger bignum on each step, so the total decoding cost is superlinear (about O(N^2)). An unauthenticated attacker who can send an HTTP/2 header block to a server using this decoder (reached through the 'Elixir.HPAX':decode/2 entry point) can supply a small header block that forces a large, attacker-controlled amount of CPU (and transient memory), a denial-of-service amplification.
This issue affects hpax from 0.1.1 before 1.0.4.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-407 - Inefficient Algorithmic Complexity
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/elixir-mint/hpax/security/advi… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-58226.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-58226 | related |
| https://github.com/elixir-mint/hpax/commit/1ba4bb… | patch |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| elixir-mint | hpax |
Affected:
0.1.1 , < 1.0.4
(semver)
cpe:2.3:a:elixir-mint:hpax:*:*:*:*:*:*:*:* |
|
| elixir-mint | hpax |
Affected:
56db437a7e2c515e3bdd770ac7947b02cd2390d0 , < 1ba4bb2dc91e80089cf89c73970ac3ded76f17eb
(git)
cpe:2.3:a:elixir-mint:hpax:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-58226",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-06T12:49:38.954923Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T12:49:52.028Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/elixir-mint/hpax/security/advisories/GHSA-jj2p-32j7-whj2"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:elixir-mint:hpax:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"Elixir.HPAX",
"Elixir.HPAX.Types"
],
"packageName": "hpax",
"packageURL": "pkg:hex/hpax",
"product": "hpax",
"programFiles": [
"lib/hpax.ex",
"lib/hpax/types.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.HPAX\u0027:decode/2"
},
{
"name": "\u0027Elixir.HPAX.Types\u0027:decode_integer/2"
},
{
"name": "\u0027Elixir.HPAX.Types\u0027:decode_remaining_integer/3"
}
],
"repo": "https://github.com/elixir-mint/hpax",
"vendor": "elixir-mint",
"versions": [
{
"lessThan": "1.0.4",
"status": "affected",
"version": "0.1.1",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:elixir-mint:hpax:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"Elixir.HPAX",
"Elixir.HPAX.Types"
],
"packageName": "elixir-mint/hpax",
"packageURL": "pkg:github/elixir-mint/hpax",
"product": "hpax",
"programFiles": [
"lib/hpax.ex",
"lib/hpax/types.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.HPAX\u0027:decode/2"
},
{
"name": "\u0027Elixir.HPAX.Types\u0027:decode_integer/2"
},
{
"name": "\u0027Elixir.HPAX.Types\u0027:decode_remaining_integer/3"
}
],
"repo": "https://github.com/elixir-mint/hpax",
"vendor": "elixir-mint",
"versions": [
{
"lessThan": "1ba4bb2dc91e80089cf89c73970ac3ded76f17eb",
"status": "affected",
"version": "56db437a7e2c515e3bdd770ac7947b02cd2390d0",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:elixir-mint:hpax:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.0.4",
"versionStartIncluding": "0.1.1",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Andrea Leopardi"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
},
{
"lang": "en",
"type": "analyst",
"value": "Eric Meadows-J\u00f6nsson"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eInefficient Algorithmic Complexity vulnerability in elixir-mint hpax allows unauthenticated denial-of-service via unbounded HPACK integer decoding.\u003c/p\u003e\u003cp\u003e\u003ctt\u003ehpax\u003c/tt\u003e decodes HPACK variable-length integers with no upper bound on the decoded value or the number of continuation octets. \u003ctt\u003e\u0027Elixir.HPAX.Types\u0027:decode_remaining_integer/3\u003c/tt\u003e accumulates the integer as \u003ctt\u003eint + (value \u0026lt;\u0026lt;\u0026lt; m)\u003c/tt\u003e, shifting by 7 more bits for each continuation octet and stopping only on a terminating octet or truncated input, never because the integer grew too large. Because BEAM integers are arbitrary precision, a run of N continuation octets builds an O(N)-bit bignum and re-adds into an ever-larger bignum on each step, so the total decoding cost is superlinear (about O(N^2)). An unauthenticated attacker who can send an HTTP/2 header block to a server using this decoder (reached through the \u003ctt\u003e\u0027Elixir.HPAX\u0027:decode/2\u003c/tt\u003e entry point) can supply a small header block that forces a large, attacker-controlled amount of CPU (and transient memory), a denial-of-service amplification.\u003c/p\u003e\u003cp\u003eThis issue affects \u003ctt\u003ehpax\u003c/tt\u003e from 0.1.1 before 1.0.4.\u003c/p\u003e"
}
],
"value": "Inefficient Algorithmic Complexity vulnerability in elixir-mint hpax allows unauthenticated denial-of-service via unbounded HPACK integer decoding.\n\nhpax decodes HPACK variable-length integers with no upper bound on the decoded value or the number of continuation octets. \u0027Elixir.HPAX.Types\u0027:decode_remaining_integer/3 accumulates the integer as int + (value \u003c\u003c\u003c m), shifting by 7 more bits for each continuation octet and stopping only on a terminating octet or truncated input, never because the integer grew too large. Because BEAM integers are arbitrary precision, a run of N continuation octets builds an O(N)-bit bignum and re-adds into an ever-larger bignum on each step, so the total decoding cost is superlinear (about O(N^2)). An unauthenticated attacker who can send an HTTP/2 header block to a server using this decoder (reached through the \u0027Elixir.HPAX\u0027:decode/2 entry point) can supply a small header block that forces a large, attacker-controlled amount of CPU (and transient memory), a denial-of-service amplification.\n\nThis issue affects hpax from 0.1.1 before 1.0.4."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-407",
"description": "CWE-407 Inefficient Algorithmic Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T14:04:14.632Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/elixir-mint/hpax/security/advisories/GHSA-jj2p-32j7-whj2"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-58226.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-58226"
},
{
"tags": [
"patch"
],
"url": "https://github.com/elixir-mint/hpax/commit/1ba4bb2dc91e80089cf89c73970ac3ded76f17eb"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Unauthenticated denial-of-service via unbounded HPACK integer decoding in hpax",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-58226",
"datePublished": "2026-07-06T09:03:47.374Z",
"dateReserved": "2026-06-29T18:54:08.633Z",
"dateUpdated": "2026-07-06T14:04:14.632Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54891 (GCVE-0-2026-54891)
Vulnerability from cvelistv5 – Published: 2026-07-02 16:06 – Updated: 2026-07-03 04:29
VLAI
EPSS
VEX
Title
Plaintext APPLICATION_DATA injected during TLS handshake delivered to client application post-handshake in ssl
Summary
Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability in Erlang/OTP ssl (tls_gen_connection module) allows a network-positioned attacker to inject unauthenticated plaintext that the TLS client application later treats as authenticated server data.
The function tls_gen_connection:handle_protocol_record/3 rejects APPLICATION_DATA records that arrive in pre-handshake states when the TLS endpoint acts as a server, but does not apply the same check when the endpoint acts as a client. A network-positioned attacker can send plaintext APPLICATION_DATA records to the client during the handshake. The records are buffered and, once the handshake completes successfully, delivered to the application as if they were authenticated post-handshake data. The attacker cannot observe the client's response or steer the connection, so the impact is limited to blind injection of unauthenticated bytes. The injection window is wider for TLS versions prior to TLS 1.3 than for TLS 1.3.
This vulnerability is associated with program file lib/ssl/src/tls_gen_connection.erl.
This issue affects OTP from OTP 17.0 before 29.0.3, 28.5.0.3 and 27.3.4.14 corresponding to ssl from 5.3.4 before 11.7.3, 11.6.0.3 and 11.2.12.10. TLS 1.3 is affected starting with OTP 22.0, when TLS 1.3 support was added.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-924 - Improper Enforcement of Message Integrity During Transmission in a Communication Channel
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/erlang/otp/security/advisories… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-54891.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-54891 | related |
| https://www.erlang.org/doc/system/versions.html#o… | x_version-scheme |
| https://github.com/erlang/otp/commit/07d2d0e93f6a… | patch |
Impacted products
2 products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54891",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-02T17:24:44.468465Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T17:24:50.025Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"tls_gen_connection"
],
"packageName": "ssl",
"packageURL": "pkg:otp/ssl?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"src/tls_gen_connection.erl"
],
"programRoutines": [
{
"name": "tls_gen_connection:handle_protocol_record/3"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "11.7.3",
"status": "unaffected"
},
{
"at": "11.6.0.3",
"status": "unaffected"
},
{
"at": "11.2.12.10",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "5.3.4",
"versionType": "otp"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"tls_gen_connection"
],
"packageName": "erlang/otp",
"packageURL": "pkg:github/erlang/otp",
"product": "OTP",
"programFiles": [
"lib/ssl/src/tls_gen_connection.erl"
],
"programRoutines": [
{
"name": "tls_gen_connection:handle_protocol_record/3"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "29.0.3",
"status": "unaffected"
},
{
"at": "28.5.0.3",
"status": "unaffected"
},
{
"at": "27.3.4.14",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "17.0",
"versionType": "otp"
},
{
"lessThan": "07d2d0e93f6aaf7652a81e8df075fc1728da5e96",
"status": "affected",
"version": "84adefa331c4159d432d22840663c38f155cd4c1",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "27.3.4.14",
"versionStartIncluding": "17.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "28.5.0.3",
"versionStartIncluding": "28.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "29.0.3",
"versionStartIncluding": "29.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lukas Backstr\u00f6m"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ingela Anderton Andin"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Dan Gudmundsson"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Jakub Witczak"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability in Erlang/OTP ssl (tls_gen_connection module) allows a network-positioned attacker to inject unauthenticated plaintext that the TLS client application later treats as authenticated server data.\u003c/p\u003e\u003cp\u003eThe function \u003ctt\u003etls_gen_connection:handle_protocol_record/3\u003c/tt\u003e rejects \u003ctt\u003eAPPLICATION_DATA\u003c/tt\u003e records that arrive in pre-handshake states when the TLS endpoint acts as a server, but does not apply the same check when the endpoint acts as a client. A network-positioned attacker can send plaintext \u003ctt\u003eAPPLICATION_DATA\u003c/tt\u003e records to the client during the handshake. The records are buffered and, once the handshake completes successfully, delivered to the application as if they were authenticated post-handshake data. The attacker cannot observe the client\u0027s response or steer the connection, so the impact is limited to blind injection of unauthenticated bytes. The injection window is wider for TLS versions prior to TLS 1.3 than for TLS 1.3.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program file \u003ctt\u003elib/ssl/src/tls_gen_connection.erl\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.0 before 29.0.3, 28.5.0.3 and 27.3.4.14 corresponding to ssl from 5.3.4 before 11.7.3, 11.6.0.3 and 11.2.12.10. TLS 1.3 is affected starting with OTP 22.0, when TLS 1.3 support was added.\u003c/p\u003e"
}
],
"value": "Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability in Erlang/OTP ssl (tls_gen_connection module) allows a network-positioned attacker to inject unauthenticated plaintext that the TLS client application later treats as authenticated server data.\n\nThe function tls_gen_connection:handle_protocol_record/3 rejects APPLICATION_DATA records that arrive in pre-handshake states when the TLS endpoint acts as a server, but does not apply the same check when the endpoint acts as a client. A network-positioned attacker can send plaintext APPLICATION_DATA records to the client during the handshake. The records are buffered and, once the handshake completes successfully, delivered to the application as if they were authenticated post-handshake data. The attacker cannot observe the client\u0027s response or steer the connection, so the impact is limited to blind injection of unauthenticated bytes. The injection window is wider for TLS versions prior to TLS 1.3 than for TLS 1.3.\n\nThis vulnerability is associated with program file lib/ssl/src/tls_gen_connection.erl.\n\nThis issue affects OTP from OTP 17.0 before 29.0.3, 28.5.0.3 and 27.3.4.14 corresponding to ssl from 5.3.4 before 11.7.3, 11.6.0.3 and 11.2.12.10. TLS 1.3 is affected starting with OTP 22.0, when TLS 1.3 support was added."
}
],
"impacts": [
{
"capecId": "CAPEC-94",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-94 Adversary in the Middle (AiTM)"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-924",
"description": "CWE-924 Improper Enforcement of Message Integrity During Transmission in a Communication Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-03T04:29:42.794Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-gf6r-99xw-6qg6"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-54891.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-54891"
},
{
"tags": [
"x_version-scheme"
],
"url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/07d2d0e93f6aaf7652a81e8df075fc1728da5e96"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Plaintext APPLICATION_DATA injected during TLS handshake delivered to client application post-handshake in ssl",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-54891",
"datePublished": "2026-07-02T16:06:30.982Z",
"dateReserved": "2026-06-16T10:47:13.915Z",
"dateUpdated": "2026-07-03T04:29:42.794Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55950 (GCVE-0-2026-55950)
Vulnerability from cvelistv5 – Published: 2026-07-02 16:06 – Updated: 2026-07-03 04:29
VLAI
EPSS
VEX
Title
DTLS listener crash via race condition in dtls_packet_demux causes denial of service for all sessions
Summary
Time-of-check Time-of-use (TOCTOU) race condition vulnerability in Erlang/OTP ssl (dtls_packet_demux module) allows an unauthenticated remote attacker to crash all active DTLS sessions on a listener.
A DTLS server listener uses a single shared dtls_packet_demux gen_server process to route incoming UDP datagrams to the correct connection handler. When a DTLS client reconnects rapidly from the same source address and port (sending multiple ClientHello messages in quick succession), a race condition in the demux's internal gb_trees key-value store causes a {key_exists, {old, Client}} crash, terminating the demux process. Because the demux is shared across all DTLS associations on that listener, its crash immediately kills every active DTLS session, not just the attacker's.
The attack is pre-authentication: the attacker only needs to send UDP datagrams containing valid ClientHello messages from the same source IP and port before the intermediate DOWN monitor message is processed by the gen_server. No credentials, no completed handshake, and no special configuration are required, and the crash can be repeated indefinitely to create a persistent denial of service for all clients of that listener.
This vulnerability is associated with program file lib/ssl/src/dtls_packet_demux.erl.
This issue affects OTP from OTP 25.3 before 29.0.3, 28.5.0.3, and 27.3.4.14 corresponding to ssl from 10.9 before 11.7.3, 11.6.0.3, and 11.2.12.10.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/erlang/otp/security/advisories… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-55950.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-55950 | related |
| https://www.erlang.org/doc/system/versions.html#o… | x_version-scheme |
| https://github.com/erlang/otp/commit/e44d2bf01c44… | patch |
Impacted products
2 products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55950",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-02T17:25:47.169172Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T17:25:53.041Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"dtls_packet_demux"
],
"packageName": "ssl",
"packageURL": "pkg:otp/ssl?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"src/dtls_packet_demux.erl"
],
"programRoutines": [
{
"name": "dtls_packet_demux:handle_call/3"
},
{
"name": "dtls_packet_demux:handle_info/2"
},
{
"name": "dtls_packet_demux:new_connection/2"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "11.7.3",
"status": "unaffected"
},
{
"at": "11.6.0.3",
"status": "unaffected"
},
{
"at": "11.2.12.10",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "10.9",
"versionType": "otp"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"dtls_packet_demux"
],
"packageName": "erlang/otp",
"packageURL": "pkg:github/erlang/otp",
"product": "OTP",
"programFiles": [
"lib/ssl/src/dtls_packet_demux.erl"
],
"programRoutines": [
{
"name": "dtls_packet_demux:handle_call/3"
},
{
"name": "dtls_packet_demux:handle_info/2"
},
{
"name": "dtls_packet_demux:new_connection/2"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "29.0.3",
"status": "unaffected"
},
{
"at": "28.5.0.3",
"status": "unaffected"
},
{
"at": "27.3.4.14",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "25.3",
"versionType": "otp"
},
{
"lessThan": "e44d2bf01c4473ef2ea7f09e3523cf96de6e4a04",
"status": "affected",
"version": "44dcb4c3d900777493ce2a6129f451aa475811f9",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe application must accept incoming DTLS connections via \u003ctt\u003essl:listen/2\u003c/tt\u003e with a UDP-based transport. TLS-only deployments are not affected.\u003c/p\u003e"
}
],
"value": "The application must accept incoming DTLS connections via ssl:listen/2 with a UDP-based transport. TLS-only deployments are not affected."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "27.3.4.14",
"versionStartIncluding": "25.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "28.5.0.3",
"versionStartIncluding": "28.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "29.0.3",
"versionStartIncluding": "29.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lukas Backstr\u00f6m"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ingela Anderton Andin"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Dan Gudmundsson"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eTime-of-check Time-of-use (TOCTOU) race condition vulnerability in Erlang/OTP ssl (\u003ctt\u003edtls_packet_demux\u003c/tt\u003e module) allows an unauthenticated remote attacker to crash all active DTLS sessions on a listener.\u003c/p\u003e\u003cp\u003eA DTLS server listener uses a single shared \u003ctt\u003edtls_packet_demux\u003c/tt\u003e \u003ctt\u003egen_server\u003c/tt\u003e process to route incoming UDP datagrams to the correct connection handler. When a DTLS client reconnects rapidly from the same source address and port (sending multiple \u003ctt\u003eClientHello\u003c/tt\u003e messages in quick succession), a race condition in the demux\u0027s internal \u003ctt\u003egb_trees\u003c/tt\u003e key-value store causes a \u003ctt\u003e{key_exists, {old, Client}}\u003c/tt\u003e crash, terminating the demux process. Because the demux is shared across all DTLS associations on that listener, its crash immediately kills every active DTLS session, not just the attacker\u0027s.\u003c/p\u003e\u003cp\u003eThe attack is pre-authentication: the attacker only needs to send UDP datagrams containing valid \u003ctt\u003eClientHello\u003c/tt\u003e messages from the same source IP and port before the intermediate \u003ctt\u003eDOWN\u003c/tt\u003e monitor message is processed by the \u003ctt\u003egen_server\u003c/tt\u003e. No credentials, no completed handshake, and no special configuration are required, and the crash can be repeated indefinitely to create a persistent denial of service for all clients of that listener.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program file \u003ctt\u003elib/ssl/src/dtls_packet_demux.erl\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 25.3 before 29.0.3, 28.5.0.3, and 27.3.4.14 corresponding to ssl from 10.9 before 11.7.3, 11.6.0.3, and 11.2.12.10.\u003c/p\u003e"
}
],
"value": "Time-of-check Time-of-use (TOCTOU) race condition vulnerability in Erlang/OTP ssl (dtls_packet_demux module) allows an unauthenticated remote attacker to crash all active DTLS sessions on a listener.\n\nA DTLS server listener uses a single shared dtls_packet_demux gen_server process to route incoming UDP datagrams to the correct connection handler. When a DTLS client reconnects rapidly from the same source address and port (sending multiple ClientHello messages in quick succession), a race condition in the demux\u0027s internal gb_trees key-value store causes a {key_exists, {old, Client}} crash, terminating the demux process. Because the demux is shared across all DTLS associations on that listener, its crash immediately kills every active DTLS session, not just the attacker\u0027s.\n\nThe attack is pre-authentication: the attacker only needs to send UDP datagrams containing valid ClientHello messages from the same source IP and port before the intermediate DOWN monitor message is processed by the gen_server. No credentials, no completed handshake, and no special configuration are required, and the crash can be repeated indefinitely to create a persistent denial of service for all clients of that listener.\n\nThis vulnerability is associated with program file lib/ssl/src/dtls_packet_demux.erl.\n\nThis issue affects OTP from OTP 25.3 before 29.0.3, 28.5.0.3, and 27.3.4.14 corresponding to ssl from 10.9 before 11.7.3, 11.6.0.3, and 11.2.12.10."
}
],
"impacts": [
{
"capecId": "CAPEC-29",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-29 Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-367",
"description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-03T04:29:33.147Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-hwfc-5hf4-gvr3"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-55950.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-55950"
},
{
"tags": [
"x_version-scheme"
],
"url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/e44d2bf01c4473ef2ea7f09e3523cf96de6e4a04"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "DTLS listener crash via race condition in dtls_packet_demux causes denial of service for all sessions",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-55950",
"datePublished": "2026-07-02T16:06:24.783Z",
"dateReserved": "2026-06-17T17:55:15.685Z",
"dateUpdated": "2026-07-03T04:29:33.147Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54886 (GCVE-0-2026-54886)
Vulnerability from cvelistv5 – Published: 2026-07-02 16:06 – Updated: 2026-07-03 04:29
VLAI
EPSS
VEX
Title
SSH SFTP server denial of service via extended channel data infinite loop
Summary
Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to render an SFTP channel permanently unresponsive.
The handle_data/4 function in ssh_sftpd contains a catch-all clause that accepts channel data of any type. When channel data with a non-zero type code (SSH_MSG_CHANNEL_EXTENDED_DATA) arrives with an empty pending buffer and a payload at or below the SFTP packet size limit, the clause tail-calls itself with identical arguments, creating an infinite loop.
The SFTP protocol operates exclusively on normal channel data (type 0). Extended data (non-zero type) is meaningless for SFTP and is never sent by conforming clients. However, the SSH protocol permits any channel participant to send extended data on an open channel, so an authenticated SFTP client can trigger the loop by sending SSH_MSG_CHANNEL_EXTENDED_DATA with any data_type_code and any non-empty payload at or below the size limit.
The targeted ssh_sftpd process enters an infinite tail-recursive loop. It never processes another message, its message queue grows without bound, and it can only be stopped by killing the process. BEAM's reduction-based scheduler preemption continues to function, so other processes on the node are not starved, but each stuck channel process consumes its full CPU time share continuously and accumulates unbounded message queue memory. Opening many channels amplifies the CPU and memory impact.
Erlang/OTP SSH configurations using the default max_channels setting (infinity) allow an authenticated user to open unlimited channels per connection, amplifying the attack without requiring multiple TCP connections or authentications.
No file contents, credentials, or write access are obtainable through this issue. The impact is limited to denial of service on targeted SFTP channels, with secondary CPU degradation and memory growth.
This vulnerability is associated with program file lib/ssh/src/ssh_sftpd.erl and program routine ssh_sftpd:handle_data/4.
This issue affects OTP from OTP 17.0 until OTP 29.0.3, 28.5.0.3, and 27.3.4.14 corresponding to ssh from 3.0.1 until 6.0.2, 5.5.2.2, and 5.2.11.9.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/erlang/otp/security/advisories… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-54886.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-54886 | related |
| https://www.erlang.org/doc/system/versions.html#o… | x_version-scheme |
| https://github.com/erlang/otp/commit/eaf9550b8ad4… | patch |
Impacted products
2 products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54886",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-02T17:27:25.414155Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T17:27:30.648Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"ssh_sftpd"
],
"packageName": "ssh",
"packageURL": "pkg:otp/ssh?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"src/ssh_sftpd.erl"
],
"programRoutines": [
{
"name": "ssh_sftpd:handle_data/4"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "6.0.2",
"status": "unaffected"
},
{
"at": "5.5.2.2",
"status": "unaffected"
},
{
"at": "5.2.11.9",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "3.0.1",
"versionType": "otp"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"ssh_sftpd"
],
"packageName": "erlang/otp",
"packageURL": "pkg:github/erlang/otp",
"product": "OTP",
"programFiles": [
"lib/ssh/src/ssh_sftpd.erl"
],
"programRoutines": [
{
"name": "ssh_sftpd:handle_data/4"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "29.0.3",
"status": "unaffected"
},
{
"at": "28.5.0.3",
"status": "unaffected"
},
{
"at": "27.3.4.14",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "17.0",
"versionType": "otp"
},
{
"lessThan": "eaf9550b8ad4738b81149d3f617102d980c6dd18",
"status": "affected",
"version": "84adefa3318eef8631bf25cd233246a86eea18cd",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "27.3.4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "28.5.0.3",
"versionStartIncluding": "28.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "29.0.3",
"versionStartIncluding": "29.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lukas Backstr\u00f6m"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Micha\u0142 W\u0105sowski"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Jakub Witczak"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027) vulnerability in Erlang OTP \u003ctt\u003essh\u003c/tt\u003e (\u003ctt\u003essh_sftpd\u003c/tt\u003e module) allows an authenticated SFTP user to render an SFTP channel permanently unresponsive.\u003cp\u003eThe \u003ctt\u003ehandle_data/4\u003c/tt\u003e function in \u003ctt\u003essh_sftpd\u003c/tt\u003e contains a catch-all clause that accepts channel data of any type. When channel data with a non-zero type code (\u003ctt\u003eSSH_MSG_CHANNEL_EXTENDED_DATA\u003c/tt\u003e) arrives with an empty pending buffer and a payload at or below the SFTP packet size limit, the clause tail-calls itself with identical arguments, creating an infinite loop.\u003c/p\u003e\u003cp\u003eThe SFTP protocol operates exclusively on normal channel data (type 0). Extended data (non-zero type) is meaningless for SFTP and is never sent by conforming clients. However, the SSH protocol permits any channel participant to send extended data on an open channel, so an authenticated SFTP client can trigger the loop by sending \u003ctt\u003eSSH_MSG_CHANNEL_EXTENDED_DATA\u003c/tt\u003e with any \u003ctt\u003edata_type_code\u003c/tt\u003e and any non-empty payload at or below the size limit.\u003c/p\u003e\u003cp\u003eThe targeted \u003ctt\u003essh_sftpd\u003c/tt\u003e process enters an infinite tail-recursive loop. It never processes another message, its message queue grows without bound, and it can only be stopped by killing the process. BEAM\u0027s reduction-based scheduler preemption continues to function, so other processes on the node are not starved, but each stuck channel process consumes its full CPU time share continuously and accumulates unbounded message queue memory. Opening many channels amplifies the CPU and memory impact.\u003c/p\u003e\u003cp\u003eErlang/OTP SSH configurations using the default \u003ctt\u003emax_channels\u003c/tt\u003e setting (\u003ctt\u003einfinity\u003c/tt\u003e) allow an authenticated user to open unlimited channels per connection, amplifying the attack without requiring multiple TCP connections or authentications.\u003c/p\u003e\u003cp\u003eNo file contents, credentials, or write access are obtainable through this issue. The impact is limited to denial of service on targeted SFTP channels, with secondary CPU degradation and memory growth.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program file \u003ctt\u003elib/ssh/src/ssh_sftpd.erl\u003c/tt\u003e and program routine \u003ctt\u003essh_sftpd:handle_data/4\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.0 until OTP 29.0.3, 28.5.0.3, and 27.3.4.14 corresponding to \u003ctt\u003essh\u003c/tt\u003e from 3.0.1 until 6.0.2, 5.5.2.2, and 5.2.11.9.\u003c/p\u003e"
}
],
"value": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027) vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to render an SFTP channel permanently unresponsive.\n\nThe handle_data/4 function in ssh_sftpd contains a catch-all clause that accepts channel data of any type. When channel data with a non-zero type code (SSH_MSG_CHANNEL_EXTENDED_DATA) arrives with an empty pending buffer and a payload at or below the SFTP packet size limit, the clause tail-calls itself with identical arguments, creating an infinite loop.\n\nThe SFTP protocol operates exclusively on normal channel data (type 0). Extended data (non-zero type) is meaningless for SFTP and is never sent by conforming clients. However, the SSH protocol permits any channel participant to send extended data on an open channel, so an authenticated SFTP client can trigger the loop by sending SSH_MSG_CHANNEL_EXTENDED_DATA with any data_type_code and any non-empty payload at or below the size limit.\n\nThe targeted ssh_sftpd process enters an infinite tail-recursive loop. It never processes another message, its message queue grows without bound, and it can only be stopped by killing the process. BEAM\u0027s reduction-based scheduler preemption continues to function, so other processes on the node are not starved, but each stuck channel process consumes its full CPU time share continuously and accumulates unbounded message queue memory. Opening many channels amplifies the CPU and memory impact.\n\nErlang/OTP SSH configurations using the default max_channels setting (infinity) allow an authenticated user to open unlimited channels per connection, amplifying the attack without requiring multiple TCP connections or authentications.\n\nNo file contents, credentials, or write access are obtainable through this issue. The impact is limited to denial of service on targeted SFTP channels, with secondary CPU degradation and memory growth.\n\nThis vulnerability is associated with program file lib/ssh/src/ssh_sftpd.erl and program routine ssh_sftpd:handle_data/4.\n\nThis issue affects OTP from OTP 17.0 until OTP 29.0.3, 28.5.0.3, and 27.3.4.14 corresponding to ssh from 3.0.1 until 6.0.2, 5.5.2.2, and 5.2.11.9."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-835",
"description": "CWE-835 Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
"lang": "en",
"type": "CWE"
},
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-03T04:29:26.056Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-7wp4-pc27-2vj9"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-54886.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-54886"
},
{
"tags": [
"x_version-scheme"
],
"url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/eaf9550b8ad4738b81149d3f617102d980c6dd18"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "SSH SFTP server denial of service via extended channel data infinite loop",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cul\u003e\u003cli\u003eSet the \u003ctt\u003emax_channels\u003c/tt\u003e daemon option to a finite value (e.g., \u003ctt\u003e{max_channels, 10}\u003c/tt\u003e) to limit the number of channels an attacker can open per connection.\u003c/li\u003e\u003cli\u003eSet the \u003ctt\u003emax_sessions\u003c/tt\u003e daemon option to limit total concurrent SSH connections to the daemon.\u003c/li\u003e\u003cli\u003eUse external process monitoring to detect and kill \u003ctt\u003essh_sftpd\u003c/tt\u003e processes with abnormally high reduction counts and growing message queues.\u003c/li\u003e\u003cli\u003eEnsure that the SFTP server port is not reachable from untrusted machines.\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "* Set the max_channels daemon option to a finite value (e.g., {max_channels, 10}) to limit the number of channels an attacker can open per connection.\n* Set the max_sessions daemon option to limit total concurrent SSH connections to the daemon.\n* Use external process monitoring to detect and kill ssh_sftpd processes with abnormally high reduction counts and growing message queues.\n* Ensure that the SFTP server port is not reachable from untrusted machines."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-54886",
"datePublished": "2026-07-02T16:06:20.502Z",
"dateReserved": "2026-06-16T10:47:13.914Z",
"dateUpdated": "2026-07-03T04:29:26.056Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55952 (GCVE-0-2026-55952)
Vulnerability from cvelistv5 – Published: 2026-07-02 16:06 – Updated: 2026-07-03 04:29
VLAI
EPSS
VEX
Title
TLS 1.3 server denial of service via malformed ClientHello pre-shared key extension
Summary
The Erlang/OTP ssl application does not validate that the PSK identity list and binder list carried in a TLS 1.3 ClientHello pre-shared key extension have equal length before passing them to the session ticket handler. In tls_handshake_1_3:handle_pre_shared_key/3, an OfferedPreSharedKeys record with a mismatched number of identities and binders is forwarded directly to tls_server_session_ticket:use/4, which crashes the session ticket handler process.
An unauthenticated remote attacker can send a single crafted ClientHello to a TLS 1.3 server with session tickets enabled (stateful or stateless mode) and permanently disrupt session ticket handling on that listener. New TLS 1.3 handshakes complete but subsequently crash when the server attempts to issue a session ticket, effectively making TLS 1.3 unusable on the affected listener until the ssl application is restarted. TLS 1.2 connections are not affected.
This issue affects OTP from 22.2 before 29.0.3, 28.5.0.3 and 27.3.4.14 corresponding to ssl from 9.5 before 11.7.3, 11.6.0.3 and 11.2.12.10.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1284 - Improper Validation of Specified Quantity in Input
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://github.com/erlang/otp/security/advisories… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-55952.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-55952 | related |
| https://www.erlang.org/doc/system/versions.html#o… | x_version-scheme |
| https://github.com/erlang/otp/commit/e77823e6d980… | patch |
| https://github.com/erlang/otp/commit/2c3e59979764… | patch |
| https://github.com/erlang/otp/commit/9b5437c72fa3… | patch |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55952",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-02T17:28:09.569991Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T17:28:15.681Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"tls_handshake_1_3"
],
"packageName": "ssl",
"packageURL": "pkg:otp/ssl?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"src/tls_handshake_1_3.erl"
],
"programRoutines": [
{
"name": "tls_handshake_1_3:handle_pre_shared_key/3"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "11.7.3",
"status": "unaffected"
},
{
"at": "11.6.0.3",
"status": "unaffected"
},
{
"at": "11.2.12.10",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "9.5",
"versionType": "otp"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"tls_handshake_1_3"
],
"packageName": "erlang/otp",
"packageURL": "pkg:github/erlang/otp",
"product": "OTP",
"programFiles": [
"lib/ssl/src/tls_handshake_1_3.erl"
],
"programRoutines": [
{
"name": "tls_handshake_1_3:handle_pre_shared_key/3"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "29.0.3",
"status": "unaffected"
},
{
"at": "28.5.0.3",
"status": "unaffected"
},
{
"at": "27.3.4.14",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "22.2",
"versionType": "otp"
},
{
"changes": [
{
"at": "e77823e6d980b2ec0b4fe4ea3f2d098ca239e3ce",
"status": "unaffected"
},
{
"at": "2c3e599797644310e5d4aa39c7193420e59dadff",
"status": "unaffected"
},
{
"at": "9b5437c72fa3403a75c1aba28e5c532bc191c662",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "339a279f02ce38a7b23010e56000613e19abb21f",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe vulnerability only affects TLS 1.3 servers that have session tickets enabled (either stateful or stateless mode). TLS 1.2 connections and clients are not affected.\u003c/p\u003e"
}
],
"value": "The vulnerability only affects TLS 1.3 servers that have session tickets enabled (either stateful or stateless mode). TLS 1.2 connections and clients are not affected."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "27.3.4.14",
"versionStartIncluding": "22.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "28.5.0.3",
"versionStartIncluding": "28.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "29.0.3",
"versionStartIncluding": "29.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lukas Backstr\u00f6m"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ingela Anderton Andin"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Dan Gudmundsson"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Jakub Witczak"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe Erlang/OTP \u003ctt\u003essl\u003c/tt\u003e application does not validate that the PSK identity list and binder list carried in a TLS 1.3 \u003ctt\u003eClientHello\u003c/tt\u003e pre-shared key extension have equal length before passing them to the session ticket handler. In \u003ctt\u003etls_handshake_1_3:handle_pre_shared_key/3\u003c/tt\u003e, an \u003ctt\u003eOfferedPreSharedKeys\u003c/tt\u003e record with a mismatched number of identities and binders is forwarded directly to \u003ctt\u003etls_server_session_ticket:use/4\u003c/tt\u003e, which crashes the session ticket handler process.\u003c/p\u003e\u003cp\u003eAn unauthenticated remote attacker can send a single crafted \u003ctt\u003eClientHello\u003c/tt\u003e to a TLS 1.3 server with session tickets enabled (stateful or stateless mode) and permanently disrupt session ticket handling on that listener. New TLS 1.3 handshakes complete but subsequently crash when the server attempts to issue a session ticket, effectively making TLS 1.3 unusable on the affected listener until the \u003ctt\u003essl\u003c/tt\u003e application is restarted. TLS 1.2 connections are not affected.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from 22.2 before 29.0.3, 28.5.0.3 and 27.3.4.14 corresponding to ssl from 9.5 before 11.7.3, 11.6.0.3 and 11.2.12.10.\u003c/p\u003e"
}
],
"value": "The Erlang/OTP ssl application does not validate that the PSK identity list and binder list carried in a TLS 1.3 ClientHello pre-shared key extension have equal length before passing them to the session ticket handler. In tls_handshake_1_3:handle_pre_shared_key/3, an OfferedPreSharedKeys record with a mismatched number of identities and binders is forwarded directly to tls_server_session_ticket:use/4, which crashes the session ticket handler process.\n\nAn unauthenticated remote attacker can send a single crafted ClientHello to a TLS 1.3 server with session tickets enabled (stateful or stateless mode) and permanently disrupt session ticket handling on that listener. New TLS 1.3 handshakes complete but subsequently crash when the server attempts to issue a session ticket, effectively making TLS 1.3 unusable on the affected listener until the ssl application is restarted. TLS 1.2 connections are not affected.\n\nThis issue affects OTP from 22.2 before 29.0.3, 28.5.0.3 and 27.3.4.14 corresponding to ssl from 9.5 before 11.7.3, 11.6.0.3 and 11.2.12.10."
}
],
"impacts": [
{
"capecId": "CAPEC-153",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-153 Input Data Manipulation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1284",
"description": "CWE-1284 Improper Validation of Specified Quantity in Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-03T04:29:07.026Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-8c57-44c9-pc59"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-55952.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-55952"
},
{
"tags": [
"x_version-scheme"
],
"url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/e77823e6d980b2ec0b4fe4ea3f2d098ca239e3ce"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/2c3e599797644310e5d4aa39c7193420e59dadff"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/9b5437c72fa3403a75c1aba28e5c532bc191c662"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "TLS 1.3 server denial of service via malformed ClientHello pre-shared key extension",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cul\u003e\u003cli\u003eDisable session tickets on TLS 1.3 servers by setting \u003ctt\u003esession_tickets\u003c/tt\u003e to \u003ctt\u003edisabled\u003c/tt\u003e in the server\u0027s \u003ctt\u003essl\u003c/tt\u003e options.\u003c/li\u003e\u003cli\u003eRestrict the server to TLS 1.2 by setting \u003ctt\u003eversions\u003c/tt\u003e to \u003ctt\u003e[\u0027tlsv1.2\u0027]\u003c/tt\u003e in the server\u0027s \u003ctt\u003essl\u003c/tt\u003e options.\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "* Disable session tickets on TLS 1.3 servers by setting session_tickets to disabled in the server\u0027s ssl options.\n* Restrict the server to TLS 1.2 by setting versions to [\u0027tlsv1.2\u0027] in the server\u0027s ssl options."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-55952",
"datePublished": "2026-07-02T16:06:08.474Z",
"dateReserved": "2026-06-17T17:55:15.686Z",
"dateUpdated": "2026-07-03T04:29:07.026Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54887 (GCVE-0-2026-54887)
Vulnerability from cvelistv5 – Published: 2026-07-02 16:06 – Updated: 2026-07-03 04:29
VLAI
EPSS
VEX
Title
DTLS server cookie bypass during startup window due to empty initial cookie secret
Summary
Use of Default Cryptographic Key vulnerability in Erlang/OTP ssl (DTLS server) allows predictable DTLS cookie computation during the startup window, enabling source address verification bypass.
On DTLS server startup, dtls_server_connection:initial_hello/3 initializes previous_cookie_secret to the empty binary (<<>>) instead of a random value. Because HMAC with an empty key is deterministic, anyone who observes the plaintext ClientHello can compute dtls_handshake:cookie(<<>>, IP, Port, Hello) and forge a valid DTLS cookie before the first rotation of the cookie secret. The DTLS cookie (RFC 6347 §4.2.1) is a denial-of-service mitigation that prevents spoofed source IPs from forcing the server to allocate state and perform expensive cryptographic operations; it is not an authentication mechanism. During the window from server startup until the first secret rotation (0 to 15 seconds), an attacker who can observe the plaintext ClientHello can bypass the source address verification, enabling DTLS handshake amplification with spoofed source addresses.
This vulnerability is associated with program file lib/ssl/src/dtls_server_connection.erl and program routine dtls_server_connection:initial_hello/3.
This issue affects OTP from OTP 20.0 before 29.0.3, 28.5.0.3 and 27.3.4.14 corresponding to ssl from 8.2 before 11.7.3, 11.6.0.3 and 11.2.12.10.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1394 - Use of Default Cryptographic Key
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/erlang/otp/security/advisories… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-54887.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-54887 | related |
| https://www.erlang.org/doc/system/versions.html#o… | x_version-scheme |
| https://github.com/erlang/otp/commit/888e3bcd72d5… | patch |
Impacted products
2 products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54887",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-02T17:28:36.936306Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T17:28:43.784Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"dtls_server_connection"
],
"packageName": "ssl",
"packageURL": "pkg:otp/ssl?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"src/dtls_server_connection.erl"
],
"programRoutines": [
{
"name": "dtls_server_connection:initial_hello/3"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "11.7.3",
"status": "unaffected"
},
{
"at": "11.6.0.3",
"status": "unaffected"
},
{
"at": "11.2.12.10",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "8.2",
"versionType": "otp"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"dtls_server_connection"
],
"packageName": "erlang/otp",
"packageURL": "pkg:github/erlang/otp",
"product": "OTP",
"programFiles": [
"lib/ssl/src/dtls_server_connection.erl"
],
"programRoutines": [
{
"name": "dtls_server_connection:initial_hello/3"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "29.0.3",
"status": "unaffected"
},
{
"at": "28.5.0.3",
"status": "unaffected"
},
{
"at": "27.3.4.14",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "20.0",
"versionType": "otp"
},
{
"lessThan": "888e3bcd72d5406016b9e0de741026bc2a6f114d",
"status": "affected",
"version": "e594aad2f87aab39e99fccf9e021bc94e0bbf7d4",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "27.3.4.14",
"versionStartIncluding": "20.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "28.5.0.3",
"versionStartIncluding": "28.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "29.0.3",
"versionStartIncluding": "29.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lukas Backstr\u00f6m"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ingela Anderton Andin"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Dan Gudmundsson"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUse of Default Cryptographic Key vulnerability in Erlang/OTP ssl (DTLS server) allows predictable DTLS cookie computation during the startup window, enabling source address verification bypass.\u003c/p\u003e\u003cp\u003eOn DTLS server startup, \u003ctt\u003edtls_server_connection:initial_hello/3\u003c/tt\u003e initializes \u003ctt\u003eprevious_cookie_secret\u003c/tt\u003e to the empty binary (\u003ctt\u003e\u0026lt;\u0026lt;\u0026gt;\u0026gt;\u003c/tt\u003e) instead of a random value. Because HMAC with an empty key is deterministic, anyone who observes the plaintext \u003ctt\u003eClientHello\u003c/tt\u003e can compute \u003ctt\u003edtls_handshake:cookie(\u0026lt;\u0026lt;\u0026gt;\u0026gt;, IP, Port, Hello)\u003c/tt\u003e and forge a valid DTLS cookie before the first rotation of the cookie secret. The DTLS cookie (RFC 6347 \u00a74.2.1) is a denial-of-service mitigation that prevents spoofed source IPs from forcing the server to allocate state and perform expensive cryptographic operations; it is not an authentication mechanism. During the window from server startup until the first secret rotation (0 to 15 seconds), an attacker who can observe the plaintext \u003ctt\u003eClientHello\u003c/tt\u003e can bypass the source address verification, enabling DTLS handshake amplification with spoofed source addresses.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program file \u003ctt\u003elib/ssl/src/dtls_server_connection.erl\u003c/tt\u003e and program routine \u003ctt\u003edtls_server_connection:initial_hello/3\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 20.0 before 29.0.3, 28.5.0.3 and 27.3.4.14 corresponding to ssl from 8.2 before 11.7.3, 11.6.0.3 and 11.2.12.10.\u003c/p\u003e"
}
],
"value": "Use of Default Cryptographic Key vulnerability in Erlang/OTP ssl (DTLS server) allows predictable DTLS cookie computation during the startup window, enabling source address verification bypass.\n\nOn DTLS server startup, dtls_server_connection:initial_hello/3 initializes previous_cookie_secret to the empty binary (\u003c\u003c\u003e\u003e) instead of a random value. Because HMAC with an empty key is deterministic, anyone who observes the plaintext ClientHello can compute dtls_handshake:cookie(\u003c\u003c\u003e\u003e, IP, Port, Hello) and forge a valid DTLS cookie before the first rotation of the cookie secret. The DTLS cookie (RFC 6347 \u00a74.2.1) is a denial-of-service mitigation that prevents spoofed source IPs from forcing the server to allocate state and perform expensive cryptographic operations; it is not an authentication mechanism. During the window from server startup until the first secret rotation (0 to 15 seconds), an attacker who can observe the plaintext ClientHello can bypass the source address verification, enabling DTLS handshake amplification with spoofed source addresses.\n\nThis vulnerability is associated with program file lib/ssl/src/dtls_server_connection.erl and program routine dtls_server_connection:initial_hello/3.\n\nThis issue affects OTP from OTP 20.0 before 29.0.3, 28.5.0.3 and 27.3.4.14 corresponding to ssl from 8.2 before 11.7.3, 11.6.0.3 and 11.2.12.10."
}
],
"impacts": [
{
"capecId": "CAPEC-485",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-485 Signature Spoofing by Key Recreation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1394",
"description": "CWE-1394 Use of Default Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-03T04:29:00.191Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-p2m2-3c2w-8jp8"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-54887.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-54887"
},
{
"tags": [
"x_version-scheme"
],
"url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/888e3bcd72d5406016b9e0de741026bc2a6f114d"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "DTLS server cookie bypass during startup window due to empty initial cookie secret",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-54887",
"datePublished": "2026-07-02T16:06:04.156Z",
"dateReserved": "2026-06-16T10:47:13.915Z",
"dateUpdated": "2026-07-03T04:29:00.191Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53422 (GCVE-0-2026-53422)
Vulnerability from cvelistv5 – Published: 2026-07-02 16:06 – Updated: 2026-07-03 04:28
VLAI
EPSS
VEX
Title
SFTP REALPATH path-existence oracle allowing filesystem enumeration outside configured root
Summary
Observable Response Discrepancy vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to enumerate the existence of files and directories outside the configured root directory.
The SSH_FXP_REALPATH handler in ssh_sftpd calls relate_file_name/3 with Canonicalize=false, unlike every other SFTP operation handler. This allows .. components in the requested path to bypass the is_within_root/2 check without being resolved. The un-canonicalized path then enters resolve_symlinks/2, which walks up the directory tree above the configured root and issues read_link() syscalls on arbitrary filesystem paths.
An authenticated SFTP client can exploit this by sending a REALPATH request with a crafted traversal path. The server response differs depending on whether the target path exists on the host filesystem (SSH_FXP_NAME when the path resolves successfully, SSH_FX_NO_SUCH_FILE when it does not). This creates a path-existence oracle that an attacker can use to enumerate the filesystem structure outside the configured root, including the existence of sensitive files, directories, and mount points.
The vulnerability leaks only the existence of paths. No file contents, credentials, or write access are obtainable through this issue alone. The information gained may assist further attacks when combined with other vulnerabilities.
This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl and program routine ssh_sftpd:handle_op/4.
This issue affects OTP from OTP 17.0 until OTP 29.0.3, 28.5.0.3, and 27.3.4.14 corresponding to ssh from 3.0.1 until 6.0.2, 5.5.2.2, and 5.2.11.9.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-204 - Observable Response Discrepancy
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://github.com/erlang/otp/security/advisories… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-53422.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-53422 | related |
| https://www.erlang.org/doc/system/versions.html#o… | x_version-scheme |
| https://github.com/erlang/otp/commit/059e5785ef8c… | patch |
| https://github.com/erlang/otp/commit/86622cfaacf5… | patch |
| https://github.com/erlang/otp/commit/c5a8f50ae688… | patch |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-53422",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-02T17:29:13.490797Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T17:29:32.878Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"ssh_sftpd"
],
"packageName": "ssh",
"packageURL": "pkg:otp/ssh?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"src/ssh_sftpd.erl"
],
"programRoutines": [
{
"name": "ssh_sftpd:handle_op/4"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "6.0.2",
"status": "unaffected"
},
{
"at": "5.5.2.2",
"status": "unaffected"
},
{
"at": "5.2.11.9",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "3.0.1",
"versionType": "otp"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"ssh_sftpd"
],
"packageName": "erlang/otp",
"packageURL": "pkg:github/erlang/otp",
"product": "OTP",
"programFiles": [
"lib/ssh/src/ssh_sftpd.erl"
],
"programRoutines": [
{
"name": "ssh_sftpd:handle_op/4"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "29.0.3",
"status": "unaffected"
},
{
"at": "28.5.0.3",
"status": "unaffected"
},
{
"at": "27.3.4.14",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "17.0",
"versionType": "otp"
},
{
"changes": [
{
"at": "059e5785ef8c1d423820ca633fb7b37f47645172",
"status": "unaffected"
},
{
"at": "86622cfaacf57a02c7645d1999f946846b504c94",
"status": "unaffected"
},
{
"at": "c5a8f50ae68888ff243c5c741a06d2b3a4b48b7a",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "84adefa331c4159d432d22840663c38f155cd4c1",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe SFTP subsystem must be configured with the \u003ctt\u003eroot\u003c/tt\u003e option in \u003ctt\u003essh_sftpd:subsystem_spec/1\u003c/tt\u003e, and the operator must rely on it to provide filesystem path isolation. The \u003ctt\u003eroot\u003c/tt\u003e option is not set by default.\u003c/p\u003e"
}
],
"value": "The SFTP subsystem must be configured with the root option in ssh_sftpd:subsystem_spec/1, and the operator must rely on it to provide filesystem path isolation. The root option is not set by default."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "27.3.4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "28.5.0.3",
"versionStartIncluding": "28.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "29.0.3",
"versionStartIncluding": "29.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mohamed Ali IBNAL HAJALI / Ericsson"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Micha\u0142 W\u0105sowski"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Jakub Witczak"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eObservable Response Discrepancy vulnerability in Erlang OTP \u003ctt\u003essh\u003c/tt\u003e (\u003ctt\u003essh_sftpd\u003c/tt\u003e module) allows an authenticated SFTP user to enumerate the existence of files and directories outside the configured root directory.\u003c/p\u003e\u003cp\u003eThe \u003ctt\u003eSSH_FXP_REALPATH\u003c/tt\u003e handler in \u003ctt\u003essh_sftpd\u003c/tt\u003e calls \u003ctt\u003erelate_file_name/3\u003c/tt\u003e with \u003ctt\u003eCanonicalize=false\u003c/tt\u003e, unlike every other SFTP operation handler. This allows \u003ctt\u003e..\u003c/tt\u003e components in the requested path to bypass the \u003ctt\u003eis_within_root/2\u003c/tt\u003e check without being resolved. The un-canonicalized path then enters \u003ctt\u003eresolve_symlinks/2\u003c/tt\u003e, which walks up the directory tree above the configured root and issues \u003ctt\u003eread_link()\u003c/tt\u003e syscalls on arbitrary filesystem paths.\u003c/p\u003e\u003cp\u003eAn authenticated SFTP client can exploit this by sending a \u003ctt\u003eREALPATH\u003c/tt\u003e request with a crafted traversal path. The server response differs depending on whether the target path exists on the host filesystem (\u003ctt\u003eSSH_FXP_NAME\u003c/tt\u003e when the path resolves successfully, \u003ctt\u003eSSH_FX_NO_SUCH_FILE\u003c/tt\u003e when it does not). This creates a path-existence oracle that an attacker can use to enumerate the filesystem structure outside the configured root, including the existence of sensitive files, directories, and mount points.\u003c/p\u003e\u003cp\u003eThe vulnerability leaks only the existence of paths. No file contents, credentials, or write access are obtainable through this issue alone. The information gained may assist further attacks when combined with other vulnerabilities.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/ssh/src/ssh_sftpd.erl\u003c/tt\u003e and program routine \u003ctt\u003essh_sftpd:handle_op/4\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 17.0 until OTP 29.0.3, 28.5.0.3, and 27.3.4.14 corresponding to \u003ctt\u003essh\u003c/tt\u003e from 3.0.1 until 6.0.2, 5.5.2.2, and 5.2.11.9.\u003c/p\u003e"
}
],
"value": "Observable Response Discrepancy vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to enumerate the existence of files and directories outside the configured root directory.\n\nThe SSH_FXP_REALPATH handler in ssh_sftpd calls relate_file_name/3 with Canonicalize=false, unlike every other SFTP operation handler. This allows .. components in the requested path to bypass the is_within_root/2 check without being resolved. The un-canonicalized path then enters resolve_symlinks/2, which walks up the directory tree above the configured root and issues read_link() syscalls on arbitrary filesystem paths.\n\nAn authenticated SFTP client can exploit this by sending a REALPATH request with a crafted traversal path. The server response differs depending on whether the target path exists on the host filesystem (SSH_FXP_NAME when the path resolves successfully, SSH_FX_NO_SUCH_FILE when it does not). This creates a path-existence oracle that an attacker can use to enumerate the filesystem structure outside the configured root, including the existence of sensitive files, directories, and mount points.\n\nThe vulnerability leaks only the existence of paths. No file contents, credentials, or write access are obtainable through this issue alone. The information gained may assist further attacks when combined with other vulnerabilities.\n\nThis vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl and program routine ssh_sftpd:handle_op/4.\n\nThis issue affects OTP from OTP 17.0 until OTP 29.0.3, 28.5.0.3, and 27.3.4.14 corresponding to ssh from 3.0.1 until 6.0.2, 5.5.2.2, and 5.2.11.9."
}
],
"impacts": [
{
"capecId": "CAPEC-54",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-54 Query System for Information"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-204",
"description": "CWE-204 Observable Response Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-03T04:28:59.578Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-h9pw-h5w4-h976"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-53422.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-53422"
},
{
"tags": [
"x_version-scheme"
],
"url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/059e5785ef8c1d423820ca633fb7b37f47645172"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/86622cfaacf57a02c7645d1999f946846b504c94"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/c5a8f50ae68888ff243c5c741a06d2b3a4b48b7a"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "SFTP REALPATH path-existence oracle allowing filesystem enumeration outside configured root",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cul\u003e\u003cli\u003eUse OS-level chroot to run the Erlang VM or SFTP server process in an isolated filesystem environment, eliminating reliance on the application-level \u003ctt\u003eroot\u003c/tt\u003e option.\u003c/li\u003e\u003cli\u003eEnsure the SFTP server port on the machine running the Erlang/OTP SFTP server is not reachable from untrusted machines.\u003c/li\u003e\u003cli\u003eEnsure that no sensitive information (usernames, project names, mount topology) is inferrable from the existence or non-existence of paths on the host filesystem.\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "* Use OS-level chroot to run the Erlang VM or SFTP server process in an isolated filesystem environment, eliminating reliance on the application-level root option.\n* Ensure the SFTP server port on the machine running the Erlang/OTP SFTP server is not reachable from untrusted machines.\n* Ensure that no sensitive information (usernames, project names, mount topology) is inferrable from the existence or non-existence of paths on the host filesystem."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-53422",
"datePublished": "2026-07-02T16:06:03.802Z",
"dateReserved": "2026-06-09T11:01:47.529Z",
"dateUpdated": "2026-07-03T04:28:59.578Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53426 (GCVE-0-2026-53426)
Vulnerability from cvelistv5 – Published: 2026-06-29 19:11 – Updated: 2026-06-30 04:38
VLAI
EPSS
VEX
Title
Atom-table exhaustion denial-of-service via JSON parse_document in MDEx
Summary
Allocation of Resources Without Limits or Throttling vulnerability in leandrocp MDEx allows Excessive Allocation.
MDEx.parse_document/2 accepts a {:json, json} source. In lib/mdex.ex, the private json_to_node/1 function passes the attacker-controlled node_type value to Module.concat/1, which calls String.to_atom/1 and interns a brand-new atom for every distinct value. Atoms are never garbage collected on the BEAM, so a crafted JSON document carrying a unique node_type at each (deeply nested) node mints one permanent atom per node.
A single document can intern hundreds of thousands of atoms, and a large enough document exhausts the default atom table (around 1,048,576 atoms) and aborts the entire Erlang VM, taking down every process on the node. Any application that passes untrusted input to the {:json, ...} source of MDEx.parse_document is exposed to an unauthenticated denial-of-service.
This issue affects mdex from 0.4.3 before 0.13.2.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/leandrocp/mdex/security/adviso… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-53426.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-53426 | related |
| https://github.com/leandrocp/mdex/commit/00fddf44… | patch |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-53426",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T20:49:38.921685Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T20:49:48.817Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDEx\u0027"
],
"packageName": "mdex",
"packageURL": "pkg:hex/mdex",
"product": "mdex",
"programFiles": [
"lib/mdex.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.MDEx\u0027:parse_document/2"
},
{
"name": "\u0027Elixir.MDEx\u0027:json_to_node/1"
}
],
"repo": "https://github.com/leandrocp/mdex",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "0.13.2",
"status": "affected",
"version": "0.4.3",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDEx\u0027"
],
"packageName": "leandrocp/mdex",
"packageURL": "pkg:github/leandrocp/mdex",
"product": "mdex",
"programFiles": [
"lib/mdex.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.MDEx\u0027:parse_document/2"
},
{
"name": "\u0027Elixir.MDEx\u0027:json_to_node/1"
}
],
"repo": "https://github.com/leandrocp/mdex",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "00fddf444220a1f1cc0af0a1cab6738804878387",
"status": "affected",
"version": "cbb59a3f792dbc343873adec3466f49c853dc309",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.13.2",
"versionStartIncluding": "0.4.3",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Leandro Pereira"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAllocation of Resources Without Limits or Throttling vulnerability in leandrocp MDEx allows Excessive Allocation.\u003c/p\u003e\u003cp\u003e\u003ctt\u003eMDEx.parse_document/2\u003c/tt\u003e accepts a \u003ctt\u003e{:json, json}\u003c/tt\u003e source. In \u003ctt\u003elib/mdex.ex\u003c/tt\u003e, the private \u003ctt\u003ejson_to_node/1\u003c/tt\u003e function passes the attacker-controlled \u003ctt\u003enode_type\u003c/tt\u003e value to \u003ctt\u003eModule.concat/1\u003c/tt\u003e, which calls \u003ctt\u003eString.to_atom/1\u003c/tt\u003e and interns a brand-new atom for every distinct value. Atoms are never garbage collected on the BEAM, so a crafted JSON document carrying a unique \u003ctt\u003enode_type\u003c/tt\u003e at each (deeply nested) node mints one permanent atom per node.\u003c/p\u003e\u003cp\u003eA single document can intern hundreds of thousands of atoms, and a large enough document exhausts the default atom table (around 1,048,576 atoms) and aborts the entire Erlang VM, taking down every process on the node. Any application that passes untrusted input to the \u003ctt\u003e{:json, ...}\u003c/tt\u003e source of \u003ctt\u003eMDEx.parse_document\u003c/tt\u003e is exposed to an unauthenticated denial-of-service.\u003c/p\u003e\u003cp\u003eThis issue affects mdex from 0.4.3 before 0.13.2.\u003c/p\u003e"
}
],
"value": "Allocation of Resources Without Limits or Throttling vulnerability in leandrocp MDEx allows Excessive Allocation.\n\nMDEx.parse_document/2 accepts a {:json, json} source. In lib/mdex.ex, the private json_to_node/1 function passes the attacker-controlled node_type value to Module.concat/1, which calls String.to_atom/1 and interns a brand-new atom for every distinct value. Atoms are never garbage collected on the BEAM, so a crafted JSON document carrying a unique node_type at each (deeply nested) node mints one permanent atom per node.\n\nA single document can intern hundreds of thousands of atoms, and a large enough document exhausts the default atom table (around 1,048,576 atoms) and aborts the entire Erlang VM, taking down every process on the node. Any application that passes untrusted input to the {:json, ...} source of MDEx.parse_document is exposed to an unauthenticated denial-of-service.\n\nThis issue affects mdex from 0.4.3 before 0.13.2."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T04:38:27.190Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/leandrocp/mdex/security/advisories/GHSA-923r-7vf4-5vw8"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-53426.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-53426"
},
{
"tags": [
"patch"
],
"url": "https://github.com/leandrocp/mdex/commit/00fddf444220a1f1cc0af0a1cab6738804878387"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Atom-table exhaustion denial-of-service via JSON parse_document in MDEx",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eDo not pass untrusted or attacker-controlled input to the \u003ctt\u003e{:json, ...}\u003c/tt\u003e source of \u003ctt\u003eMDEx.parse_document/2\u003c/tt\u003e. The \u003ctt\u003e{:markdown, ...}\u003c/tt\u003e source is not affected.\u003c/p\u003e"
}
],
"value": "Do not pass untrusted or attacker-controlled input to the {:json, ...} source of MDEx.parse_document/2. The {:markdown, ...} source is not affected."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-53426",
"datePublished": "2026-06-29T19:11:32.605Z",
"dateReserved": "2026-06-09T11:01:47.529Z",
"dateUpdated": "2026-06-30T04:38:27.190Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54889 (GCVE-0-2026-54889)
Vulnerability from cvelistv5 – Published: 2026-06-29 19:10 – Updated: 2026-06-30 04:38
VLAI
EPSS
VEX
Title
Unsanitized URL schemes in MDEx Quill Delta output allow javascript: injection (XSS)
Summary
Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in leandrocp mdex allows cross-site scripting via unsanitized URL schemes in Quill Delta output.
'Elixir.MDEx':to_delta/2 converts Markdown into a Quill Delta. 'Elixir.MDEx.DeltaConverter':default_convert_node/3 in lib/mdex/delta_converter.ex copies the URL of a link, wikilink, or image node directly from the parsed Markdown into the Delta "link" or "image" attribute without applying a scheme allowlist or any normalization.
An attacker who controls the Markdown text can supply a javascript: URL (for example [click](javascript:alert(document.cookie))) that survives verbatim into the Delta attribute. When the Delta is rendered to HTML by a downstream renderer (such as quill-delta-to-html or the Quill client), the attribute becomes an <a href> or <img src>, and the javascript: scheme executes in the browser of anyone who views the rendered content. The link and wikilink cases are the strongest vectors because javascript: in an href executes on click; the image case is lower impact because javascript: in <img src> generally does not execute in modern browsers.
This issue affects mdex: from 0.8.3 before 0.13.2.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/leandrocp/mdex/security/adviso… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-54889.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-54889 | related |
| https://github.com/leandrocp/mdex/commit/2817147f… | patch |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54889",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T20:48:34.044130Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T20:48:52.206Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/leandrocp/mdex/security/advisories/GHSA-4383-7xfp-gpph"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDEx\u0027",
"\u0027Elixir.MDEx.DeltaConverter\u0027"
],
"packageName": "mdex",
"packageURL": "pkg:hex/mdex",
"product": "mdex",
"programFiles": [
"lib/mdex.ex",
"lib/mdex/delta_converter.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.MDEx\u0027:to_delta/2"
},
{
"name": "\u0027Elixir.MDEx.DeltaConverter\u0027:convert/2"
},
{
"name": "\u0027Elixir.MDEx.DeltaConverter\u0027:default_convert_node/3"
}
],
"repo": "https://github.com/leandrocp/mdex",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "0.13.2",
"status": "affected",
"version": "0.8.3",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDEx\u0027",
"\u0027Elixir.MDEx.DeltaConverter\u0027"
],
"packageName": "leandrocp/mdex",
"packageURL": "pkg:github/leandrocp/mdex",
"product": "mdex",
"programFiles": [
"lib/mdex.ex",
"lib/mdex/delta_converter.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.MDEx\u0027:to_delta/2"
},
{
"name": "\u0027Elixir.MDEx.DeltaConverter\u0027:convert/2"
},
{
"name": "\u0027Elixir.MDEx.DeltaConverter\u0027:default_convert_node/3"
}
],
"repo": "https://github.com/leandrocp/mdex",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "2817147f5b87ce7186aa604c9ee72499485b8f2f",
"status": "affected",
"version": "9852db2456fdc9d856eb636603a7f608e22e3793",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe application must pass untrusted Markdown to \u003ctt\u003e\u0027Elixir.MDEx\u0027:to_delta/2\u003c/tt\u003e and then render the resulting Quill Delta to HTML with a renderer that maps the \u003ctt\u003e\"link\"\u003c/tt\u003e and \u003ctt\u003e\"image\"\u003c/tt\u003e attributes to \u003ctt\u003ehref\u003c/tt\u003e and \u003ctt\u003esrc\u003c/tt\u003e without applying its own URL scheme sanitization (for example \u003ctt\u003equill-delta-to-html\u003c/tt\u003e or the Quill client).\u003c/p\u003e"
}
],
"value": "The application must pass untrusted Markdown to \u0027Elixir.MDEx\u0027:to_delta/2 and then render the resulting Quill Delta to HTML with a renderer that maps the \"link\" and \"image\" attributes to href and src without applying its own URL scheme sanitization (for example quill-delta-to-html or the Quill client)."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.13.2",
"versionStartIncluding": "0.8.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Leandro Pereira"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in leandrocp mdex allows cross-site scripting via unsanitized URL schemes in Quill Delta output.\u003cp\u003e\u003ctt\u003e\u0027Elixir.MDEx\u0027:to_delta/2\u003c/tt\u003e converts Markdown into a Quill Delta. \u003ctt\u003e\u0027Elixir.MDEx.DeltaConverter\u0027:default_convert_node/3\u003c/tt\u003e in \u003ctt\u003elib/mdex/delta_converter.ex\u003c/tt\u003e copies the URL of a link, wikilink, or image node directly from the parsed Markdown into the Delta \u003ctt\u003e\"link\"\u003c/tt\u003e or \u003ctt\u003e\"image\"\u003c/tt\u003e attribute without applying a scheme allowlist or any normalization.\u003c/p\u003e\u003cp\u003eAn attacker who controls the Markdown text can supply a \u003ctt\u003ejavascript:\u003c/tt\u003e URL (for example \u003ctt\u003e[click](javascript:alert(document.cookie))\u003c/tt\u003e) that survives verbatim into the Delta attribute. When the Delta is rendered to HTML by a downstream renderer (such as \u003ctt\u003equill-delta-to-html\u003c/tt\u003e or the Quill client), the attribute becomes an \u003ctt\u003e\u0026lt;a href\u0026gt;\u003c/tt\u003e or \u003ctt\u003e\u0026lt;img src\u0026gt;\u003c/tt\u003e, and the \u003ctt\u003ejavascript:\u003c/tt\u003e scheme executes in the browser of anyone who views the rendered content. The link and wikilink cases are the strongest vectors because \u003ctt\u003ejavascript:\u003c/tt\u003e in an \u003ctt\u003ehref\u003c/tt\u003e executes on click; the image case is lower impact because \u003ctt\u003ejavascript:\u003c/tt\u003e in \u003ctt\u003e\u0026lt;img src\u0026gt;\u003c/tt\u003e generally does not execute in modern browsers.\u003c/p\u003e\u003cp\u003eThis issue affects mdex: from 0.8.3 before 0.13.2.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in leandrocp mdex allows cross-site scripting via unsanitized URL schemes in Quill Delta output.\n\n\u0027Elixir.MDEx\u0027:to_delta/2 converts Markdown into a Quill Delta. \u0027Elixir.MDEx.DeltaConverter\u0027:default_convert_node/3 in lib/mdex/delta_converter.ex copies the URL of a link, wikilink, or image node directly from the parsed Markdown into the Delta \"link\" or \"image\" attribute without applying a scheme allowlist or any normalization.\n\nAn attacker who controls the Markdown text can supply a javascript: URL (for example [click](javascript:alert(document.cookie))) that survives verbatim into the Delta attribute. When the Delta is rendered to HTML by a downstream renderer (such as quill-delta-to-html or the Quill client), the attribute becomes an \u003ca href\u003e or \u003cimg src\u003e, and the javascript: scheme executes in the browser of anyone who views the rendered content. The link and wikilink cases are the strongest vectors because javascript: in an href executes on click; the image case is lower impact because javascript: in \u003cimg src\u003e generally does not execute in modern browsers.\n\nThis issue affects mdex: from 0.8.3 before 0.13.2."
}
],
"impacts": [
{
"capecId": "CAPEC-244",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-244 XSS Targeting URI Placeholders"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T04:38:42.158Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/leandrocp/mdex/security/advisories/GHSA-4383-7xfp-gpph"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-54889.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-54889"
},
{
"tags": [
"patch"
],
"url": "https://github.com/leandrocp/mdex/commit/2817147f5b87ce7186aa604c9ee72499485b8f2f"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Unsanitized URL schemes in MDEx Quill Delta output allow javascript: injection (XSS)",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSanitize the Quill Delta produced by \u003ctt\u003e\u0027Elixir.MDEx\u0027:to_delta/2\u003c/tt\u003e before rendering it: drop or blank any \u003ctt\u003e\"link\"\u003c/tt\u003e or \u003ctt\u003e\"image\"\u003c/tt\u003e value whose URL scheme is not in a safe allowlist (\u003ctt\u003ehttp\u003c/tt\u003e, \u003ctt\u003ehttps\u003c/tt\u003e, \u003ctt\u003emailto\u003c/tt\u003e, \u003ctt\u003etel\u003c/tt\u003e).\u003c/p\u003e"
}
],
"value": "Sanitize the Quill Delta produced by \u0027Elixir.MDEx\u0027:to_delta/2 before rendering it: drop or blank any \"link\" or \"image\" value whose URL scheme is not in a safe allowlist (http, https, mailto, tel)."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-54889",
"datePublished": "2026-06-29T19:10:49.841Z",
"dateReserved": "2026-06-16T10:47:13.915Z",
"dateUpdated": "2026-06-30T04:38:42.158Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54888 (GCVE-0-2026-54888)
Vulnerability from cvelistv5 – Published: 2026-06-29 19:10 – Updated: 2026-06-30 04:37
VLAI
EPSS
VEX
Title
Uncontrolled recursion over deeply nested Markdown crashes the BEAM in mdex
Summary
Uncontrolled Recursion vulnerability in leandrocp mdex allows denial of service via deeply nested Markdown input.
mdex converts between an Elixir %MDEx.Document{} struct and Comrak's internal AST using two mutually recursive Rust functions, ex_document_to_comrak_ast and comrak_ast_to_ex_document, in the NIF source file document.rs. Neither function enforces a maximum nesting depth, so the recursion depth is bounded only by the structure of the input. An attacker who can get a Markdown document rendered (for example through MDEx.parse_document!/1 or MDEx.to_html/1) can supply a document with thousands of nested block quotes, which drives unbounded recursion across the NIF boundary and exhausts the native C stack.
Because the resulting stack overflow is an uncatchable SIGSEGV raised inside a NIF, it cannot be contained by the Erlang runtime. It terminates the operating system process running the BEAM, killing every Elixir and Erlang process on the node, not just the caller that triggered the render. No authentication or special privileges are required.
The vulnerable conversion code was extracted from mdex into the separate mdex_native package starting in mdex 0.12.3. This issue affects mdex from 0.3.0 before 0.12.3 and mdex_native from 0.1.0 before 0.2.3.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-674 - Uncontrolled Recursion
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/leandrocp/mdex_native/security… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-54888.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-54888 | related |
| https://github.com/leandrocp/mdex_native/commit/9… | patch |
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| leandrocp | mdex |
Affected:
0.3.0 , < 0.12.3
(semver)
cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex |
Affected:
d0bc7d55177727c61d188ef465178ab3b81f4f2c , < 6ed94d905f97af188323f042698ae841c02293b4
(git)
cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex_native |
Affected:
0.1.0 , < 0.2.3
(semver)
cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex_native |
Affected:
956528c5e31746253347029e810a969ab916fd27 , < 947696c47bc22bea5dffc0f78c946fa6b70ce183
(git)
cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54888",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T20:47:22.348133Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T20:47:50.953Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/leandrocp/mdex_native/security/advisories/GHSA-3w4f-53g2-f66p"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"comrak_nif",
"\u0027Elixir.MDEx\u0027",
"\u0027Elixir.MDEx.Native\u0027"
],
"packageName": "mdex",
"packageURL": "pkg:hex/mdex",
"product": "mdex",
"programFiles": [
"native/comrak_nif/src/types/document.rs",
"lib/mdex.ex",
"lib/mdex/native.ex"
],
"programRoutines": [
{
"name": "comrak_nif::types::document::ex_document_to_comrak_ast"
},
{
"name": "comrak_nif::types::document::comrak_ast_to_ex_document"
},
{
"name": "\u0027Elixir.MDEx\u0027:parse_document!/1"
},
{
"name": "\u0027Elixir.MDEx\u0027:to_html/1"
},
{
"name": "\u0027Elixir.MDEx.Native\u0027:document_to_html_with_options/2"
}
],
"repo": "https://github.com/leandrocp/mdex",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "0.12.3",
"status": "affected",
"version": "0.3.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"comrak_nif",
"\u0027Elixir.MDEx\u0027",
"\u0027Elixir.MDEx.Native\u0027"
],
"packageName": "leandrocp/mdex",
"packageURL": "pkg:github/leandrocp/mdex",
"product": "mdex",
"programFiles": [
"native/comrak_nif/src/types/document.rs",
"lib/mdex.ex",
"lib/mdex/native.ex"
],
"programRoutines": [
{
"name": "comrak_nif::types::document::ex_document_to_comrak_ast"
},
{
"name": "comrak_nif::types::document::comrak_ast_to_ex_document"
},
{
"name": "\u0027Elixir.MDEx\u0027:parse_document!/1"
},
{
"name": "\u0027Elixir.MDEx\u0027:to_html/1"
},
{
"name": "\u0027Elixir.MDEx.Native\u0027:document_to_html_with_options/2"
}
],
"repo": "https://github.com/leandrocp/mdex",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "6ed94d905f97af188323f042698ae841c02293b4",
"status": "affected",
"version": "d0bc7d55177727c61d188ef465178ab3b81f4f2c",
"versionType": "git"
}
]
},
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"mdex_native_nif",
"\u0027Elixir.MDExNative.Native\u0027"
],
"packageName": "mdex_native",
"packageURL": "pkg:hex/mdex_native",
"product": "mdex_native",
"programFiles": [
"native/mdex_native_nif/src/types/document.rs",
"lib/mdex_native/native.ex"
],
"programRoutines": [
{
"name": "mdex_native_nif::types::document::ex_document_to_comrak_ast"
},
{
"name": "mdex_native_nif::types::document::comrak_ast_to_ex_document"
},
{
"name": "\u0027Elixir.MDExNative.Native\u0027:parse_document/2"
},
{
"name": "\u0027Elixir.MDExNative.Native\u0027:document_to_html_with_options/2"
}
],
"repo": "https://github.com/leandrocp/mdex_native",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "0.2.3",
"status": "affected",
"version": "0.1.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"mdex_native_nif",
"\u0027Elixir.MDExNative.Native\u0027"
],
"packageName": "leandrocp/mdex_native",
"packageURL": "pkg:github/leandrocp/mdex_native",
"product": "mdex_native",
"programFiles": [
"native/mdex_native_nif/src/types/document.rs",
"lib/mdex_native/native.ex"
],
"programRoutines": [
{
"name": "mdex_native_nif::types::document::ex_document_to_comrak_ast"
},
{
"name": "mdex_native_nif::types::document::comrak_ast_to_ex_document"
},
{
"name": "\u0027Elixir.MDExNative.Native\u0027:parse_document/2"
},
{
"name": "\u0027Elixir.MDExNative.Native\u0027:document_to_html_with_options/2"
}
],
"repo": "https://github.com/leandrocp/mdex_native",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "947696c47bc22bea5dffc0f78c946fa6b70ce183",
"status": "affected",
"version": "956528c5e31746253347029e810a969ab916fd27",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.12.3",
"versionStartIncluding": "0.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.2.3",
"versionStartIncluding": "0.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Leandro Pereira"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUncontrolled Recursion vulnerability in leandrocp mdex allows denial of service via deeply nested Markdown input.\u003c/p\u003e\u003cp\u003emdex converts between an Elixir \u003ctt\u003e%MDEx.Document{}\u003c/tt\u003e struct and Comrak\u0027s internal AST using two mutually recursive Rust functions, \u003ctt\u003eex_document_to_comrak_ast\u003c/tt\u003e and \u003ctt\u003ecomrak_ast_to_ex_document\u003c/tt\u003e, in the NIF source file \u003ctt\u003edocument.rs\u003c/tt\u003e. Neither function enforces a maximum nesting depth, so the recursion depth is bounded only by the structure of the input. An attacker who can get a Markdown document rendered (for example through \u003ctt\u003eMDEx.parse_document!/1\u003c/tt\u003e or \u003ctt\u003eMDEx.to_html/1\u003c/tt\u003e) can supply a document with thousands of nested block quotes, which drives unbounded recursion across the NIF boundary and exhausts the native C stack.\u003c/p\u003e\u003cp\u003eBecause the resulting stack overflow is an uncatchable SIGSEGV raised inside a NIF, it cannot be contained by the Erlang runtime. It terminates the operating system process running the BEAM, killing every Elixir and Erlang process on the node, not just the caller that triggered the render. No authentication or special privileges are required.\u003c/p\u003e\u003cp\u003eThe vulnerable conversion code was extracted from mdex into the separate mdex_native package starting in mdex 0.12.3. This issue affects mdex from 0.3.0 before 0.12.3 and mdex_native from 0.1.0 before 0.2.3.\u003c/p\u003e"
}
],
"value": "Uncontrolled Recursion vulnerability in leandrocp mdex allows denial of service via deeply nested Markdown input.\n\nmdex converts between an Elixir %MDEx.Document{} struct and Comrak\u0027s internal AST using two mutually recursive Rust functions, ex_document_to_comrak_ast and comrak_ast_to_ex_document, in the NIF source file document.rs. Neither function enforces a maximum nesting depth, so the recursion depth is bounded only by the structure of the input. An attacker who can get a Markdown document rendered (for example through MDEx.parse_document!/1 or MDEx.to_html/1) can supply a document with thousands of nested block quotes, which drives unbounded recursion across the NIF boundary and exhausts the native C stack.\n\nBecause the resulting stack overflow is an uncatchable SIGSEGV raised inside a NIF, it cannot be contained by the Erlang runtime. It terminates the operating system process running the BEAM, killing every Elixir and Erlang process on the node, not just the caller that triggered the render. No authentication or special privileges are required.\n\nThe vulnerable conversion code was extracted from mdex into the separate mdex_native package starting in mdex 0.12.3. This issue affects mdex from 0.3.0 before 0.12.3 and mdex_native from 0.1.0 before 0.2.3."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackVector": "LOCAL",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-674",
"description": "CWE-674 Uncontrolled Recursion",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T04:37:59.369Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/leandrocp/mdex_native/security/advisories/GHSA-3w4f-53g2-f66p"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-54888.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-54888"
},
{
"tags": [
"patch"
],
"url": "https://github.com/leandrocp/mdex_native/commit/947696c47bc22bea5dffc0f78c946fa6b70ce183"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Uncontrolled recursion over deeply nested Markdown crashes the BEAM in mdex",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-54888",
"datePublished": "2026-06-29T19:10:38.151Z",
"dateReserved": "2026-06-16T10:47:13.915Z",
"dateUpdated": "2026-06-30T04:37:59.369Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53429 (GCVE-0-2026-53429)
Vulnerability from cvelistv5 – Published: 2026-06-29 19:07 – Updated: 2026-06-30 04:38
VLAI
EPSS
VEX
Title
Unbounded native memory leak in mdex escaped-tag rendering enables unauthenticated denial of service
Summary
Missing Release of Memory after Effective Lifetime vulnerability in leandrocp mdex and mdex_native allows an attacker who controls a rendered document to cause a denial of service through unbounded native memory exhaustion.
The native rendering code permanently leaks memory when rendering a document that contains escaped-tag nodes. The conversion of each %MDEx.EscapedTag{} node into its native representation (From<ExEscapedTag> for NodeValue in the Rust NIF) calls Box::leak on the caller-supplied literal string, which surrenders the backing allocation so that it lives for the entire lifetime of the operating system process and is never freed.
Both the byte length of each literal and the number of escaped-tag nodes in a document are attacker-controlled, and there is no size cap, rate limit, or string interning on this path. Every render of a document containing escaped-tag nodes therefore leaks literal_size x node_count bytes that can never be reclaimed, and repeated renders accumulate without bound. Rendering reaches this path through the public MDEx.to_html/1 entry point and any other API that renders a supplied %MDEx.Document{}.
Any application that uses mdex (or mdex_native directly) to render documents derived from user-supplied content is affected. Because the leaked memory is never reclaimed for the life of the BEAM process, an attacker can drive resident memory upward without limit until the node exhausts memory and crashes, taking down every process on it.
The vulnerable native code originally shipped inside mdex (in native/comrak_nif/src/types/document.rs) and was later extracted into the separate mdex_native package (native/mdex_native_nif/src/types/document.rs), where it remains unpatched.
This issue affects mdex from 0.11.0 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-401 - Missing Release of Memory after Effective Lifetime
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/leandrocp/mdex_native/security… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-53429.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-53429 | related |
| https://github.com/leandrocp/mdex_native/commit/c… | patch |
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| leandrocp | mdex |
Affected:
0.11.0 , < 0.12.3
(semver)
cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex |
Affected:
81e4d14dd3aa5b206e395c7f372b9b413793015f , < 6ed94d905f97af188323f042698ae841c02293b4
(git)
cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex_native |
Affected:
0.1.0 , < 0.2.3
(semver)
cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex_native |
Affected:
956528c5e31746253347029e810a969ab916fd27 , < cbd927fb5061b488de8d90a8ef6df65718ca1fe6
(git)
cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-53429",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T20:45:00.827777Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T20:45:38.367Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/leandrocp/mdex_native/security/advisories/GHSA-cmvp-gp9f-23xw"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDEx\u0027",
"comrak_nif"
],
"packageName": "mdex",
"packageURL": "pkg:hex/mdex",
"product": "mdex",
"programFiles": [
"native/comrak_nif/src/types/document.rs"
],
"programRoutines": [
{
"name": "comrak_nif::document_to_html_with_options"
},
{
"name": "\u0027Elixir.MDEx.Native\u0027:document_to_html_with_options/2"
},
{
"name": "\u0027Elixir.MDEx\u0027:to_html/1"
}
],
"repo": "https://github.com/leandrocp/mdex",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "0.12.3",
"status": "affected",
"version": "0.11.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDEx\u0027",
"comrak_nif"
],
"packageName": "leandrocp/mdex",
"packageURL": "pkg:github/leandrocp/mdex",
"product": "mdex",
"programFiles": [
"native/comrak_nif/src/types/document.rs"
],
"programRoutines": [
{
"name": "comrak_nif::document_to_html_with_options"
},
{
"name": "\u0027Elixir.MDEx.Native\u0027:document_to_html_with_options/2"
},
{
"name": "\u0027Elixir.MDEx\u0027:to_html/1"
}
],
"repo": "https://github.com/leandrocp/mdex",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "6ed94d905f97af188323f042698ae841c02293b4",
"status": "affected",
"version": "81e4d14dd3aa5b206e395c7f372b9b413793015f",
"versionType": "git"
}
]
},
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDExNative.Comrak\u0027",
"mdex_native_nif"
],
"packageName": "mdex_native",
"packageURL": "pkg:hex/mdex_native",
"product": "mdex_native",
"programFiles": [
"native/mdex_native_nif/src/types/document.rs"
],
"programRoutines": [
{
"name": "mdex_native_nif::document_to_html_with_options"
},
{
"name": "\u0027Elixir.MDExNative.Native\u0027:document_to_html_with_options/2"
},
{
"name": "\u0027Elixir.MDExNative.Comrak\u0027:document_to_html/2"
}
],
"repo": "https://github.com/leandrocp/mdex_native",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "0.2.3",
"status": "affected",
"version": "0.1.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDExNative.Comrak\u0027",
"mdex_native_nif"
],
"packageName": "leandrocp/mdex_native",
"packageURL": "pkg:github/leandrocp/mdex_native",
"product": "mdex_native",
"programFiles": [
"native/mdex_native_nif/src/types/document.rs"
],
"programRoutines": [
{
"name": "mdex_native_nif::document_to_html_with_options"
},
{
"name": "\u0027Elixir.MDExNative.Native\u0027:document_to_html_with_options/2"
},
{
"name": "\u0027Elixir.MDExNative.Comrak\u0027:document_to_html/2"
}
],
"repo": "https://github.com/leandrocp/mdex_native",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "cbd927fb5061b488de8d90a8ef6df65718ca1fe6",
"status": "affected",
"version": "956528c5e31746253347029e810a969ab916fd27",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.12.3",
"versionStartIncluding": "0.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.2.3",
"versionStartIncluding": "0.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Leandro Pereira"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Release of Memory after Effective Lifetime vulnerability in leandrocp mdex and mdex_native allows an attacker who controls a rendered document to cause a denial of service through unbounded native memory exhaustion.\u003cp\u003eThe native rendering code permanently leaks memory when rendering a document that contains escaped-tag nodes. The conversion of each \u003ctt\u003e%MDEx.EscapedTag{}\u003c/tt\u003e node into its native representation (\u003ctt\u003eFrom\u0026lt;ExEscapedTag\u0026gt; for NodeValue\u003c/tt\u003e in the Rust NIF) calls \u003ctt\u003eBox::leak\u003c/tt\u003e on the caller-supplied \u003ctt\u003eliteral\u003c/tt\u003e string, which surrenders the backing allocation so that it lives for the entire lifetime of the operating system process and is never freed.\u003c/p\u003e\u003cp\u003eBoth the byte length of each literal and the number of escaped-tag nodes in a document are attacker-controlled, and there is no size cap, rate limit, or string interning on this path. Every render of a document containing escaped-tag nodes therefore leaks \u003ctt\u003eliteral_size \u0026times; node_count\u003c/tt\u003e bytes that can never be reclaimed, and repeated renders accumulate without bound. Rendering reaches this path through the public \u003ctt\u003eMDEx.to_html/1\u003c/tt\u003e entry point and any other API that renders a supplied \u003ctt\u003e%MDEx.Document{}\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eAny application that uses \u003ctt\u003emdex\u003c/tt\u003e (or \u003ctt\u003emdex_native\u003c/tt\u003e directly) to render documents derived from user-supplied content is affected. Because the leaked memory is never reclaimed for the life of the BEAM process, an attacker can drive resident memory upward without limit until the node exhausts memory and crashes, taking down every process on it.\u003c/p\u003e\u003cp\u003eThe vulnerable native code originally shipped inside \u003ctt\u003emdex\u003c/tt\u003e (in \u003ctt\u003enative/comrak_nif/src/types/document.rs\u003c/tt\u003e) and was later extracted into the separate \u003ctt\u003emdex_native\u003c/tt\u003e package (\u003ctt\u003enative/mdex_native_nif/src/types/document.rs\u003c/tt\u003e), where it remains unpatched.\u003c/p\u003e\u003cp\u003eThis issue affects mdex from 0.11.0 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3.\u003c/p\u003e"
}
],
"value": "Missing Release of Memory after Effective Lifetime vulnerability in leandrocp mdex and mdex_native allows an attacker who controls a rendered document to cause a denial of service through unbounded native memory exhaustion.\n\nThe native rendering code permanently leaks memory when rendering a document that contains escaped-tag nodes. The conversion of each %MDEx.EscapedTag{} node into its native representation (From\u003cExEscapedTag\u003e for NodeValue in the Rust NIF) calls Box::leak on the caller-supplied literal string, which surrenders the backing allocation so that it lives for the entire lifetime of the operating system process and is never freed.\n\nBoth the byte length of each literal and the number of escaped-tag nodes in a document are attacker-controlled, and there is no size cap, rate limit, or string interning on this path. Every render of a document containing escaped-tag nodes therefore leaks literal_size x node_count bytes that can never be reclaimed, and repeated renders accumulate without bound. Rendering reaches this path through the public MDEx.to_html/1 entry point and any other API that renders a supplied %MDEx.Document{}.\n\nAny application that uses mdex (or mdex_native directly) to render documents derived from user-supplied content is affected. Because the leaked memory is never reclaimed for the life of the BEAM process, an attacker can drive resident memory upward without limit until the node exhausts memory and crashes, taking down every process on it.\n\nThe vulnerable native code originally shipped inside mdex (in native/comrak_nif/src/types/document.rs) and was later extracted into the separate mdex_native package (native/mdex_native_nif/src/types/document.rs), where it remains unpatched.\n\nThis issue affects mdex from 0.11.0 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T04:38:14.140Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/leandrocp/mdex_native/security/advisories/GHSA-cmvp-gp9f-23xw"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-53429.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-53429"
},
{
"tags": [
"patch"
],
"url": "https://github.com/leandrocp/mdex_native/commit/cbd927fb5061b488de8d90a8ef6df65718ca1fe6"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Unbounded native memory leak in mdex escaped-tag rendering enables unauthenticated denial of service",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-53429",
"datePublished": "2026-06-29T19:07:16.954Z",
"dateReserved": "2026-06-09T11:01:47.529Z",
"dateUpdated": "2026-06-30T04:38:14.140Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53428 (GCVE-0-2026-53428)
Vulnerability from cvelistv5 – Published: 2026-06-29 18:52 – Updated: 2026-06-30 04:38
VLAI
EPSS
VEX
Title
Unbounded memory allocation in highlight_lines range expansion in mdex
Summary
Memory Allocation with Excessive Size Value vulnerability in leandrocp mdex allows an unauthenticated attacker to cause a denial of service through unbounded memory allocation.
comrak_nif::lumis_adapter::LumisAdapter::parse_highlight_lines in native/comrak_nif/src/lumis_adapter.rs eagerly expands a user-controlled inclusive line range from a fenced code block's highlight_lines decorator into a Vec<usize>, pushing one element per integer in the range with no upper bound on the range size. An attacker who can supply Markdown that an application renders with MDEx.to_html/2 (for example a comment, chat message, or wiki page) can embed a code block whose info string is rust highlight_lines="1-100000000", forcing the native adapter to allocate roughly 8 bytes per line in the range.
A payload that differs by only a few bytes can therefore allocate hundreds of megabytes, and a sufficiently large range (for example 1-2000000000) exhausts host memory and aborts the BEAM, denying service to every user of the rendering process. The per-line write loop additionally tests membership with a linear scan over the same vector, degrading rendering to a quadratic cost even for ranges that do not immediately exhaust memory.
The vulnerable native code originally shipped inside mdex (in native/comrak_nif/src/lumis_adapter.rs) and was later extracted into the separate mdex_native package (native/mdex_native_nif/src/lumis_adapter.rs), where it remains unpatched.
This issue affects mdex from 0.11.0 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-789 - Memory Allocation with Excessive Size Value
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/leandrocp/mdex_native/security… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-53428.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-53428 | related |
| https://github.com/leandrocp/mdex_native/commit/7… | patch |
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| leandrocp | mdex |
Affected:
0.11.0 , < 0.12.3
(semver)
cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex |
Affected:
a8407611715d1ead35fbcba79c72cef1b7df387b , < 6ed94d905f97af188323f042698ae841c02293b4
(git)
cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex_native |
Affected:
0.1.0 , < 0.2.3
(semver)
cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex_native |
Affected:
956528c5e31746253347029e810a969ab916fd27 , < 798a363b4339f6f7162ec8437c4c9f9b5ae6fbf3
(git)
cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-53428",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T19:17:11.005816Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T19:17:25.070Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDEx\u0027",
"comrak_nif"
],
"packageName": "mdex",
"packageURL": "pkg:hex/mdex",
"product": "mdex",
"programFiles": [
"native/comrak_nif/src/lumis_adapter.rs"
],
"programRoutines": [
{
"name": "comrak_nif::lumis_adapter::LumisAdapter::parse_highlight_lines"
},
{
"name": "\u0027Elixir.MDEx\u0027:to_html/2"
}
],
"repo": "https://github.com/leandrocp/mdex",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "0.12.3",
"status": "affected",
"version": "0.11.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDEx\u0027",
"comrak_nif"
],
"packageName": "leandrocp/mdex",
"packageURL": "pkg:github/leandrocp/mdex",
"product": "mdex",
"programFiles": [
"native/comrak_nif/src/lumis_adapter.rs"
],
"programRoutines": [
{
"name": "comrak_nif::lumis_adapter::LumisAdapter::parse_highlight_lines"
},
{
"name": "\u0027Elixir.MDEx\u0027:to_html/2"
}
],
"repo": "https://github.com/leandrocp/mdex",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "6ed94d905f97af188323f042698ae841c02293b4",
"status": "affected",
"version": "a8407611715d1ead35fbcba79c72cef1b7df387b",
"versionType": "git"
}
]
},
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDExNative.Comrak\u0027",
"mdex_native_nif"
],
"packageName": "mdex_native",
"packageURL": "pkg:hex/mdex_native",
"product": "mdex_native",
"programFiles": [
"native/mdex_native_nif/src/lumis_adapter.rs"
],
"programRoutines": [
{
"name": "mdex_native_nif::lumis_adapter::LumisAdapter::parse_highlight_lines"
},
{
"name": "\u0027Elixir.MDExNative.Native\u0027:document_to_html_with_options/2"
},
{
"name": "\u0027Elixir.MDExNative.Comrak\u0027:document_to_html/2"
}
],
"repo": "https://github.com/leandrocp/mdex_native",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "0.2.3",
"status": "affected",
"version": "0.1.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDExNative.Comrak\u0027",
"mdex_native_nif"
],
"packageName": "leandrocp/mdex_native",
"packageURL": "pkg:github/leandrocp/mdex_native",
"product": "mdex_native",
"programFiles": [
"native/mdex_native_nif/src/lumis_adapter.rs"
],
"programRoutines": [
{
"name": "mdex_native_nif::lumis_adapter::LumisAdapter::parse_highlight_lines"
},
{
"name": "\u0027Elixir.MDExNative.Native\u0027:document_to_html_with_options/2"
},
{
"name": "\u0027Elixir.MDExNative.Comrak\u0027:document_to_html/2"
}
],
"repo": "https://github.com/leandrocp/mdex_native",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "798a363b4339f6f7162ec8437c4c9f9b5ae6fbf3",
"status": "affected",
"version": "956528c5e31746253347029e810a969ab916fd27",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eExploitation requires the application to enable code-block decorators. Decorators are active only when the render options \u003ctt\u003egithub_pre_lang\u003c/tt\u003e and \u003ctt\u003efull_info_string\u003c/tt\u003e are both set and an inline syntax-highlight formatter (for example \u003ctt\u003e{:html_inline, ...}\u003c/tt\u003e) is configured. Applications that render Markdown with the default options do not parse \u003ctt\u003ehighlight_lines\u003c/tt\u003e specifications and are not affected.\u003c/p\u003e"
}
],
"value": "Exploitation requires the application to enable code-block decorators. Decorators are active only when the render options github_pre_lang and full_info_string are both set and an inline syntax-highlight formatter (for example {:html_inline, ...}) is configured. Applications that render Markdown with the default options do not parse highlight_lines specifications and are not affected."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.12.3",
"versionStartIncluding": "0.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.2.3",
"versionStartIncluding": "0.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Leandro Pereira"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Memory Allocation with Excessive Size Value vulnerability in leandrocp mdex allows an unauthenticated attacker to cause a denial of service through unbounded memory allocation.\u003cp\u003e\u003ctt\u003ecomrak_nif::lumis_adapter::LumisAdapter::parse_highlight_lines\u003c/tt\u003e in \u003ctt\u003enative/comrak_nif/src/lumis_adapter.rs\u003c/tt\u003e eagerly expands a user-controlled inclusive line range from a fenced code block\u0027s \u003ctt\u003ehighlight_lines\u003c/tt\u003e decorator into a \u003ctt\u003eVec\u0026lt;usize\u0026gt;\u003c/tt\u003e, pushing one element per integer in the range with no upper bound on the range size. An attacker who can supply Markdown that an application renders with \u003ctt\u003eMDEx.to_html/2\u003c/tt\u003e (for example a comment, chat message, or wiki page) can embed a code block whose info string is \u003ctt\u003erust highlight_lines=\"1-100000000\"\u003c/tt\u003e, forcing the native adapter to allocate roughly 8 bytes per line in the range.\u003c/p\u003e\u003cp\u003eA payload that differs by only a few bytes can therefore allocate hundreds of megabytes, and a sufficiently large range (for example \u003ctt\u003e1-2000000000\u003c/tt\u003e) exhausts host memory and aborts the BEAM, denying service to every user of the rendering process. The per-line write loop additionally tests membership with a linear scan over the same vector, degrading rendering to a quadratic cost even for ranges that do not immediately exhaust memory.\u003c/p\u003e\u003cp\u003eThe vulnerable native code originally shipped inside \u003ctt\u003emdex\u003c/tt\u003e (in \u003ctt\u003enative/comrak_nif/src/lumis_adapter.rs\u003c/tt\u003e) and was later extracted into the separate \u003ctt\u003emdex_native\u003c/tt\u003e package (\u003ctt\u003enative/mdex_native_nif/src/lumis_adapter.rs\u003c/tt\u003e), where it remains unpatched.\u003c/p\u003e\u003cp\u003eThis issue affects mdex from 0.11.0 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3.\u003c/p\u003e"
}
],
"value": "Memory Allocation with Excessive Size Value vulnerability in leandrocp mdex allows an unauthenticated attacker to cause a denial of service through unbounded memory allocation.\n\ncomrak_nif::lumis_adapter::LumisAdapter::parse_highlight_lines in native/comrak_nif/src/lumis_adapter.rs eagerly expands a user-controlled inclusive line range from a fenced code block\u0027s highlight_lines decorator into a Vec\u003cusize\u003e, pushing one element per integer in the range with no upper bound on the range size. An attacker who can supply Markdown that an application renders with MDEx.to_html/2 (for example a comment, chat message, or wiki page) can embed a code block whose info string is rust highlight_lines=\"1-100000000\", forcing the native adapter to allocate roughly 8 bytes per line in the range.\n\nA payload that differs by only a few bytes can therefore allocate hundreds of megabytes, and a sufficiently large range (for example 1-2000000000) exhausts host memory and aborts the BEAM, denying service to every user of the rendering process. The per-line write loop additionally tests membership with a linear scan over the same vector, degrading rendering to a quadratic cost even for ranges that do not immediately exhaust memory.\n\nThe vulnerable native code originally shipped inside mdex (in native/comrak_nif/src/lumis_adapter.rs) and was later extracted into the separate mdex_native package (native/mdex_native_nif/src/lumis_adapter.rs), where it remains unpatched.\n\nThis issue affects mdex from 0.11.0 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-789",
"description": "CWE-789 Memory Allocation with Excessive Size Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T04:38:36.755Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/leandrocp/mdex_native/security/advisories/GHSA-j93q-9cvj-rxfm"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-53428.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-53428"
},
{
"tags": [
"patch"
],
"url": "https://github.com/leandrocp/mdex_native/commit/798a363b4339f6f7162ec8437c4c9f9b5ae6fbf3"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Unbounded memory allocation in highlight_lines range expansion in mdex",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eDo not enable code-block decorators: leave the \u003ctt\u003egithub_pre_lang\u003c/tt\u003e and \u003ctt\u003efull_info_string\u003c/tt\u003e render options unset, or avoid configuring an inline syntax-highlight formatter, so that \u003ctt\u003ehighlight_lines\u003c/tt\u003e specifications are never parsed.\u003c/p\u003e"
}
],
"value": "Do not enable code-block decorators: leave the github_pre_lang and full_info_string render options unset, or avoid configuring an inline syntax-highlight formatter, so that highlight_lines specifications are never parsed."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-53428",
"datePublished": "2026-06-29T18:52:36.199Z",
"dateReserved": "2026-06-09T11:01:47.529Z",
"dateUpdated": "2026-06-30T04:38:36.755Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53427 (GCVE-0-2026-53427)
Vulnerability from cvelistv5 – Published: 2026-06-29 18:50 – Updated: 2026-06-30 04:37
VLAI
EPSS
VEX
Title
Cross-site scripting in MDEx via unescaped highlight_lines_class code-fence attribute
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in leandrocp MDEx allows stored or reflected cross-site scripting via attacker-controlled Markdown.
When syntax highlighting and full info-string forwarding (render: [full_info_string: true]) are enabled, the Lumis adapter copies the value of a code fence's highlight_lines_class info-string attribute, unescaped, into the class attribute of every rendered line. comrak_nif::lumis_adapter::LumisAdapter::parse_custom_attributes in native/comrak_nif/src/lumis_adapter.rs shlex-parses the info string and stores each key=value pair verbatim, highlight_lines_config pulls highlight_lines_class into the per-line class value, and write_highlighted interpolates that value directly into the class attribute of the per-line <div>. A single-quoted shell token preserves an inner double quote through shlex parsing, so a value such as '"><script>alert(1)</script>' terminates the class attribute early and the markup that follows is emitted as live HTML.
An attacker who can submit Markdown (through comments, posts, wiki pages, documentation, or any user-generated content) can inject arbitrary HTML and JavaScript that runs in the browser of every user who views the rendered output, enabling session theft, account takeover, and other client-side attacks. No authentication or special privileges are required.
The vulnerable native code originally shipped inside mdex (in native/comrak_nif/src/lumis_adapter.rs) and was later extracted into the separate mdex_native package (native/mdex_native_nif/src/lumis_adapter.rs), where it remains unpatched.
This issue affects mdex from 0.11.3 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/leandrocp/mdex_native/security… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-53427.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-53427 | related |
| https://github.com/leandrocp/mdex_native/commit/7… | patch |
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| leandrocp | mdex |
Affected:
0.11.3 , < 0.12.3
(semver)
cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex |
Affected:
0d7ffc84ea742e1daf666426814e5bb6d0499433 , < 6ed94d905f97af188323f042698ae841c02293b4
(git)
cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex_native |
Affected:
0.1.0 , < 0.2.3
(semver)
cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:* |
|
| leandrocp | mdex_native |
Affected:
956528c5e31746253347029e810a969ab916fd27 , < 798a363b4339f6f7162ec8437c4c9f9b5ae6fbf3
(git)
cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-53427",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T19:18:13.166991Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T19:19:28.028Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDEx\u0027",
"comrak_nif"
],
"packageName": "mdex",
"packageURL": "pkg:hex/mdex",
"product": "mdex",
"programFiles": [
"native/comrak_nif/src/lumis_adapter.rs"
],
"programRoutines": [
{
"name": "comrak_nif::lumis_adapter::LumisAdapter::parse_custom_attributes"
},
{
"name": "comrak_nif::lumis_adapter::LumisAdapter::highlight_lines_config"
},
{
"name": "comrak_nif::lumis_adapter::LumisAdapter::write_highlighted"
},
{
"name": "\u0027Elixir.MDEx\u0027:to_html/2"
}
],
"repo": "https://github.com/leandrocp/mdex",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "0.12.3",
"status": "affected",
"version": "0.11.3",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDEx\u0027",
"comrak_nif"
],
"packageName": "leandrocp/mdex",
"packageURL": "pkg:github/leandrocp/mdex",
"product": "mdex",
"programFiles": [
"native/comrak_nif/src/lumis_adapter.rs"
],
"programRoutines": [
{
"name": "comrak_nif::lumis_adapter::LumisAdapter::parse_custom_attributes"
},
{
"name": "comrak_nif::lumis_adapter::LumisAdapter::highlight_lines_config"
},
{
"name": "comrak_nif::lumis_adapter::LumisAdapter::write_highlighted"
},
{
"name": "\u0027Elixir.MDEx\u0027:to_html/2"
}
],
"repo": "https://github.com/leandrocp/mdex",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "6ed94d905f97af188323f042698ae841c02293b4",
"status": "affected",
"version": "0d7ffc84ea742e1daf666426814e5bb6d0499433",
"versionType": "git"
}
]
},
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDExNative.Comrak\u0027",
"mdex_native_nif"
],
"packageName": "mdex_native",
"packageURL": "pkg:hex/mdex_native",
"product": "mdex_native",
"programFiles": [
"native/mdex_native_nif/src/lumis_adapter.rs"
],
"programRoutines": [
{
"name": "mdex_native_nif::lumis_adapter::LumisAdapter::parse_custom_attributes"
},
{
"name": "mdex_native_nif::lumis_adapter::LumisAdapter::highlight_lines_config"
},
{
"name": "mdex_native_nif::lumis_adapter::LumisAdapter::write_highlighted"
},
{
"name": "\u0027Elixir.MDExNative.Native\u0027:document_to_html_with_options/2"
},
{
"name": "\u0027Elixir.MDExNative.Comrak\u0027:document_to_html/2"
}
],
"repo": "https://github.com/leandrocp/mdex_native",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "0.2.3",
"status": "affected",
"version": "0.1.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.MDExNative.Comrak\u0027",
"mdex_native_nif"
],
"packageName": "leandrocp/mdex_native",
"packageURL": "pkg:github/leandrocp/mdex_native",
"product": "mdex_native",
"programFiles": [
"native/mdex_native_nif/src/lumis_adapter.rs"
],
"programRoutines": [
{
"name": "mdex_native_nif::lumis_adapter::LumisAdapter::parse_custom_attributes"
},
{
"name": "mdex_native_nif::lumis_adapter::LumisAdapter::highlight_lines_config"
},
{
"name": "mdex_native_nif::lumis_adapter::LumisAdapter::write_highlighted"
},
{
"name": "\u0027Elixir.MDExNative.Native\u0027:document_to_html_with_options/2"
},
{
"name": "\u0027Elixir.MDExNative.Comrak\u0027:document_to_html/2"
}
],
"repo": "https://github.com/leandrocp/mdex_native",
"vendor": "leandrocp",
"versions": [
{
"lessThan": "798a363b4339f6f7162ec8437c4c9f9b5ae6fbf3",
"status": "affected",
"version": "956528c5e31746253347029e810a969ab916fd27",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe vulnerable code path is only reachable when MDEx is configured with a syntax-highlighting formatter (for example \u003ctt\u003esyntax_highlight: [formatter: {:html_inline, ...}]\u003c/tt\u003e or \u003ctt\u003e{:html_linked, ...}\u003c/tt\u003e) and with full info-string forwarding enabled (\u003ctt\u003erender: [full_info_string: true]\u003c/tt\u003e). Full info-string forwarding is required for comrak to hand the \u003ctt\u003ehighlight_lines_class\u003c/tt\u003e attribute to the highlighter, so any application that uses the line-highlighting attributes already has it enabled.\u003c/p\u003e"
}
],
"value": "The vulnerable code path is only reachable when MDEx is configured with a syntax-highlighting formatter (for example syntax_highlight: [formatter: {:html_inline, ...}] or {:html_linked, ...}) and with full info-string forwarding enabled (render: [full_info_string: true]). Full info-string forwarding is required for comrak to hand the highlight_lines_class attribute to the highlighter, so any application that uses the line-highlighting attributes already has it enabled."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:leandrocp:mdex:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.12.3",
"versionStartIncluding": "0.11.3",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:leandrocp:mdex_native:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.2.3",
"versionStartIncluding": "0.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Leandro Pereira"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in leandrocp MDEx allows stored or reflected cross-site scripting via attacker-controlled Markdown.\u003c/p\u003e\u003cp\u003eWhen syntax highlighting and full info-string forwarding (\u003ctt\u003erender: [full_info_string: true]\u003c/tt\u003e) are enabled, the Lumis adapter copies the value of a code fence\u0027s \u003ctt\u003ehighlight_lines_class\u003c/tt\u003e info-string attribute, unescaped, into the \u003ctt\u003eclass\u003c/tt\u003e attribute of every rendered line. \u003ctt\u003ecomrak_nif::lumis_adapter::LumisAdapter::parse_custom_attributes\u003c/tt\u003e in \u003ctt\u003enative/comrak_nif/src/lumis_adapter.rs\u003c/tt\u003e shlex-parses the info string and stores each \u003ctt\u003ekey=value\u003c/tt\u003e pair verbatim, \u003ctt\u003ehighlight_lines_config\u003c/tt\u003e pulls \u003ctt\u003ehighlight_lines_class\u003c/tt\u003e into the per-line class value, and \u003ctt\u003ewrite_highlighted\u003c/tt\u003e interpolates that value directly into the \u003ctt\u003eclass\u003c/tt\u003e attribute of the per-line \u003ctt\u003e\u0026lt;div\u0026gt;\u003c/tt\u003e. A single-quoted shell token preserves an inner double quote through shlex parsing, so a value such as \u003ctt\u003e\u0027\u0026quot;\u0026gt;\u0026lt;script\u0026gt;alert(1)\u0026lt;/script\u0026gt;\u0027\u003c/tt\u003e terminates the \u003ctt\u003eclass\u003c/tt\u003e attribute early and the markup that follows is emitted as live HTML.\u003c/p\u003e\u003cp\u003eAn attacker who can submit Markdown (through comments, posts, wiki pages, documentation, or any user-generated content) can inject arbitrary HTML and JavaScript that runs in the browser of every user who views the rendered output, enabling session theft, account takeover, and other client-side attacks. No authentication or special privileges are required.\u003c/p\u003e\u003cp\u003eThe vulnerable native code originally shipped inside \u003ctt\u003emdex\u003c/tt\u003e (in \u003ctt\u003enative/comrak_nif/src/lumis_adapter.rs\u003c/tt\u003e) and was later extracted into the separate \u003ctt\u003emdex_native\u003c/tt\u003e package (\u003ctt\u003enative/mdex_native_nif/src/lumis_adapter.rs\u003c/tt\u003e), where it remains unpatched.\u003c/p\u003e\u003cp\u003eThis issue affects mdex from 0.11.3 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in leandrocp MDEx allows stored or reflected cross-site scripting via attacker-controlled Markdown.\n\nWhen syntax highlighting and full info-string forwarding (render: [full_info_string: true]) are enabled, the Lumis adapter copies the value of a code fence\u0027s highlight_lines_class info-string attribute, unescaped, into the class attribute of every rendered line. comrak_nif::lumis_adapter::LumisAdapter::parse_custom_attributes in native/comrak_nif/src/lumis_adapter.rs shlex-parses the info string and stores each key=value pair verbatim, highlight_lines_config pulls highlight_lines_class into the per-line class value, and write_highlighted interpolates that value directly into the class attribute of the per-line \u003cdiv\u003e. A single-quoted shell token preserves an inner double quote through shlex parsing, so a value such as \u0027\"\u003e\u003cscript\u003ealert(1)\u003c/script\u003e\u0027 terminates the class attribute early and the markup that follows is emitted as live HTML.\n\nAn attacker who can submit Markdown (through comments, posts, wiki pages, documentation, or any user-generated content) can inject arbitrary HTML and JavaScript that runs in the browser of every user who views the rendered output, enabling session theft, account takeover, and other client-side attacks. No authentication or special privileges are required.\n\nThe vulnerable native code originally shipped inside mdex (in native/comrak_nif/src/lumis_adapter.rs) and was later extracted into the separate mdex_native package (native/mdex_native_nif/src/lumis_adapter.rs), where it remains unpatched.\n\nThis issue affects mdex from 0.11.3 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T04:37:51.902Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/leandrocp/mdex_native/security/advisories/GHSA-v664-pmxr-mxxx"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-53427.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-53427"
},
{
"tags": [
"patch"
],
"url": "https://github.com/leandrocp/mdex_native/commit/798a363b4339f6f7162ec8437c4c9f9b5ae6fbf3"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Cross-site scripting in MDEx via unescaped highlight_lines_class code-fence attribute",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eDo not enable full info-string forwarding (\u003ctt\u003erender: [full_info_string: true]\u003c/tt\u003e) when rendering untrusted Markdown, which prevents the \u003ctt\u003ehighlight_lines_class\u003c/tt\u003e attribute from reaching the highlighter. Alternatively, restrict \u003ctt\u003ehighlight_lines_class\u003c/tt\u003e values to a safe character set (for example \u003ctt\u003e[A-Za-z0-9_- ]\u003c/tt\u003e) before rendering.\u003c/p\u003e"
}
],
"value": "Do not enable full info-string forwarding (render: [full_info_string: true]) when rendering untrusted Markdown, which prevents the highlight_lines_class attribute from reaching the highlighter. Alternatively, restrict highlight_lines_class values to a safe character set (for example [A-Za-z0-9_- ]) before rendering."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-53427",
"datePublished": "2026-06-29T18:50:17.185Z",
"dateReserved": "2026-06-09T11:01:47.529Z",
"dateUpdated": "2026-06-30T04:37:51.902Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55736 (GCVE-0-2026-55736)
Vulnerability from cvelistv5 – Published: 2026-06-23 18:21 – Updated: 2026-07-10 04:34
VLAI
EPSS
VEX
Title
Private action arguments can be set by user input in Ash
Summary
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in ash-project ash allows a user to set the value of a private action argument that is intended to be controlled only by trusted server-side code.
Action arguments declared with public?: false are meant to be set internally (for example via Ash.Changeset.set_private_argument/3) and must not be settable from end-user input. When a changeset is built from a parameter map, Ash filters out private arguments, but the filtering is incomplete.
In the regular changeset path (for_create, for_update, for_destroy), private arguments are stripped only when the parameter key is an atom. When the key is a binary (string), as is the case for user-supplied parameters, the private argument is kept and the user controls its value. In the atomic path (Ash.Changeset.fully_atomic_changeset/4, also reached through atomic and bulk updates), private arguments are not stripped at all, regardless of whether the key is an atom or a binary.
An attacker who can submit parameters to an action that defines a private argument can therefore inject a value for that argument. Depending on how the application uses the argument (for example an acting_user_id driving authorization or record ownership), this can lead to an integrity violation or privilege escalation.
This issue affects ash: from 3.0.0 before 3.29.3.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/ash-project/ash/security/advis… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-55736.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-55736 | related |
| https://github.com/ash-project/ash/commit/d9b3100… | patch |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| ash-project | ash |
Affected:
3.0.0 , < 3.29.3
(semver)
cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:* |
|
| ash-project | ash |
Affected:
5967ed3a483ab949866e6d7b043b043e61703f17 , < d9b3100219b3ea86d73202bf7368c03a7688efea
(git)
cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55736",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T14:53:04.134939Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T14:53:33.529Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/ash-project/ash/security/advisories/GHSA-f4hc-ppw9-4hhw"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Ash.Changeset\u0027"
],
"packageName": "ash",
"packageURL": "pkg:hex/ash",
"product": "ash",
"programFiles": [
"lib/ash/changeset/changeset.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Ash.Changeset\u0027:cast_params/4"
},
{
"name": "\u0027Elixir.Ash.Changeset\u0027:get_action_argument/2"
},
{
"name": "\u0027Elixir.Ash.Changeset\u0027:atomic_params/4"
},
{
"name": "\u0027Elixir.Ash.Changeset\u0027:has_argument?/2"
}
],
"repo": "https://github.com/ash-project/ash",
"vendor": "ash-project",
"versions": [
{
"lessThan": "3.29.3",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Ash.Changeset\u0027"
],
"packageName": "ash-project/ash",
"packageURL": "pkg:github/ash-project/ash",
"product": "ash",
"programFiles": [
"lib/ash/changeset/changeset.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Ash.Changeset\u0027:cast_params/4"
},
{
"name": "\u0027Elixir.Ash.Changeset\u0027:get_action_argument/2"
},
{
"name": "\u0027Elixir.Ash.Changeset\u0027:atomic_params/4"
},
{
"name": "\u0027Elixir.Ash.Changeset\u0027:has_argument?/2"
}
],
"repo": "https://github.com/ash-project/ash",
"vendor": "ash-project",
"versions": [
{
"lessThan": "d9b3100219b3ea86d73202bf7368c03a7688efea",
"status": "affected",
"version": "5967ed3a483ab949866e6d7b043b043e61703f17",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn action must declare a private argument (one defined with \u003ctt\u003epublic?: false\u003c/tt\u003e) whose value is meant to be set only by trusted server-side code, and the application must build the changeset from untrusted user-supplied parameters, passing them straight into \u003ctt\u003eAsh.Changeset.for_create/3\u003c/tt\u003e, \u003ctt\u003efor_update/3\u003c/tt\u003e, \u003ctt\u003efor_destroy/3\u003c/tt\u003e, or into an atomic or bulk update.\u003c/p\u003e"
}
],
"value": "An action must declare a private argument (one defined with public?: false) whose value is meant to be set only by trusted server-side code, and the application must build the changeset from untrusted user-supplied parameters, passing them straight into Ash.Changeset.for_create/3, for_update/3, for_destroy/3, or into an atomic or bulk update."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ash-project:ash:*:*:*:*:*:*:*:*",
"versionEndExcluding": "3.29.3",
"versionStartIncluding": "3.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Alfred Vi\u00e9"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Zach Daniel"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in ash-project ash allows a user to set the value of a private action argument that is intended to be controlled only by trusted server-side code.\u003cp\u003eAction arguments declared with \u003ctt\u003epublic?: false\u003c/tt\u003e are meant to be set internally (for example via \u003ctt\u003eAsh.Changeset.set_private_argument/3\u003c/tt\u003e) and must not be settable from end-user input. When a changeset is built from a parameter map, Ash filters out private arguments, but the filtering is incomplete.\u003c/p\u003e\u003cp\u003eIn the regular changeset path (\u003ctt\u003efor_create\u003c/tt\u003e, \u003ctt\u003efor_update\u003c/tt\u003e, \u003ctt\u003efor_destroy\u003c/tt\u003e), private arguments are stripped only when the parameter key is an atom. When the key is a binary (string), as is the case for user-supplied parameters, the private argument is kept and the user controls its value. In the atomic path (\u003ctt\u003eAsh.Changeset.fully_atomic_changeset/4\u003c/tt\u003e, also reached through atomic and bulk updates), private arguments are not stripped at all, regardless of whether the key is an atom or a binary.\u003c/p\u003e\u003cp\u003eAn attacker who can submit parameters to an action that defines a private argument can therefore inject a value for that argument. Depending on how the application uses the argument (for example an \u003ctt\u003eacting_user_id\u003c/tt\u003e driving authorization or record ownership), this can lead to an integrity violation or privilege escalation.\u003c/p\u003e\u003cp\u003eThis issue affects ash: from 3.0.0 before 3.29.3.\u003c/p\u003e"
}
],
"value": "Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in ash-project ash allows a user to set the value of a private action argument that is intended to be controlled only by trusted server-side code.\n\nAction arguments declared with public?: false are meant to be set internally (for example via Ash.Changeset.set_private_argument/3) and must not be settable from end-user input. When a changeset is built from a parameter map, Ash filters out private arguments, but the filtering is incomplete.\n\nIn the regular changeset path (for_create, for_update, for_destroy), private arguments are stripped only when the parameter key is an atom. When the key is a binary (string), as is the case for user-supplied parameters, the private argument is kept and the user controls its value. In the atomic path (Ash.Changeset.fully_atomic_changeset/4, also reached through atomic and bulk updates), private arguments are not stripped at all, regardless of whether the key is an atom or a binary.\n\nAn attacker who can submit parameters to an action that defines a private argument can therefore inject a value for that argument. Depending on how the application uses the argument (for example an acting_user_id driving authorization or record ownership), this can lead to an integrity violation or privilege escalation.\n\nThis issue affects ash: from 3.0.0 before 3.29.3."
}
],
"impacts": [
{
"capecId": "CAPEC-77",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-77 Manipulating User-Controlled Variables"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-915",
"description": "CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T04:34:23.070Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/ash-project/ash/security/advisories/GHSA-f4hc-ppw9-4hhw"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-55736.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-55736"
},
{
"tags": [
"patch"
],
"url": "https://github.com/ash-project/ash/commit/d9b3100219b3ea86d73202bf7368c03a7688efea"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Private action arguments can be set by user input in Ash",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-55736",
"datePublished": "2026-06-23T18:21:13.033Z",
"dateReserved": "2026-06-17T10:44:34.365Z",
"dateUpdated": "2026-07-10T04:34:23.070Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54892 (GCVE-0-2026-54892)
Vulnerability from cvelistv5 – Published: 2026-06-23 12:31 – Updated: 2026-06-23 18:21
VLAI
EPSS
VEX
Title
Plug: quadratic-time decoding of nested query/body parameters enables denial of service
Summary
Inefficient algorithmic complexity in Plug's nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service. Plug.Conn.Query.decode/4 (and Plug.Conn.Query.decode_each/2) parse query strings and application/x-www-form-urlencoded request bodies. When a key contains many bracketed segments such as a[a][a][a]=1, the decoder walks the brackets and, for each of the N levels, performs a map operation keyed on an ever-growing binary prefix of the key, hashing the full byte range at each step. The total decode cost is therefore quadratic in the number of nesting levels.
With the default Plug.Parsers.URLENCODED body limit of 1,000,000 bytes, a single request can carry roughly 333,000 nesting levels and saturate a BEAM scheduler for minutes. A small number of concurrent requests can saturate all schedulers and render a Plug-based server unresponsive. No authentication or knowledge of application routes is required.
This vulnerability is associated with program files lib/plug/conn/query.ex and program routines Plug.Conn.Query.decode/4, Plug.Conn.Query.decode_each/2, Plug.Conn.Query.split_keys/6, Plug.Conn.Query.insert_keys/3, and Plug.Conn.Query.finalize_pointer/2.
This issue affects plug from 1.15.0 before 1.15.5, 1.16.4, 1.17.2, 1.18.3, and 1.19.3.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-407 - Inefficient Algorithmic Complexity
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| elixir-plug | plug |
Affected:
1.15.0 , < 1.15.5
(semver)
Affected: 1.16.0 , < 1.16.4 (semver) Affected: 1.17.0 , < 1.17.2 (semver) Affected: 1.18.0 , < 1.18.3 (semver) Affected: 1.19.0 , < 1.19.3 (semver) cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:* |
|
| elixir-plug | plug |
Affected:
712b875d3442c765d8d37e546ffd5ad9f8afcc55 , < *
(git)
cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54892",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-23T13:03:58.893269Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T13:04:27.014Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/elixir-plug/plug/security/advisories/GHSA-j43x-5hjq-rgxf"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Plug.Conn.Query\u0027"
],
"packageName": "plug",
"packageURL": "pkg:hex/plug",
"product": "plug",
"programFiles": [
"lib/plug/conn/query.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Plug.Conn.Query\u0027:decode/4"
},
{
"name": "\u0027Elixir.Plug.Conn.Query\u0027:decode_each/2"
},
{
"name": "\u0027Elixir.Plug.Conn.Query\u0027:split_keys/6"
},
{
"name": "\u0027Elixir.Plug.Conn.Query\u0027:insert_keys/3"
},
{
"name": "\u0027Elixir.Plug.Conn.Query\u0027:finalize_pointer/2"
}
],
"repo": "https://github.com/elixir-plug/plug",
"vendor": "elixir-plug",
"versions": [
{
"lessThan": "1.15.5",
"status": "affected",
"version": "1.15.0",
"versionType": "semver"
},
{
"lessThan": "1.16.4",
"status": "affected",
"version": "1.16.0",
"versionType": "semver"
},
{
"lessThan": "1.17.2",
"status": "affected",
"version": "1.17.0",
"versionType": "semver"
},
{
"lessThan": "1.18.3",
"status": "affected",
"version": "1.18.0",
"versionType": "semver"
},
{
"lessThan": "1.19.3",
"status": "affected",
"version": "1.19.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Plug.Conn.Query\u0027"
],
"packageName": "elixir-plug/plug",
"packageURL": "pkg:github/elixir-plug/plug",
"product": "plug",
"programFiles": [
"lib/plug/conn/query.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Plug.Conn.Query\u0027:decode/4"
},
{
"name": "\u0027Elixir.Plug.Conn.Query\u0027:decode_each/2"
},
{
"name": "\u0027Elixir.Plug.Conn.Query\u0027:split_keys/6"
},
{
"name": "\u0027Elixir.Plug.Conn.Query\u0027:insert_keys/3"
},
{
"name": "\u0027Elixir.Plug.Conn.Query\u0027:finalize_pointer/2"
}
],
"repo": "https://github.com/elixir-plug/plug",
"vendor": "elixir-plug",
"versions": [
{
"changes": [
{
"at": "c317d08fdcf96e17931f7419275b2b8c4bf3e951",
"status": "unaffected"
},
{
"at": "9c5d37c440eaae92869eed7c014c47266744fadb",
"status": "unaffected"
},
{
"at": "d737eb236f17e31a36290e39f9ef3cd86a1343bd",
"status": "unaffected"
},
{
"at": "d4e5568392a4b29e545b91e12e87d6098f976145",
"status": "unaffected"
},
{
"at": "a61124aa625d819a218fb07f90afbac8aa85eb0e",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "712b875d3442c765d8d37e546ffd5ad9f8afcc55",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.15.5",
"versionStartIncluding": "1.15.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.16.4",
"versionStartIncluding": "1.16.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.17.2",
"versionStartIncluding": "1.17.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.18.3",
"versionStartIncluding": "1.18.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.19.3",
"versionStartIncluding": "1.19.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Braidon Whatley"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jos\u00e9 Valim"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eInefficient algorithmic complexity in Plug\u0027s nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service. \u003ctt\u003ePlug.Conn.Query.decode/4\u003c/tt\u003e (and \u003ctt\u003ePlug.Conn.Query.decode_each/2\u003c/tt\u003e) parse query strings and \u003ctt\u003eapplication/x-www-form-urlencoded\u003c/tt\u003e request bodies. When a key contains many bracketed segments such as \u003ctt\u003ea[a][a][a]=1\u003c/tt\u003e, the decoder walks the brackets and, for each of the N levels, performs a map operation keyed on an ever-growing binary prefix of the key, hashing the full byte range at each step. The total decode cost is therefore quadratic in the number of nesting levels.\u003c/p\u003e\u003cp\u003eWith the default \u003ctt\u003ePlug.Parsers.URLENCODED\u003c/tt\u003e body limit of 1,000,000 bytes, a single request can carry roughly 333,000 nesting levels and saturate a BEAM scheduler for minutes. A small number of concurrent requests can saturate all schedulers and render a Plug-based server unresponsive. No authentication or knowledge of application routes is required.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/plug/conn/query.ex\u003c/tt\u003e and program routines \u003ctt\u003ePlug.Conn.Query.decode/4\u003c/tt\u003e, \u003ctt\u003ePlug.Conn.Query.decode_each/2\u003c/tt\u003e, \u003ctt\u003ePlug.Conn.Query.split_keys/6\u003c/tt\u003e, \u003ctt\u003ePlug.Conn.Query.insert_keys/3\u003c/tt\u003e, and \u003ctt\u003ePlug.Conn.Query.finalize_pointer/2\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects plug from 1.15.0 before 1.15.5, 1.16.4, 1.17.2, 1.18.3, and 1.19.3.\u003c/p\u003e"
}
],
"value": "Inefficient algorithmic complexity in Plug\u0027s nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service. Plug.Conn.Query.decode/4 (and Plug.Conn.Query.decode_each/2) parse query strings and application/x-www-form-urlencoded request bodies. When a key contains many bracketed segments such as a[a][a][a]=1, the decoder walks the brackets and, for each of the N levels, performs a map operation keyed on an ever-growing binary prefix of the key, hashing the full byte range at each step. The total decode cost is therefore quadratic in the number of nesting levels.\n\nWith the default Plug.Parsers.URLENCODED body limit of 1,000,000 bytes, a single request can carry roughly 333,000 nesting levels and saturate a BEAM scheduler for minutes. A small number of concurrent requests can saturate all schedulers and render a Plug-based server unresponsive. No authentication or knowledge of application routes is required.\n\nThis vulnerability is associated with program files lib/plug/conn/query.ex and program routines Plug.Conn.Query.decode/4, Plug.Conn.Query.decode_each/2, Plug.Conn.Query.split_keys/6, Plug.Conn.Query.insert_keys/3, and Plug.Conn.Query.finalize_pointer/2.\n\nThis issue affects plug from 1.15.0 before 1.15.5, 1.16.4, 1.17.2, 1.18.3, and 1.19.3."
}
],
"impacts": [
{
"capecId": "CAPEC-229",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-229 Serialized Data Parameter Blowup"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-407",
"description": "CWE-407 Inefficient Algorithmic Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T18:21:14.232Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/elixir-plug/plug/security/advisories/GHSA-j43x-5hjq-rgxf"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-54892.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-54892"
},
{
"tags": [
"patch"
],
"url": "https://github.com/elixir-plug/plug/commit/c317d08fdcf96e17931f7419275b2b8c4bf3e951"
},
{
"tags": [
"patch"
],
"url": "https://github.com/elixir-plug/plug/commit/9c5d37c440eaae92869eed7c014c47266744fadb"
},
{
"tags": [
"patch"
],
"url": "https://github.com/elixir-plug/plug/commit/d737eb236f17e31a36290e39f9ef3cd86a1343bd"
},
{
"tags": [
"patch"
],
"url": "https://github.com/elixir-plug/plug/commit/d4e5568392a4b29e545b91e12e87d6098f976145"
},
{
"tags": [
"patch"
],
"url": "https://github.com/elixir-plug/plug/commit/a61124aa625d819a218fb07f90afbac8aa85eb0e"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Plug: quadratic-time decoding of nested query/body parameters enables denial of service",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-54892",
"datePublished": "2026-06-23T12:31:12.629Z",
"dateReserved": "2026-06-16T10:47:13.915Z",
"dateUpdated": "2026-06-23T18:21:14.232Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48591 (GCVE-0-2026-48591)
Vulnerability from cvelistv5 – Published: 2026-06-17 16:42 – Updated: 2026-06-18 04:45
VLAI
EPSS
VEX
Title
Stored XSS via unescaped HTML attribute values in earmark
Summary
Improper Neutralization of Script in Attributes in a Web Page vulnerability in pragdave earmark allows stored cross-site scripting via unescaped HTML attribute values.
'Elixir.Earmark.Transform':_make_att1/2 in lib/earmark/transform.ex splices attribute values verbatim between two literal " bytes: [" ", name, "=\"", value, "\""]. Text nodes are routed through the existing escape function which encodes " as ", but attribute values never visit that path. A markdown link whose URL or title contains a bare " closes the attribute early and lets the trailing bytes be parsed by the browser as fresh HTML attributes. For example, [click](http://example.com/?a=x" onerror="alert(1)) renders as <a href="http://example.com/?a=x" onerror="alert(1)">click</a>, executing arbitrary JavaScript in the victim's browser.
The earmark library is no longer maintained and has been retired on Hex. No patched version will be released. All releases from 1.4.1 onward are affected, and users should migrate to a maintained Markdown library such as MDEx.
This issue affects earmark from 1.4.1 onward.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-83 - Improper Neutralization of Script in Attributes in a Web Page
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://cna.erlef.org/cves/CVE-2026-48591.html | relatedthird-party-advisory |
| https://osv.dev/vulnerability/EEF-CVE-2026-48591 | related |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48591",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-17T18:25:40.841347Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T18:25:55.606Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:pragdave:earmark:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Earmark.Transform\u0027"
],
"packageName": "earmark",
"packageURL": "pkg:hex/earmark",
"product": "earmark",
"programFiles": [
"lib/earmark/transform.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Earmark.Transform\u0027:_make_att1/2"
}
],
"repo": "https://github.com/pragdave/earmark",
"vendor": "pragdave",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "1.4.1",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:pragdave:earmark:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Earmark.Transform\u0027"
],
"packageName": "pragdave/earmark",
"packageURL": "pkg:github/pragdave/earmark",
"product": "earmark",
"programFiles": [
"lib/earmark/transform.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Earmark.Transform\u0027:_make_att1/2"
}
],
"repo": "https://github.com/pragdave/earmark",
"vendor": "pragdave",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "8236a0570bd894b50e360da08131ec3294c20799",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pragdave:earmark:*:*:*:*:*:*:*:*",
"versionStartIncluding": "1.4.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Robert Dober"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper Neutralization of Script in Attributes in a Web Page vulnerability in pragdave earmark allows stored cross-site scripting via unescaped HTML attribute values.\u003c/p\u003e\u003cp\u003e\u003ctt\u003e\u0027Elixir.Earmark.Transform\u0027:_make_att1/2\u003c/tt\u003e in \u003ctt\u003elib/earmark/transform.ex\u003c/tt\u003e splices attribute values verbatim between two literal \u003ctt\u003e\"\u003c/tt\u003e bytes: \u003ctt\u003e[\" \", name, \"=\\\"\" , value, \"\\\"\"]\u003c/tt\u003e. Text nodes are routed through the existing escape function which encodes \u003ctt\u003e\"\u003c/tt\u003e as \u003ctt\u003e\u0026amp;quot;\u003c/tt\u003e, but attribute values never visit that path. A markdown link whose URL or title contains a bare \u003ctt\u003e\"\u003c/tt\u003e closes the attribute early and lets the trailing bytes be parsed by the browser as fresh HTML attributes. For example, \u003ctt\u003e[click](http://example.com/?a=x\" onerror=\"alert(1))\u003c/tt\u003e renders as \u003ctt\u003e\u0026lt;a href=\"http://example.com/?a=x\" onerror=\"alert(1)\"\u0026gt;click\u0026lt;/a\u0026gt;\u003c/tt\u003e, executing arbitrary JavaScript in the victim\u0027s browser.\u003c/p\u003e\u003cp\u003eThe earmark library is no longer maintained and has been retired on Hex. No patched version will be released. All releases from 1.4.1 onward are affected, and users should migrate to a maintained Markdown library such as MDEx.\u003c/p\u003e\u003cp\u003eThis issue affects earmark from 1.4.1 onward.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Script in Attributes in a Web Page vulnerability in pragdave earmark allows stored cross-site scripting via unescaped HTML attribute values.\n\n\u0027Elixir.Earmark.Transform\u0027:_make_att1/2 in lib/earmark/transform.ex splices attribute values verbatim between two literal \" bytes: [\" \", name, \"=\\\"\", value, \"\\\"\"]. Text nodes are routed through the existing escape function which encodes \" as \u0026quot;, but attribute values never visit that path. A markdown link whose URL or title contains a bare \" closes the attribute early and lets the trailing bytes be parsed by the browser as fresh HTML attributes. For example, [click](http://example.com/?a=x\" onerror=\"alert(1)) renders as \u003ca href=\"http://example.com/?a=x\" onerror=\"alert(1)\"\u003eclick\u003c/a\u003e, executing arbitrary JavaScript in the victim\u0027s browser.\n\nThe earmark library is no longer maintained and has been retired on Hex. No patched version will be released. All releases from 1.4.1 onward are affected, and users should migrate to a maintained Markdown library such as MDEx.\n\nThis issue affects earmark from 1.4.1 onward."
}
],
"impacts": [
{
"capecId": "CAPEC-243",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-243 XSS Targeting HTML Attributes"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-83",
"description": "CWE-83 Improper Neutralization of Script in Attributes in a Web Page",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T04:45:59.864Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"related",
"third-party-advisory"
],
"url": "https://cna.erlef.org/cves/CVE-2026-48591.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-48591"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Stored XSS via unescaped HTML attribute values in earmark",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMigrate to a maintained Markdown library such as \u003ca href=\"https://hex.pm/packages/mdex\"\u003eMDEx\u003c/a\u003e. The earmark package has been retired on Hex and no patched release will be made.\u003c/p\u003e"
}
],
"value": "Migrate to a maintained Markdown library such as MDEx (https://hex.pm/packages/mdex). The earmark package has been retired on Hex and no patched release will be made."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-48591",
"datePublished": "2026-06-17T16:42:37.508Z",
"dateReserved": "2026-05-22T09:36:56.834Z",
"dateUpdated": "2026-06-18T04:45:59.864Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48853 (GCVE-0-2026-48853)
Vulnerability from cvelistv5 – Published: 2026-06-15 21:56 – Updated: 2026-06-17 04:47
VLAI
EPSS
VEX
Title
Remote code execution and denial of service via unsafe Erlang term deserialization in elixir-grpc/grpc
Summary
Deserialization of Untrusted Data and Allocation of Resources Without Limits or Throttling vulnerabilities in elixir-grpc grpc allow unauthenticated attackers to crash the BEAM node via atom table exhaustion and, when a decoded term flows into a call site that invokes it, achieve remote code execution on the server.
'Elixir.GRPC.Codec.Erlpack':decode/2 (lib/grpc/codec/erlpack.ex) calls :erlang.binary_to_term/1 on the raw gRPC message body without the :safe option, no size bound, and no type guard. Any unauthenticated peer that sends a request with Content-Type: application/grpc+erlpack can send a crafted payload that mints arbitrary new atoms (which are never garbage-collected, exhausting the bounded atom table and crashing the VM) or that encodes a fun term which, if applied anywhere downstream, executes attacker-controlled code inside the server process.
This issue affects grpc from 0.4.0 before 1.0.0.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/elixir-grpc/grpc/security/advi… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-48853.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-48853 | related |
| https://github.com/elixir-grpc/grpc/commit/272a97… | patch |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| elixir-grpc | grpc |
Affected:
0.4.0 , < 1.0.0
(semver)
cpe:2.3:a:elixir-grpc:grpc:*:*:*:*:*:*:*:* |
|
| elixir-grpc | grpc |
Affected:
25bcc569fe2cc4478531a6c546c923205fc751c9 , < 272a97a5ea1b46af1819f14a831fcf35fc91f992
(git)
cpe:2.3:a:elixir-grpc:grpc:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48853",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T14:44:19.175606Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T14:45:02.196Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/elixir-grpc/grpc/security/advisories/GHSA-grp7-v8xh-rj7h"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:elixir-grpc:grpc:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.GRPC.Codec.Erlpack\u0027"
],
"packageName": "grpc",
"packageURL": "pkg:hex/grpc",
"product": "grpc",
"programFiles": [
"lib/grpc/codec/erlpack.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.GRPC.Codec.Erlpack\u0027:decode/2"
}
],
"repo": "https://github.com/elixir-grpc/grpc",
"vendor": "elixir-grpc",
"versions": [
{
"lessThan": "1.0.0",
"status": "affected",
"version": "0.4.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:elixir-grpc:grpc:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.GRPC.Codec.Erlpack\u0027"
],
"packageName": "elixir-grpc/grpc",
"packageURL": "pkg:github/elixir-grpc/grpc",
"product": "grpc",
"programFiles": [
"lib/grpc/codec/erlpack.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.GRPC.Codec.Erlpack\u0027:decode/2"
}
],
"repo": "https://github.com/elixir-grpc/grpc",
"vendor": "elixir-grpc",
"versions": [
{
"lessThan": "272a97a5ea1b46af1819f14a831fcf35fc91f992",
"status": "affected",
"version": "25bcc569fe2cc4478531a6c546c923205fc751c9",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ctt\u003eGRPC.Codec.Erlpack\u003c/tt\u003e must be explicitly registered as a codec on the gRPC server."
}
],
"value": "GRPC.Codec.Erlpack must be explicitly registered as a codec on the gRPC server."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:elixir-grpc:grpc:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.0.0",
"versionStartIncluding": "0.4.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Paulo Valente"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eDeserialization of Untrusted Data and Allocation of Resources Without Limits or Throttling vulnerabilities in elixir-grpc grpc allow unauthenticated attackers to crash the BEAM node via atom table exhaustion and, when a decoded term flows into a call site that invokes it, achieve remote code execution on the server.\u003c/p\u003e\u003cp\u003e\u003ctt\u003e\u0027Elixir.GRPC.Codec.Erlpack\u0027:decode/2\u003c/tt\u003e (\u003ctt\u003elib/grpc/codec/erlpack.ex\u003c/tt\u003e) calls \u003ctt\u003e:erlang.binary_to_term/1\u003c/tt\u003e on the raw gRPC message body without the \u003ctt\u003e:safe\u003c/tt\u003e option, no size bound, and no type guard. Any unauthenticated peer that sends a request with \u003ctt\u003eContent-Type: application/grpc+erlpack\u003c/tt\u003e can send a crafted payload that mints arbitrary new atoms (which are never garbage-collected, exhausting the bounded atom table and crashing the VM) or that encodes a fun term which, if applied anywhere downstream, executes attacker-controlled code inside the server process.\u003c/p\u003e\u003cp\u003eThis issue affects grpc from 0.4.0 before 1.0.0.\u003c/p\u003e"
}
],
"value": "Deserialization of Untrusted Data and Allocation of Resources Without Limits or Throttling vulnerabilities in elixir-grpc grpc allow unauthenticated attackers to crash the BEAM node via atom table exhaustion and, when a decoded term flows into a call site that invokes it, achieve remote code execution on the server.\n\n\u0027Elixir.GRPC.Codec.Erlpack\u0027:decode/2 (lib/grpc/codec/erlpack.ex) calls :erlang.binary_to_term/1 on the raw gRPC message body without the :safe option, no size bound, and no type guard. Any unauthenticated peer that sends a request with Content-Type: application/grpc+erlpack can send a crafted payload that mints arbitrary new atoms (which are never garbage-collected, exhausting the bounded atom table and crashing the VM) or that encodes a fun term which, if applied anywhere downstream, executes attacker-controlled code inside the server process.\n\nThis issue affects grpc from 0.4.0 before 1.0.0."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
},
{
"capecId": "CAPEC-231",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-231 Oversized Serialized Data Payloads"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
},
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T04:47:30.147Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/elixir-grpc/grpc/security/advisories/GHSA-grp7-v8xh-rj7h"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-48853.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-48853"
},
{
"tags": [
"patch"
],
"url": "https://github.com/elixir-grpc/grpc/commit/272a97a5ea1b46af1819f14a831fcf35fc91f992"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Remote code execution and denial of service via unsafe Erlang term deserialization in elixir-grpc/grpc",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-48853",
"datePublished": "2026-06-15T21:56:15.262Z",
"dateReserved": "2026-05-25T20:44:10.696Z",
"dateUpdated": "2026-06-17T04:47:30.147Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53430 (GCVE-0-2026-53430)
Vulnerability from cvelistv5 – Published: 2026-06-15 21:55 – Updated: 2026-06-17 04:46
VLAI
EPSS
VEX
Title
grpc gzip decompression bomb in GRPC.Compressor.Gzip.decompress/1
Summary
Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-grpc grpc (GRPC.Compressor.Gzip, GRPC.Message modules) allows a denial of service via a gzip decompression bomb.
This vulnerability is associated with program files lib/grpc/compressor/gzip.ex, lib/grpc/message.ex and program routines 'Elixir.GRPC.Compressor.Gzip':decompress/1, 'Elixir.GRPC.Message':from_data/2.
'Elixir.GRPC.Compressor.Gzip':decompress/1 calls :zlib.gunzip/1 directly on attacker-controlled bytes with no decompressed-size limit, ratio check, or incremental decoding. Because this module is the registered gzip GRPC.Compressor implementation, it is invoked automatically whenever an incoming gRPC frame carries the grpc-encoding: gzip header. :zlib.gunzip/1 allocates the entire decompressed result as a single binary, so a small highly compressible payload (for example a few kilobytes of zeros, which gzip compresses at roughly 1000:1) expands to multiple gigabytes inside a single call. The max_receive_message_length limit is enforced only against the already-decompressed message, so it provides no protection. An unauthenticated remote peer can send a single crafted frame to exhaust the BEAM node's heap and trigger an out-of-memory kill.
This issue affects grpc: from 0.4.0 before 1.0.0.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/elixir-grpc/grpc/security/advi… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-53430.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-53430 | related |
| https://github.com/elixir-grpc/grpc/commit/1afbab… | patch |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| elixir-grpc | grpc |
Affected:
0.4.0 , < 1.0.0
(semver)
cpe:2.3:a:elixir-grpc:grpc:*:*:*:*:*:*:*:* |
|
| elixir-grpc | grpc |
Affected:
beae6800fc8baf126f3fe7107d86a50e105275ba , < 1afbab9d57d2a3e16ca9c62ffa4923338ea96cfc
(git)
cpe:2.3:a:elixir-grpc:grpc:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-53430",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T14:42:39.467618Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T14:43:11.143Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/elixir-grpc/grpc/security/advisories/GHSA-6ccx-9c9f-327w"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://hex.pm",
"cpes": [
"cpe:2.3:a:elixir-grpc:grpc:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.GRPC.Compressor.Gzip\u0027",
"\u0027Elixir.GRPC.Message\u0027"
],
"packageName": "grpc",
"packageURL": "pkg:hex/grpc",
"product": "grpc",
"programFiles": [
"lib/grpc/compressor/gzip.ex",
"lib/grpc/message.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.GRPC.Compressor.Gzip\u0027:decompress/1"
},
{
"name": "\u0027Elixir.GRPC.Message\u0027:from_data/2"
}
],
"repo": "https://github.com/elixir-grpc/grpc",
"vendor": "elixir-grpc",
"versions": [
{
"lessThan": "1.0.0",
"status": "affected",
"version": "0.4.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:elixir-grpc:grpc:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.GRPC.Compressor.Gzip\u0027",
"\u0027Elixir.GRPC.Message\u0027"
],
"packageName": "elixir-grpc/grpc",
"packageURL": "pkg:github/elixir-grpc/grpc",
"product": "grpc",
"programFiles": [
"lib/grpc/compressor/gzip.ex",
"lib/grpc/message.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.GRPC.Compressor.Gzip\u0027:decompress/1"
},
{
"name": "\u0027Elixir.GRPC.Message\u0027:from_data/2"
}
],
"repo": "https://github.com/elixir-grpc/grpc",
"vendor": "elixir-grpc",
"versions": [
{
"lessThan": "1afbab9d57d2a3e16ca9c62ffa4923338ea96cfc",
"status": "affected",
"version": "beae6800fc8baf126f3fe7107d86a50e105275ba",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:elixir-grpc:grpc:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.0.0",
"versionStartIncluding": "0.4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Paulo Valente"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-grpc grpc (\u003ctt\u003eGRPC.Compressor.Gzip\u003c/tt\u003e, \u003ctt\u003eGRPC.Message\u003c/tt\u003e modules) allows a denial of service via a gzip decompression bomb.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/grpc/compressor/gzip.ex\u003c/tt\u003e, \u003ctt\u003elib/grpc/message.ex\u003c/tt\u003e and program routines \u003ctt\u003e\u0027Elixir.GRPC.Compressor.Gzip\u0027:decompress/1\u003c/tt\u003e, \u003ctt\u003e\u0027Elixir.GRPC.Message\u0027:from_data/2\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003e\u003ctt\u003e\u0027Elixir.GRPC.Compressor.Gzip\u0027:decompress/1\u003c/tt\u003e calls \u003ctt\u003e:zlib.gunzip/1\u003c/tt\u003e directly on attacker-controlled bytes with no decompressed-size limit, ratio check, or incremental decoding. Because this module is the registered gzip \u003ctt\u003eGRPC.Compressor\u003c/tt\u003e implementation, it is invoked automatically whenever an incoming gRPC frame carries the \u003ctt\u003egrpc-encoding: gzip\u003c/tt\u003e header. \u003ctt\u003e:zlib.gunzip/1\u003c/tt\u003e allocates the entire decompressed result as a single binary, so a small highly compressible payload (for example a few kilobytes of zeros, which gzip compresses at roughly 1000:1) expands to multiple gigabytes inside a single call. The \u003ctt\u003emax_receive_message_length\u003c/tt\u003e limit is enforced only against the already-decompressed message, so it provides no protection. An unauthenticated remote peer can send a single crafted frame to exhaust the BEAM node\u0027s heap and trigger an out-of-memory kill.\u003c/p\u003e\u003cp\u003eThis issue affects grpc: from 0.4.0 before 1.0.0.\u003c/p\u003e"
}
],
"value": "Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-grpc grpc (GRPC.Compressor.Gzip, GRPC.Message modules) allows a denial of service via a gzip decompression bomb.\n\nThis vulnerability is associated with program files lib/grpc/compressor/gzip.ex, lib/grpc/message.ex and program routines \u0027Elixir.GRPC.Compressor.Gzip\u0027:decompress/1, \u0027Elixir.GRPC.Message\u0027:from_data/2.\n\n\u0027Elixir.GRPC.Compressor.Gzip\u0027:decompress/1 calls :zlib.gunzip/1 directly on attacker-controlled bytes with no decompressed-size limit, ratio check, or incremental decoding. Because this module is the registered gzip GRPC.Compressor implementation, it is invoked automatically whenever an incoming gRPC frame carries the grpc-encoding: gzip header. :zlib.gunzip/1 allocates the entire decompressed result as a single binary, so a small highly compressible payload (for example a few kilobytes of zeros, which gzip compresses at roughly 1000:1) expands to multiple gigabytes inside a single call. The max_receive_message_length limit is enforced only against the already-decompressed message, so it provides no protection. An unauthenticated remote peer can send a single crafted frame to exhaust the BEAM node\u0027s heap and trigger an out-of-memory kill.\n\nThis issue affects grpc: from 0.4.0 before 1.0.0."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-409",
"description": "CWE-409 Improper Handling of Highly Compressed Data (Data Amplification)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T04:46:39.180Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/elixir-grpc/grpc/security/advisories/GHSA-6ccx-9c9f-327w"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-53430.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-53430"
},
{
"tags": [
"patch"
],
"url": "https://github.com/elixir-grpc/grpc/commit/1afbab9d57d2a3e16ca9c62ffa4923338ea96cfc"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "grpc gzip decompression bomb in GRPC.Compressor.Gzip.decompress/1",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-53430",
"datePublished": "2026-06-15T21:55:33.707Z",
"dateReserved": "2026-06-09T11:01:47.529Z",
"dateUpdated": "2026-06-17T04:46:39.180Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48599 (GCVE-0-2026-48599)
Vulnerability from cvelistv5 – Published: 2026-06-15 21:55 – Updated: 2026-06-17 04:46
VLAI
EPSS
VEX
Title
Authorization bypass via path binding override in elixir-grpc/grpc HTTP transcoding
Summary
Authorization Bypass Through User-Controlled Key vulnerability in elixir-grpc grpc allows authenticated attackers to access or modify resources belonging to other users by smuggling a conflicting value for any path-bound field via the query string or request body.
In 'Elixir.GRPC.Server.Transcode':map_request/5 (lib/grpc/server/transcode.ex), all three clauses use Map.merge/2 with path bindings as the first argument, giving them the lowest merge precedence. A request such as GET /users/me/profile?user_id=victim (or a POST with {"user_id": "victim"} when body: "*") yields a decoded protobuf struct where the path-bound field carries the attacker-supplied value rather than the router-extracted value. Any handler that uses the path-bound field for authorization, multi-tenancy scoping, or ownership checks is silently bypassed.
This issue affects grpc from 0.8.0 before 1.0.0.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/elixir-grpc/grpc/security/advi… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-48599.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-48599 | related |
| https://github.com/elixir-grpc/grpc/commit/33b6a0… | patch |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| elixir-grpc | grpc |
Affected:
0.8.0 , < 1.0.0
(semver)
cpe:2.3:a:elixir-grpc:grpc:*:*:*:*:*:*:*:* |
|
| elixir-grpc | grpc |
Affected:
8aaf3d3a8c4c7b08ac65e9c6f254e0d24da1d048 , < 33b6a095dbc91c6dee3c7b90893d7d74952e82e4
(git)
cpe:2.3:a:elixir-grpc:grpc:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48599",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T14:45:46.288762Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T14:46:09.673Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/elixir-grpc/grpc/security/advisories/GHSA-mwr4-5g34-j5cq"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:elixir-grpc:grpc:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.GRPC.Server.Transcode\u0027"
],
"packageName": "grpc",
"packageURL": "pkg:hex/grpc",
"product": "grpc",
"programFiles": [
"lib/grpc/server/transcode.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.GRPC.Server.Transcode\u0027:map_request/5"
}
],
"repo": "https://github.com/elixir-grpc/grpc",
"vendor": "elixir-grpc",
"versions": [
{
"lessThan": "1.0.0",
"status": "affected",
"version": "0.8.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:elixir-grpc:grpc:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.GRPC.Server.Transcode\u0027"
],
"packageName": "elixir-grpc/grpc",
"packageURL": "pkg:github/elixir-grpc/grpc",
"product": "grpc",
"programFiles": [
"lib/grpc/server/transcode.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.GRPC.Server.Transcode\u0027:map_request/5"
}
],
"repo": "https://github.com/elixir-grpc/grpc",
"vendor": "elixir-grpc",
"versions": [
{
"lessThan": "33b6a095dbc91c6dee3c7b90893d7d74952e82e4",
"status": "affected",
"version": "8aaf3d3a8c4c7b08ac65e9c6f254e0d24da1d048",
"versionType": "git"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "HTTP-to-gRPC transcoding must be enabled."
}
],
"value": "HTTP-to-gRPC transcoding must be enabled."
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:elixir-grpc:grpc:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.0.0",
"versionStartIncluding": "0.8.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Paulo Valente"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAuthorization Bypass Through User-Controlled Key vulnerability in elixir-grpc grpc allows authenticated attackers to access or modify resources belonging to other users by smuggling a conflicting value for any path-bound field via the query string or request body.\u003c/p\u003e\u003cp\u003eIn \u003ctt\u003e\u0027Elixir.GRPC.Server.Transcode\u0027:map_request/5\u003c/tt\u003e (\u003ctt\u003elib/grpc/server/transcode.ex\u003c/tt\u003e), all three clauses use \u003ctt\u003eMap.merge/2\u003c/tt\u003e with path bindings as the first argument, giving them the lowest merge precedence. A request such as \u003ctt\u003eGET /users/me/profile?user_id=victim\u003c/tt\u003e (or a POST with \u003ctt\u003e{\"user_id\": \"victim\"}\u003c/tt\u003e when \u003ctt\u003ebody: \"*\"\u003c/tt\u003e) yields a decoded protobuf struct where the path-bound field carries the attacker-supplied value rather than the router-extracted value. Any handler that uses the path-bound field for authorization, multi-tenancy scoping, or ownership checks is silently bypassed.\u003c/p\u003e\u003cp\u003eThis issue affects grpc from 0.8.0 before 1.0.0.\u003c/p\u003e"
}
],
"value": "Authorization Bypass Through User-Controlled Key vulnerability in elixir-grpc grpc allows authenticated attackers to access or modify resources belonging to other users by smuggling a conflicting value for any path-bound field via the query string or request body.\n\nIn \u0027Elixir.GRPC.Server.Transcode\u0027:map_request/5 (lib/grpc/server/transcode.ex), all three clauses use Map.merge/2 with path bindings as the first argument, giving them the lowest merge precedence. A request such as GET /users/me/profile?user_id=victim (or a POST with {\"user_id\": \"victim\"} when body: \"*\") yields a decoded protobuf struct where the path-bound field carries the attacker-supplied value rather than the router-extracted value. Any handler that uses the path-bound field for authorization, multi-tenancy scoping, or ownership checks is silently bypassed.\n\nThis issue affects grpc from 0.8.0 before 1.0.0."
}
],
"impacts": [
{
"capecId": "CAPEC-460",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-460 HTTP Parameter Pollution (HPP)"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T04:46:32.876Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/elixir-grpc/grpc/security/advisories/GHSA-mwr4-5g34-j5cq"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-48599.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-48599"
},
{
"tags": [
"patch"
],
"url": "https://github.com/elixir-grpc/grpc/commit/33b6a095dbc91c6dee3c7b90893d7d74952e82e4"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Authorization bypass via path binding override in elixir-grpc/grpc HTTP transcoding",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-48599",
"datePublished": "2026-06-15T21:55:28.702Z",
"dateReserved": "2026-05-22T09:36:56.834Z",
"dateUpdated": "2026-06-17T04:46:32.876Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48854 (GCVE-0-2026-48854)
Vulnerability from cvelistv5 – Published: 2026-06-15 21:55 – Updated: 2026-06-17 04:46
VLAI
EPSS
VEX
Title
Unbounded request body accumulation causes memory exhaustion in elixir-grpc/grpc
Summary
Allocation of Resources Without Limits or Throttling vulnerability in elixir-grpc grpc allows unauthenticated attackers to exhaust the BEAM's memory and crash the server by streaming a large or slow-trickle unary request body.
'Elixir.GRPC.Server.Adapters.Cowboy.Handler':read_full_body/3 (lib/grpc/server/adapters/cowboy/handler.ex) accumulates every received chunk into a single growing binary with no size cap. Additionally, when the client omits the grpc-timeout header, the per-chunk read timeout resolves to :infinity, allowing a slow-trickle client to keep the connection alive indefinitely while memory grows. A single connection is sufficient to exhaust server memory and crash the node.
This issue affects grpc from 0.3.1 before 1.0.0.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/elixir-grpc/grpc/security/advi… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-48854.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-48854 | related |
| https://github.com/elixir-grpc/grpc/commit/49e18c… | patch |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| elixir-grpc | grpc |
Affected:
0.3.1 , < 1.0.0
(semver)
cpe:2.3:a:elixir-grpc:grpc:*:*:*:*:*:*:*:* |
|
| elixir-grpc | grpc |
Affected:
d1abe70a6cad6dac4a3f8235d883d7c896989560 , < 49e18c3ec6bb9afe2f712caad3dbab5c56a68a00
(git)
cpe:2.3:a:elixir-grpc:grpc:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48854",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T14:47:02.881535Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T14:47:28.479Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/elixir-grpc/grpc/security/advisories/GHSA-q8gf-9rvj-gmgj"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:elixir-grpc:grpc:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.GRPC.Server.Adapters.Cowboy.Handler\u0027"
],
"packageName": "grpc",
"packageURL": "pkg:hex/grpc",
"product": "grpc",
"programFiles": [
"lib/grpc/server/adapters/cowboy/handler.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.GRPC.Server.Adapters.Cowboy.Handler\u0027:read_full_body/3"
}
],
"repo": "https://github.com/elixir-grpc/grpc",
"vendor": "elixir-grpc",
"versions": [
{
"lessThan": "1.0.0",
"status": "affected",
"version": "0.3.1",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:elixir-grpc:grpc:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.GRPC.Server.Adapters.Cowboy.Handler\u0027"
],
"packageName": "elixir-grpc/grpc",
"packageURL": "pkg:github/elixir-grpc/grpc",
"product": "grpc",
"programFiles": [
"lib/grpc/server/adapters/cowboy/handler.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.GRPC.Server.Adapters.Cowboy.Handler\u0027:read_full_body/3"
}
],
"repo": "https://github.com/elixir-grpc/grpc",
"vendor": "elixir-grpc",
"versions": [
{
"lessThan": "49e18c3ec6bb9afe2f712caad3dbab5c56a68a00",
"status": "affected",
"version": "d1abe70a6cad6dac4a3f8235d883d7c896989560",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:elixir-grpc:grpc:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.0.0",
"versionStartIncluding": "0.3.1",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Paulo Valente"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAllocation of Resources Without Limits or Throttling vulnerability in elixir-grpc grpc allows unauthenticated attackers to exhaust the BEAM\u0027s memory and crash the server by streaming a large or slow-trickle unary request body.\u003c/p\u003e\u003cp\u003e\u003ctt\u003e\u0027Elixir.GRPC.Server.Adapters.Cowboy.Handler\u0027:read_full_body/3\u003c/tt\u003e (\u003ctt\u003elib/grpc/server/adapters/cowboy/handler.ex\u003c/tt\u003e) accumulates every received chunk into a single growing binary with no size cap. Additionally, when the client omits the \u003ctt\u003egrpc-timeout\u003c/tt\u003e header, the per-chunk read timeout resolves to \u003ctt\u003e:infinity\u003c/tt\u003e, allowing a slow-trickle client to keep the connection alive indefinitely while memory grows. A single connection is sufficient to exhaust server memory and crash the node.\u003c/p\u003e\u003cp\u003eThis issue affects grpc from 0.3.1 before 1.0.0.\u003c/p\u003e"
}
],
"value": "Allocation of Resources Without Limits or Throttling vulnerability in elixir-grpc grpc allows unauthenticated attackers to exhaust the BEAM\u0027s memory and crash the server by streaming a large or slow-trickle unary request body.\n\n\u0027Elixir.GRPC.Server.Adapters.Cowboy.Handler\u0027:read_full_body/3 (lib/grpc/server/adapters/cowboy/handler.ex) accumulates every received chunk into a single growing binary with no size cap. Additionally, when the client omits the grpc-timeout header, the per-chunk read timeout resolves to :infinity, allowing a slow-trickle client to keep the connection alive indefinitely while memory grows. A single connection is sufficient to exhaust server memory and crash the node.\n\nThis issue affects grpc from 0.3.1 before 1.0.0."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
},
{
"capecId": "CAPEC-231",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-231 Oversized Serialized Data Payloads"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T04:46:27.584Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/elixir-grpc/grpc/security/advisories/GHSA-q8gf-9rvj-gmgj"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-48854.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-48854"
},
{
"tags": [
"patch"
],
"url": "https://github.com/elixir-grpc/grpc/commit/49e18c3ec6bb9afe2f712caad3dbab5c56a68a00"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Unbounded request body accumulation causes memory exhaustion in elixir-grpc/grpc",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-48854",
"datePublished": "2026-06-15T21:55:23.629Z",
"dateReserved": "2026-05-25T20:44:10.697Z",
"dateUpdated": "2026-06-17T04:46:27.584Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49757 (GCVE-0-2026-49757)
Vulnerability from cvelistv5 – Published: 2026-06-15 10:07 – Updated: 2026-06-15 14:14
VLAI
EPSS
VEX
Title
OAuth2/OIDC account takeover in AshAuthentication via email-based user matching
Summary
Authentication Bypass by Spoofing vulnerability in team-alembic AshAuthentication allows account takeover of local users via OAuth2/OIDC sign-in.
AshAuthentication's OAuth2 and OIDC family strategies matched the local user by email address (an upsert on the email field, or a user-defined sign-in filter) rather than by the OpenID Connect iss/sub claim combination. Per OpenID Connect Core §5.7, only iss/sub uniquely and stably identifies an end-user; other claims, including email, MUST NOT be used as unique identifiers.
A provider login presenting a victim's email, including an unverified email, a reused email, or an account with email_verified: false, resolved to and signed in as the victim's existing local account. An unauthenticated attacker who can register an account on any accepted OAuth provider with the victim's email (or who benefits from provider-side email reuse or reclamation) obtains the victim's full local privileges.
The fix resolves users by the (strategy, sub) identity stored in a user identity resource, and only links a new sub to an existing local account by email when the provider's email_verified claim is trusted (trust_email_verified?).
This issue affects ash_authentication from 0.1.0 before 4.14.0 and from 5.0.0-rc.0 before 5.0.0-rc.10.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-290 - Authentication Bypass by Spoofing
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/team-alembic/ash_authenticatio… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-49757.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-49757 | related |
| https://github.com/team-alembic/ash_authenticatio… | patch |
| https://github.com/team-alembic/ash_authenticatio… | patch |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| team-alembic | ash_authentication |
Affected:
0.1.0 , < 4.14.0
(semver)
Affected: 5.0.0-rc.0 , < 5.0.0-rc.10 (semver) cpe:2.3:a:team-alembic:ash_authentication:*:*:*:*:*:*:*:* |
|
| team-alembic | ash_authentication |
Affected:
c5f589058e04239263f50a1430eb17ea6d5dd1a2 , < *
(git)
cpe:2.3:a:team-alembic:ash_authentication:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-49757",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-15T12:35:13.009558Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T12:35:41.459Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:team-alembic:ash_authentication:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.AshAuthentication.Strategy.OAuth2.IdentityChange\u0027",
"\u0027Elixir.AshAuthentication.Strategy.OAuth2.SignInPreparation\u0027"
],
"packageName": "ash_authentication",
"packageURL": "pkg:hex/ash_authentication",
"product": "ash_authentication",
"programFiles": [
"lib/ash_authentication/strategies/oauth2/identity_change.ex",
"lib/ash_authentication/strategies/oauth2/sign_in_preparation.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.AshAuthentication.Strategy.OAuth2.IdentityChange\u0027:change/3"
},
{
"name": "\u0027Elixir.AshAuthentication.Strategy.OAuth2.SignInPreparation\u0027:prepare/3"
}
],
"repo": "https://github.com/team-alembic/ash_authentication",
"vendor": "team-alembic",
"versions": [
{
"lessThan": "4.14.0",
"status": "affected",
"version": "0.1.0",
"versionType": "semver"
},
{
"lessThan": "5.0.0-rc.10",
"status": "affected",
"version": "5.0.0-rc.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:team-alembic:ash_authentication:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.AshAuthentication.Strategy.OAuth2.IdentityChange\u0027",
"\u0027Elixir.AshAuthentication.Strategy.OAuth2.SignInPreparation\u0027"
],
"packageName": "team-alembic/ash_authentication",
"packageURL": "pkg:github/team-alembic/ash_authentication",
"product": "ash_authentication",
"programFiles": [
"lib/ash_authentication/strategies/oauth2/identity_change.ex",
"lib/ash_authentication/strategies/oauth2/sign_in_preparation.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.AshAuthentication.Strategy.OAuth2.IdentityChange\u0027:change/3"
},
{
"name": "\u0027Elixir.AshAuthentication.Strategy.OAuth2.SignInPreparation\u0027:prepare/3"
}
],
"repo": "https://github.com/team-alembic/ash_authentication.git",
"vendor": "team-alembic",
"versions": [
{
"changes": [
{
"at": "728b8d28c1b5f465fa1116ef044a815300fc733d",
"status": "unaffected"
},
{
"at": "64530644f9b37ebb76ca14aeb83a77597a0034b7",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "c5f589058e04239263f50a1430eb17ea6d5dd1a2",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:team-alembic:ash_authentication:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.0",
"versionStartIncluding": "0.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:team-alembic:ash_authentication:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.0.0-rc.10",
"versionStartIncluding": "5.0.0-rc.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jarl Andr\u00e9 H\u00fcbenthal"
},
{
"lang": "en",
"type": "remediation developer",
"value": "James Harton"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Authentication Bypass by Spoofing vulnerability in team-alembic AshAuthentication allows account takeover of local users via OAuth2/OIDC sign-in.\u003cp\u003eAshAuthentication\u0027s OAuth2 and OIDC family strategies matched the local user by email address (an upsert on the email field, or a user-defined sign-in filter) rather than by the OpenID Connect \u003ctt\u003eiss\u003c/tt\u003e/\u003ctt\u003esub\u003c/tt\u003e claim combination. Per OpenID Connect Core \u00a75.7, only \u003ctt\u003eiss\u003c/tt\u003e/\u003ctt\u003esub\u003c/tt\u003e uniquely and stably identifies an end-user; other claims, including \u003ctt\u003eemail\u003c/tt\u003e, MUST NOT be used as unique identifiers.\u003c/p\u003e\u003cp\u003eA provider login presenting a victim\u0027s email, including an unverified email, a reused email, or an account with \u003ctt\u003eemail_verified: false\u003c/tt\u003e, resolved to and signed in as the victim\u0027s existing local account. An unauthenticated attacker who can register an account on any accepted OAuth provider with the victim\u0027s email (or who benefits from provider-side email reuse or reclamation) obtains the victim\u0027s full local privileges.\u003c/p\u003e\u003cp\u003eThe fix resolves users by the \u003ctt\u003e(strategy, sub)\u003c/tt\u003e identity stored in a user identity resource, and only links a new \u003ctt\u003esub\u003c/tt\u003e to an existing local account by email when the provider\u0027s \u003ctt\u003eemail_verified\u003c/tt\u003e claim is trusted (\u003ctt\u003etrust_email_verified?\u003c/tt\u003e).\u003c/p\u003e\u003cp\u003eThis issue affects ash_authentication from 0.1.0 before 4.14.0 and from 5.0.0-rc.0 before 5.0.0-rc.10.\u003c/p\u003e"
}
],
"value": "Authentication Bypass by Spoofing vulnerability in team-alembic AshAuthentication allows account takeover of local users via OAuth2/OIDC sign-in.\n\nAshAuthentication\u0027s OAuth2 and OIDC family strategies matched the local user by email address (an upsert on the email field, or a user-defined sign-in filter) rather than by the OpenID Connect iss/sub claim combination. Per OpenID Connect Core \u00a75.7, only iss/sub uniquely and stably identifies an end-user; other claims, including email, MUST NOT be used as unique identifiers.\n\nA provider login presenting a victim\u0027s email, including an unverified email, a reused email, or an account with email_verified: false, resolved to and signed in as the victim\u0027s existing local account. An unauthenticated attacker who can register an account on any accepted OAuth provider with the victim\u0027s email (or who benefits from provider-side email reuse or reclamation) obtains the victim\u0027s full local privileges.\n\nThe fix resolves users by the (strategy, sub) identity stored in a user identity resource, and only links a new sub to an existing local account by email when the provider\u0027s email_verified claim is trusted (trust_email_verified?).\n\nThis issue affects ash_authentication from 0.1.0 before 4.14.0 and from 5.0.0-rc.0 before 5.0.0-rc.10."
}
],
"impacts": [
{
"capecId": "CAPEC-21",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-21 Exploitation of Trusted Identifiers"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "CWE-290 Authentication Bypass by Spoofing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T14:14:37.882Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/team-alembic/ash_authentication/security/advisories/GHSA-777c-2fxx-qr28"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-49757.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-49757"
},
{
"tags": [
"patch"
],
"url": "https://github.com/team-alembic/ash_authentication/commit/728b8d28c1b5f465fa1116ef044a815300fc733d"
},
{
"tags": [
"patch"
],
"url": "https://github.com/team-alembic/ash_authentication/commit/64530644f9b37ebb76ca14aeb83a77597a0034b7"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "OAuth2/OIDC account takeover in AshAuthentication via email-based user matching",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-49757",
"datePublished": "2026-06-15T10:07:17.781Z",
"dateReserved": "2026-06-01T13:45:22.449Z",
"dateUpdated": "2026-06-15T14:14:37.882Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53423 (GCVE-0-2026-53423)
Vulnerability from cvelistv5 – Published: 2026-06-11 10:44 – Updated: 2026-06-12 04:45
VLAI
EPSS
VEX
Title
Unauthenticated denial-of-service via BEAM atom table exhaustion in membrane_mp4_plugin
Summary
Allocation of Resources Without Limits or Throttling vulnerability in membraneframework membrane_mp4_plugin allows unauthenticated denial-of-service via BEAM atom table exhaustion.
The MP4 box header parser converts each 4-byte box name to an atom using String.to_atom/1 without validation. 'Elixir.Membrane.MP4.Container.Header':parse_box_name/1 in lib/membrane_mp4/container/header.ex interns every box name encountered while 'Elixir.Membrane.MP4.Container.Header':parse/1 walks the input. BEAM atoms are never garbage-collected, so each unique attacker-controlled 4-byte name is a permanent allocation. A crafted MP4 of approximately 8 MB containing roughly 1.1 million boxes with distinct non-standard names exhausts the atom table (default ceiling around 1,048,576 atoms), aborting the entire BEAM node and taking down all applications running on it.
This issue affects membrane_mp4_plugin from 0.3.0 before 0.36.7.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/membraneframework/membrane_mp4… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-53423.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-53423 | related |
| https://github.com/membraneframework/membrane_mp4… | patch |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| membraneframework | membrane_mp4_plugin |
Affected:
0.3.0 , < 0.36.7
(semver)
cpe:2.3:a:membraneframework:membrane_mp4_plugin:*:*:*:*:*:*:*:* |
|
| membraneframework | membrane_mp4_plugin |
Affected:
ae4bf04c393aa1562f3df3d33e20bc5cb8130de2 , < 56373d1ddc86968e55fbde795c14eeba24357b57
(git)
cpe:2.3:a:membraneframework:membrane_mp4_plugin:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-53423",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-11T12:09:51.183359Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T12:11:18.865Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/membraneframework/membrane_mp4_plugin/security/advisories/GHSA-43hj-fxwj-49qw"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:membraneframework:membrane_mp4_plugin:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"Elixir.Membrane.MP4.Container.Header"
],
"packageName": "membrane_mp4_plugin",
"packageURL": "pkg:hex/membrane_mp4_plugin",
"product": "membrane_mp4_plugin",
"programFiles": [
"lib/membrane_mp4/container/header.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Membrane.MP4.Container.Header\u0027:parse/1"
},
{
"name": "\u0027Elixir.Membrane.MP4.Container.Header\u0027:parse_box_name/1"
}
],
"repo": "https://github.com/membraneframework/membrane_mp4_plugin",
"vendor": "membraneframework",
"versions": [
{
"lessThan": "0.36.7",
"status": "affected",
"version": "0.3.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:membraneframework:membrane_mp4_plugin:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"Elixir.Membrane.MP4.Container.Header"
],
"packageName": "membraneframework/membrane_mp4_plugin",
"packageURL": "pkg:github/membraneframework/membrane_mp4_plugin",
"product": "membrane_mp4_plugin",
"programFiles": [
"lib/membrane_mp4/container/header.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Membrane.MP4.Container.Header\u0027:parse/1"
},
{
"name": "\u0027Elixir.Membrane.MP4.Container.Header\u0027:parse_box_name/1"
}
],
"repo": "https://github.com/membraneframework/membrane_mp4_plugin",
"vendor": "membraneframework",
"versions": [
{
"lessThan": "56373d1ddc86968e55fbde795c14eeba24357b57",
"status": "affected",
"version": "ae4bf04c393aa1562f3df3d33e20bc5cb8130de2",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:membraneframework:membrane_mp4_plugin:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.36.7",
"versionStartIncluding": "0.3.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "\u0141ukasz Kita"
},
{
"lang": "en",
"type": "remediation developer",
"value": "\u0141ukasz Kita"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Mateusz Front"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAllocation of Resources Without Limits or Throttling vulnerability in membraneframework membrane_mp4_plugin allows unauthenticated denial-of-service via BEAM atom table exhaustion.\u003c/p\u003e\u003cp\u003eThe MP4 box header parser converts each 4-byte box name to an atom using \u003ctt\u003eString.to_atom/1\u003c/tt\u003e without validation. \u003ctt\u003e\u0027Elixir.Membrane.MP4.Container.Header\u0027:parse_box_name/1\u003c/tt\u003e in \u003ctt\u003elib/membrane_mp4/container/header.ex\u003c/tt\u003e interns every box name encountered while \u003ctt\u003e\u0027Elixir.Membrane.MP4.Container.Header\u0027:parse/1\u003c/tt\u003e walks the input. BEAM atoms are never garbage-collected, so each unique attacker-controlled 4-byte name is a permanent allocation. A crafted MP4 of approximately 8 MB containing roughly 1.1 million boxes with distinct non-standard names exhausts the atom table (default ceiling around 1,048,576 atoms), aborting the entire BEAM node and taking down all applications running on it.\u003c/p\u003e\u003cp\u003eThis issue affects membrane_mp4_plugin from 0.3.0 before 0.36.7.\u003c/p\u003e"
}
],
"value": "Allocation of Resources Without Limits or Throttling vulnerability in membraneframework membrane_mp4_plugin allows unauthenticated denial-of-service via BEAM atom table exhaustion.\n\nThe MP4 box header parser converts each 4-byte box name to an atom using String.to_atom/1 without validation. \u0027Elixir.Membrane.MP4.Container.Header\u0027:parse_box_name/1 in lib/membrane_mp4/container/header.ex interns every box name encountered while \u0027Elixir.Membrane.MP4.Container.Header\u0027:parse/1 walks the input. BEAM atoms are never garbage-collected, so each unique attacker-controlled 4-byte name is a permanent allocation. A crafted MP4 of approximately 8 MB containing roughly 1.1 million boxes with distinct non-standard names exhausts the atom table (default ceiling around 1,048,576 atoms), aborting the entire BEAM node and taking down all applications running on it.\n\nThis issue affects membrane_mp4_plugin from 0.3.0 before 0.36.7."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T04:45:33.275Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/membraneframework/membrane_mp4_plugin/security/advisories/GHSA-43hj-fxwj-49qw"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-53423.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-53423"
},
{
"tags": [
"patch"
],
"url": "https://github.com/membraneframework/membrane_mp4_plugin/commit/56373d1ddc86968e55fbde795c14eeba24357b57"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Unauthenticated denial-of-service via BEAM atom table exhaustion in membrane_mp4_plugin",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-53423",
"datePublished": "2026-06-11T10:44:51.528Z",
"dateReserved": "2026-06-09T11:01:47.529Z",
"dateUpdated": "2026-06-12T04:45:33.275Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48856 (GCVE-0-2026-48856)
Vulnerability from cvelistv5 – Published: 2026-06-10 14:41 – Updated: 2026-06-11 04:45
VLAI
EPSS
VEX
Title
httpc leaks Authorization header to cross-origin redirect targets
Summary
Sensitive Data Exposure vulnerability in Erlang OTP inets (httpc_response module) allows Retrieve Embedded Sensitive Data.
The httpc client forwards the Authorization and Proxy-Authorization request headers to redirect targets without checking whether the redirect crosses an origin boundary. httpc_response:redirect/2 constructs the redirected request by updating only the host field of the header record; all other fields (including authorization and proxy_authorization) are copied verbatim. The redirect target host is never compared against the original host.
autoredirect defaults to true, so this affects all httpc callers that do not explicitly disable automatic redirects.
An attacker who controls a server that the victim contacts via httpc can issue a cross-origin 3xx redirect to a server they also control. The Authorization header (including Basic credentials derived from URL userinfo via httpc_request:handle_user_info/2) is forwarded to the redirect target, allowing credential theft. The same applies to the Proxy-Authorization header.
This vulnerability is associated with program files lib/inets/src/http_client/httpc_response.erl.
This issue affects OTP from 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10 before 9.7.1, 9.6.2.2 and 9.3.2.6.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/erlang/otp/security/advisories… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-48856.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-48856 | related |
| https://www.erlang.org/doc/system/versions.html#o… | x_version-scheme |
| https://github.com/erlang/otp/commit/688d748d6f7a… | patch |
Impacted products
2 products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48856",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T16:23:52.053802Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T16:24:02.066Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"httpc_response"
],
"packageName": "inets",
"packageURL": "pkg:otp/inets?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
"product": "OTP",
"programFiles": [
"src/http_client/httpc_response.erl"
],
"programRoutines": [
{
"name": "httpc_response:redirect/2"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "9.7.1",
"status": "unaffected"
},
{
"at": "9.6.2.2",
"status": "unaffected"
},
{
"at": "9.3.2.6",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "5.10",
"versionType": "otp"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"modules": [
"httpc_response"
],
"packageName": "erlang/otp",
"packageURL": "pkg:github/erlang/otp",
"product": "OTP",
"programFiles": [
"lib/inets/src/http_client/httpc_response.erl"
],
"programRoutines": [
{
"name": "httpc_response:redirect/2"
}
],
"repo": "https://github.com/erlang/otp",
"vendor": "Erlang",
"versions": [
{
"changes": [
{
"at": "29.0.2",
"status": "unaffected"
},
{
"at": "28.5.0.2",
"status": "unaffected"
},
{
"at": "27.3.4.13",
"status": "unaffected"
}
],
"lessThan": "*",
"status": "affected",
"version": "17.0",
"versionType": "otp"
},
{
"lessThan": "688d748d6f7a6a06b13b662a1d3de8af97079612",
"status": "affected",
"version": "84adefa331c4159d432d22840663c38f155cd4c1",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "27.3.4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "28.5.0.2",
"versionStartIncluding": "28.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
"versionEndExcluding": "29.0.2",
"versionStartIncluding": "29.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jonatan M\u00e4nnchen / EEF"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jonatan M\u00e4nnchen / EEF"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Ingela Anderton Andin"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Konrad Pietrzak"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Sensitive Data Exposure vulnerability in Erlang OTP inets (\u003ctt\u003ehttpc_response\u003c/tt\u003e module) allows Retrieve Embedded Sensitive Data.\u003cp\u003eThe \u003ctt\u003ehttpc\u003c/tt\u003e client forwards the \u003ctt\u003eAuthorization\u003c/tt\u003e and \u003ctt\u003eProxy-Authorization\u003c/tt\u003e request headers to redirect targets without checking whether the redirect crosses an origin boundary. \u003ctt\u003ehttpc_response:redirect/2\u003c/tt\u003e constructs the redirected request by updating only the \u003ctt\u003ehost\u003c/tt\u003e field of the header record; all other fields (including \u003ctt\u003eauthorization\u003c/tt\u003e and \u003ctt\u003eproxy_authorization\u003c/tt\u003e) are copied verbatim. The redirect target host is never compared against the original host.\u003c/p\u003e\u003cp\u003e\u003ctt\u003eautoredirect\u003c/tt\u003e defaults to \u003ctt\u003etrue\u003c/tt\u003e, so this affects all \u003ctt\u003ehttpc\u003c/tt\u003e callers that do not explicitly disable automatic redirects.\u003c/p\u003e\u003cp\u003eAn attacker who controls a server that the victim contacts via \u003ctt\u003ehttpc\u003c/tt\u003e can issue a cross-origin 3xx redirect to a server they also control. The \u003ctt\u003eAuthorization\u003c/tt\u003e header (including Basic credentials derived from URL userinfo via \u003ctt\u003ehttpc_request:handle_user_info/2\u003c/tt\u003e) is forwarded to the redirect target, allowing credential theft. The same applies to the \u003ctt\u003eProxy-Authorization\u003c/tt\u003e header.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/inets/src/http_client/httpc_response.erl\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10 before 9.7.1, 9.6.2.2 and 9.3.2.6.\u003c/p\u003e"
}
],
"value": "Sensitive Data Exposure vulnerability in Erlang OTP inets (httpc_response module) allows Retrieve Embedded Sensitive Data.\n\nThe httpc client forwards the Authorization and Proxy-Authorization request headers to redirect targets without checking whether the redirect crosses an origin boundary. httpc_response:redirect/2 constructs the redirected request by updating only the host field of the header record; all other fields (including authorization and proxy_authorization) are copied verbatim. The redirect target host is never compared against the original host.\n\nautoredirect defaults to true, so this affects all httpc callers that do not explicitly disable automatic redirects.\n\nAn attacker who controls a server that the victim contacts via httpc can issue a cross-origin 3xx redirect to a server they also control. The Authorization header (including Basic credentials derived from URL userinfo via httpc_request:handle_user_info/2) is forwarded to the redirect target, allowing credential theft. The same applies to the Proxy-Authorization header.\n\nThis vulnerability is associated with program files lib/inets/src/http_client/httpc_response.erl.\n\nThis issue affects OTP from 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10 before 9.7.1, 9.6.2.2 and 9.3.2.6."
}
],
"impacts": [
{
"capecId": "CAPEC-37",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-37 Retrieve Embedded Sensitive Data"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T04:45:35.836Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-m75x-4vwg-ggjh"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-48856.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-48856"
},
{
"tags": [
"x_version-scheme"
],
"url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
},
{
"tags": [
"patch"
],
"url": "https://github.com/erlang/otp/commit/688d748d6f7a6a06b13b662a1d3de8af97079612"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "httpc leaks Authorization header to cross-origin redirect targets",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cul\u003e\u003cli\u003eSet \u003ctt\u003e{autoredirect, false}\u003c/tt\u003e in the \u003ctt\u003ehttpc:request/4\u003c/tt\u003e options and handle redirects manually, stripping the \u003ctt\u003eAuthorization\u003c/tt\u003e header when the redirect crosses an origin boundary.\u003c/li\u003e\u003cli\u003eEnsure that \u003ctt\u003ehttpc\u003c/tt\u003e is only used to contact trusted servers that will not issue cross-origin redirects.\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "* Set {autoredirect, false} in the httpc:request/4 options and handle redirects manually, stripping the Authorization header when the redirect crosses an origin boundary.\n* Ensure that httpc is only used to contact trusted servers that will not issue cross-origin redirects."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-48856",
"datePublished": "2026-06-10T14:41:51.616Z",
"dateReserved": "2026-05-25T20:44:10.697Z",
"dateUpdated": "2026-06-11T04:45:35.836Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}