
Phoenix Framework CVE-2026-32689

EUVD-2026-27339 | HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-05-05 | EEF | GHSA-628h-q48j-jr6q
8.7 (CVSS 4.0)

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline

Source Code Evidence Fetched: May 05, 2026 - 16:31 (vuln.today)
Analysis Generated: May 05, 2026 - 16:31 (vuln.today)
CVSS changed: May 05, 2026 - 16:22 (NVD), 8.7 (HIGH)

Description (NVD)

Allocation of Resources Without Limits or Throttling vulnerability in phoenixframework phoenix allows a denial of service via the long-poll transport's NDJSON body handling.

In 'Elixir.Phoenix.Transports.LongPoll':publish/4, when a POST request is received with Content-Type: application/x-ndjson, the request body is split on newline characters using String.split/2 with no limit on the number of resulting segments. An attacker can send a body consisting entirely of newline bytes, causing a 1:1 amplification into a list of empty binaries - a 1 MB body produces approximately one million list elements, an 8 MB body approximately 8.4 million. Each element is then walked by Enum.map, materializing another list of the same size. This exhausts BEAM memory and schedulers, crashing the node and terminating all active sessions.

A session token required to reach the vulnerable endpoint is freely obtainable by any client via an unauthenticated GET request to the same URL with a matching Origin header, making this attack effectively unauthenticated.

This issue affects phoenix from 1.7.0 before 1.7.22 and from 1.8.0 before 1.8.6.
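The following is an added illustration, not code from Phoenix and not the fix shipped in 1.7.22 / 1.8.6. A hypothetical module, NdjsonBodyLimits, places the unbounded String.split/2 pattern from the description next to a variant that enforces a byte budget and a newline budget before any list is allocated, which is the mitigation direction CWE-770 points at. The limits (64 KiB, 256 newlines) and the two sample bodies are constructed for the demonstration.

```elixir
defmodule NdjsonBodyLimits do
  @moduledoc """
  Illustration only (hypothetical module, not part of Phoenix): contrasts an
  unbounded newline split of an NDJSON body with a variant that enforces a
  byte budget and a newline budget before allocating the segment list.
  """

  # Constructed limits for the demonstration; tune to the real traffic profile.
  @max_body_bytes 64 * 1024
  @max_lines 256

  @doc """
  Unbounded split, the shape the advisory describes. A body made only of
  newline bytes yields one empty binary per byte, and Enum.map then
  materializes a second list of the same length.
  """
  def split_unbounded(body) when is_binary(body) do
    body
    |> String.split("\n")
    |> Enum.map(&String.trim/1)
  end

  @doc """
  Bounded split. Checks the byte size, then counts newlines in a single pass
  that stops as soon as the cap is exceeded, and only then allocates the list.
  Returns {:ok, lines} or {:error, reason}.
  """
  def split_bounded(body) when is_binary(body) do
    with :ok <- check_size(body),
         :ok <- check_line_count(body) do
      lines =
        body
        # parts: caps the list length even if the pre-scan were ever bypassed.
        |> String.split("\n", parts: @max_lines + 1)
        |> Enum.reject(&(&1 == ""))

      {:ok, lines}
    end
  end

  defp check_size(body) when byte_size(body) > @max_body_bytes, do: {:error, :body_too_large}
  defp check_size(_body), do: :ok

  defp check_line_count(body) do
    case count_newlines(body, 0) do
      :over -> {:error, :too_many_lines}
      _count -> :ok
    end
  end

  # Tail-recursive scan over the binary: constant memory, early exit once the
  # newline count passes the cap, so a newline-only body is rejected without
  # ever being split into a list.
  defp count_newlines(_rest, n) when n > @max_lines, do: :over
  defp count_newlines(<<>>, n), do: n
  defp count_newlines(<<?\n, rest::binary>>, n), do: count_newlines(rest, n + 1)
  defp count_newlines(<<_byte, rest::binary>>, n), do: count_newlines(rest, n)

  @doc "Runs both variants on constructed sample bodies and returns the outcomes."
  def demo do
    # Constructed legitimate two-message NDJSON body.
    legit = ~s({"topic":"room:1","event":"msg"}\n{"topic":"room:1","event":"ack"}\n)
    # Constructed body of the hostile shape named in the advisory: only newline bytes.
    flood = String.duplicate("\n", 10_000)

    %{
      legit_unbounded: length(split_unbounded(legit)),
      legit_bounded: split_bounded(legit),
      flood_unbounded: length(split_unbounded(flood)),
      flood_bounded: split_bounded(flood)
    }
  end
end
```

Running NdjsonBodyLimits.demo/0 shows the asymmetry the description relies on: the unbounded path turns the newline flood into a list whose length tracks the body size byte for byte, while the bounded path returns {:error, :too_many_lines} after a single constant-memory pass and never builds that list. The byte-size check runs first because it is the cheapest rejection, and the parts: option on the final split is defense in depth rather than the primary control.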

Analysis (AI)

Unauthenticated remote denial-of-service in Phoenix Framework 1.7.0-1.7.21 and 1.8.0-1.8.5 allows attackers to crash Elixir BEAM nodes by sending multi-megabyte HTTP requests filled with newlines to the long-poll transport endpoint. A 1 MB payload of newline characters triggers allocation of approximately one million empty list elements, exhausting scheduler and memory resources. …


Remediation (AI)

Within 24 hours: Identify all Elixir/Phoenix applications in production and development using versions 1.7.0-1.7.21 or 1.8.0-1.8.5. Within 7 days: Upgrade Phoenix Framework to version 1.7.22 or 1.8.6 (vendor-released patches). …


Vendor Status (Vendor)

CVE-2026-32689 vulnerability details – vuln.today
