Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Allocation of Resources Without Limits or Throttling vulnerability in phoenixframework phoenix allows a denial of service via the long-poll transport's NDJSON body handling.
In 'Elixir.Phoenix.Transports.LongPoll':publish/4, when a POST request is received with Content-Type: application/x-ndjson, the request body is split on newline characters using String.split/2 with no limit on the number of resulting segments. An attacker can send a body consisting entirely of newline bytes, causing a 1:1 amplification into a list of empty binaries - a 1 MB body produces approximately one million list elements, an 8 MB body approximately 8.4 million. Each element is then walked by Enum.map, materializing another list of the same size. This exhausts BEAM memory and schedulers, crashing the node and terminating all active sessions.
A session token required to reach the vulnerable endpoint is freely obtainable by any client via an unauthenticated GET request to the same URL with a matching Origin header, making this attack effectively unauthenticated.
This issue affects phoenix: from 1.7.0 before 1.7.22 and 1.8.6.
AnalysisAI
Unauthenticated remote denial-of-service in Phoenix Framework 1.7.0-1.7.21 and 1.8.0-1.8.5 allows attackers to crash Elixir BEAM nodes by sending multi-megabyte HTTP requests filled with newlines to the long-poll transport endpoint. A 1 MB payload of newline characters triggers allocation of approximately one million empty list elements, exhausting scheduler and memory resources. Session token required to trigger the vulnerability is obtainable via unauthenticated GET request, making exploitation trivial. Vendor-released patches (1.7.22, 1.8.6) enforce client-side batching limits. CVSS 8.7 (high availability impact) confirmed; no public exploit or CISA KEV listing identified at time of analysis.
Technical ContextAI
Phoenix is an Elixir web framework built on the Erlang BEAM VM. The vulnerable code path is in Phoenix.Transports.LongPoll, which implements a fallback transport for WebSocket connections. When handling POST requests with Content-Type: application/x-ndjson, the publish/4 function calls String.split/2 without a limit argument to parse message batches. Elixir's String.split/2 materializes the entire result into a list in memory before returning. An attacker sending a body composed entirely of newline bytes (e.g., 0x0A repeated eight million times in an 8 MB request) causes 1:1 memory amplification: each newline produces one empty binary in the resulting list. Enum.map then walks every element, materializing a second list of equal size. The cumulative allocation exhausts BEAM's heap and scheduler queues, triggering an out-of-memory crash that terminates all active sessions on the node. This is a classic resource exhaustion attack (CWE-770: Allocation of Resources Without Limits or Throttling). The fix introduced MAX_LONGPOLL_BATCH_SIZE=100 on the client side and replaced String.split/2 with String.splitter/2 on the server, which returns a lazy stream instead of eagerly building a list. The server-side TODO comment in the patch indicates the 100-message cap is currently client-enforced only; future versions will validate batch size on the server.
RemediationAI
Upgrade Phoenix to version 1.7.22 or 1.8.6 immediately. Patches are available from the official GitHub repository at commits 1a67c61ff9ce0a7711662ac7354861917a7c80f7 (v1.7.22) and 912ea181fd247c21dbcc49fb97d0053b947d81bf (v1.8.6). Update mix.exs dependency and run 'mix deps.update phoenix'. If immediate upgrade is not feasible, implement reverse proxy rate limiting on the /socket/longpoll endpoint: limit request body size to 1 MB and enforce rate limits of 10 requests per minute per source IP (adjust based on legitimate client behavior). Be aware that rate limiting reduces attack impact but does not eliminate the vulnerability, as even a 1 MB payload can trigger memory exhaustion on under-resourced nodes. Another compensating control is disabling long-poll transport entirely if WebSocket is supported by all clients: remove or comment out the LongPoll transport configuration in endpoint.ex socket declarations. This breaks compatibility with clients in restrictive network environments (corporate proxies blocking WebSocket) but eliminates the attack vector. Monitor BEAM memory and scheduler utilization via :observer or external APM tools; set alerts for sustained >80% memory usage as an early warning signal. The patch enforces client-side batching (100 messages per POST) and replaces eager String.split/2 with lazy String.splitter/2, but server-side validation remains a TODO per commit comments, so layered defenses are prudent. Full advisory and patch details at https://github.com/phoenixframework/phoenix/security/advisories/GHSA-628h-q48j-jr6q.
Same technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| SUSE Linux Enterprise Module for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Fixed |
| SUSE Linux Enterprise Module for SAP Applications 15 SP3 | Fixed |
| SUSE Linux Enterprise Module for SAP Applications 15 SP4 | Fixed |
| SUSE Linux Enterprise Module for SAP Applications 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for SAP Applications 15 SP6 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP3 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27339
GHSA-628h-q48j-jr6q