Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint Mint allows attacker-controlled HTTP/2 servers to exhaust memory in a Mint client (HTTP/2 CONTINUATION flood).
When Mint's HTTP/2 receive path observes a HEADERS frame without the END_HEADERS flag, the unparsed header-block fragment is parked in conn.headers_being_processed, and every subsequent CONTINUATION frame on that stream is appended to the accumulator. Nothing in the receive path caps the accumulator: there is no per-stream size limit, no CONTINUATION frame-count limit, and max_header_list_size is only enforced on outgoing requests, never on inbound header blocks (its default is :infinity).
A malicious or compromised HTTP/2 server can stream an endless sequence of CONTINUATION frames (each up to the peer-advertised SETTINGS_MAX_FRAME_SIZE) and drive the client's iolist to arbitrary size, causing memory exhaustion and BEAM process death. A single connection to an attacker-controlled HTTP/2 endpoint is sufficient.
This issue affects mint: from 0.1.0 before 1.9.0.
AnalysisAI
Memory exhaustion in the Elixir Mint HTTP/2 client (versions 0.1.0 through 1.8.x) allows a malicious or compromised HTTP/2 server to crash the client's BEAM process via a CONTINUATION frame flood. The client's receive path buffers HEADERS and CONTINUATION fragments into an unbounded accumulator because SETTINGS_MAX_HEADER_LIST_SIZE defaulted to :infinity and was only enforced on outbound requests, so a single attacker-controlled endpoint can force unlimited iolist growth until the process dies. No public exploit identified at time of analysis, but a verified upstream patch and detailed advisory exist.
Technical ContextAI
Mint is a low-level, process-less HTTP/1 and HTTP/2 client library widely used as the transport foundation for Elixir HTTP stacks such as Finch, Tesla, Req, and Swoosh, meaning the bug surface extends to any Elixir/Erlang service that initiates outbound HTTP/2 calls. The root cause is CWE-770 (Allocation of Resources Without Limits or Throttling): when an HTTP/2 HEADERS frame arrives without END_HEADERS set, Mint stores the header-block fragment in conn.headers_being_processed and appends each subsequent CONTINUATION frame, with no per-stream byte cap, no frame-count cap, and no enforcement of the locally configured max_header_list_size on inbound data. The commit diff (b662d127) introduces a 256 KB default cap, tracks an acc_size alongside the fragment list, and aborts the connection with a PROTOCOL_ERROR GOAWAY once the accumulator would exceed SETTINGS_MAX_HEADER_LIST_SIZE, mirroring the CONTINUATION flood class disclosed for many HTTP/2 stacks in 2024.
RemediationAI
Vendor-released patch: upgrade Mint to 1.9.0 or later, which lands commit b662d127d3028b5426c88d4c9cc7fe430491a10b and changes the client default of max_header_list_size from :infinity to 256 KB while enforcing it on inbound HEADERS+CONTINUATION accumulation (closing the connection with PROTOCOL_ERROR if exceeded); update both direct and transitive dependents (Finch, Req, Tesla, Swoosh) by running mix deps.update mint and refreshing mix.lock. On pre-1.9.0 releases there is no in-library workaround because the enforcement code itself does not yet exist, so the compensating controls are operational: restrict outbound HTTP/2 destinations to a trusted allowlist via egress proxy or NetworkPolicy, disable HTTP/2 for client paths that target untrusted URLs by forcing HTTP/1.1 negotiation (trade-off: loss of multiplexing and head-of-line-blocking benefits), and run Mint-using workers with constrained memory limits (cgroup/systemd MemoryMax) plus supervisor restart so a single CONTINUATION-flood victim crashes and recycles rather than OOM-killing the node. Advisory and patch references: https://github.com/elixir-mint/mint/security/advisories/GHSA-2p26-p43x-fhp8 and https://github.com/elixir-mint/mint/commit/b662d127d3028b5426c88d4c9cc7fe430491a10b.
Uncontrolled memory allocation in the Elixir Mint HTTP client (Mint.HTTP1 module, versions 0.5.0 through 1.9.0) lets a m
Unbounded memory consumption in the Elixir Mint HTTP client (versions 0.1.0 through 1.9.1) lets a malicious or attacker-
Memory exhaustion in elixir-mint Mint HTTP/2 client (versions 0.2.0 through 1.8.x) allows a malicious HTTP/2 server to c
Memory exhaustion in elixir-mint's HTTP/2 client library (mint) allows a malicious or attacker-controlled HTTP/2 server
Response-queue poisoning in the elixir-mint Mint HTTP/1.1 client library (versions 0.1.0 through before 1.9.3) allows a
HTTP response smuggling in the Elixir Mint HTTP client library (versions 0.1.0 through before 1.9.0) allows attacker-con
CRLF injection in the elixir-mint Mint HTTP/1.1 client library (versions 0.1.0 through 1.8.x) enables HTTP Request Split
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33940
GHSA-2p26-p43x-fhp8