Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable via any outbound request to a malicious server, no auth or interaction, low complexity; impact is availability-only memory exhaustion, so C:N/I:N/A:H with unchanged scope.
Primary rating from Vendor (EEF).
CVSS VectorVendor: EEF
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint mint (Mint.HTTP1 module) allows a denial of service via an oversized chunked transfer-encoded response.
This vulnerability is associated with program files lib/mint/http1.ex and program routines 'Elixir.Mint.HTTP1':decode_body/5, 'Elixir.Mint.HTTP1':add_body_to_buffer/2.
When Mint decodes a chunked HTTP response body, it accumulates each partial fragment of the current chunk in the connection's data_buffer (an unbounded iolist) via add_body_to_buffer/2 and does not emit the data to the caller until the full declared chunk length has been received. The chunk size is taken directly from the server and parsed with no upper bound, so a malicious or compromised server can announce one enormous chunk (for example a size line of 7FFFFFFF, about 2 GiB) and then send the body bytes slowly without ever completing the chunk. The client buffers every received byte while it waits for a completion that never arrives, and because no data responses are produced until the chunk finishes, a caller that otherwise streams large content-length bodies safely gains no protection. An unauthenticated remote server (reachable whenever a client follows redirects, fetches user-supplied URLs, or processes webhooks) can drive the client's memory arbitrarily high and trigger an out-of-memory condition.
This issue affects mint: from 0.5.0 before 1.9.1.
AnalysisAI
Uncontrolled memory allocation in the Elixir Mint HTTP client (Mint.HTTP1 module, versions 0.5.0 through 1.9.0) lets a malicious or compromised HTTP server exhaust a client's memory and force an out-of-memory crash. When decoding a chunked response, Mint buffers every byte of the current chunk in an unbounded iolist and withholds it from the caller until the full declared chunk length arrives, so a server that advertises a huge chunk size (e.g. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the victim application to initiate an outbound HTTP/1.1 request to a server the attacker controls or can influence, and that server must return a chunked (Transfer-Encoding: chunked) response with an inflated chunk-size line while sending body bytes slowly and never completing the chunk. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base of 8.7 (AV:N/AC:L/AT:N/PR:N/UI:N, VA:H, all other impacts N) accurately frames this as a high-severity, availability-only issue: network-reachable, low complexity, no authentication, no user interaction, but no confidentiality or integrity consequence. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An application uses Mint (directly or via Finch/Req) to fetch a user-submitted URL for link-preview generation. The attacker hosts a server that responds with Transfer-Encoding: chunked and a chunk-size line of 7FFFFFFF, then trickles body bytes without ever completing the chunk; Mint buffers every byte in data_buffer until the BEAM VM exhausts memory and the node is OOM-killed. … |
| Remediation | Upgrade to Mint 1.9.1 or later, which is the vendor-released patched version (fix commit 193ce714907d16e8adc4ab3c40e4f0c2f045b2a6); update your mix.exs dependency and rebuild, and bump any transitive pins so libraries like Finch, Req, or Tesla resolve to the fixed Mint. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all applications running Elixir Mint, identifying those on affected versions 0.5.0-1.9.0. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Unbounded memory consumption in the Elixir Mint HTTP client (versions 0.1.0 through 1.9.1) lets a malicious or attacker-
Memory exhaustion in the Elixir Mint HTTP/2 client (versions 0.1.0 through 1.8.x) allows a malicious or compromised HTTP
Memory exhaustion in elixir-mint Mint HTTP/2 client (versions 0.2.0 through 1.8.x) allows a malicious HTTP/2 server to c
Memory exhaustion in elixir-mint's HTTP/2 client library (mint) allows a malicious or attacker-controlled HTTP/2 server
HTTP response smuggling in the Elixir Mint HTTP client library (versions 0.1.0 through before 1.9.0) allows attacker-con
CRLF injection in the elixir-mint Mint HTTP/1.1 client library (versions 0.1.0 through 1.8.x) enables HTTP Request Split
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41862