Skip to main content

elixir-mint CVE-2026-56810

| EUVDEUVD-2026-41862 HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-07-06 EEF
8.7
CVSS 4.0 · Vendor: EEF
Share

Severity by source

Vendor (EEF) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Network-reachable via any outbound request to a malicious server, no auth or interaction, low complexity; impact is availability-only memory exhaustion, so C:N/I:N/A:H with unchanged scope.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (EEF).

CVSS VectorVendor: EEF

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 06, 2026 - 10:55 vuln.today

DescriptionCVE.org

Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint mint (Mint.HTTP1 module) allows a denial of service via an oversized chunked transfer-encoded response.

This vulnerability is associated with program files lib/mint/http1.ex and program routines 'Elixir.Mint.HTTP1':decode_body/5, 'Elixir.Mint.HTTP1':add_body_to_buffer/2.

When Mint decodes a chunked HTTP response body, it accumulates each partial fragment of the current chunk in the connection's data_buffer (an unbounded iolist) via add_body_to_buffer/2 and does not emit the data to the caller until the full declared chunk length has been received. The chunk size is taken directly from the server and parsed with no upper bound, so a malicious or compromised server can announce one enormous chunk (for example a size line of 7FFFFFFF, about 2 GiB) and then send the body bytes slowly without ever completing the chunk. The client buffers every received byte while it waits for a completion that never arrives, and because no data responses are produced until the chunk finishes, a caller that otherwise streams large content-length bodies safely gains no protection. An unauthenticated remote server (reachable whenever a client follows redirects, fetches user-supplied URLs, or processes webhooks) can drive the client's memory arbitrarily high and trigger an out-of-memory condition.

This issue affects mint: from 0.5.0 before 1.9.1.

AnalysisAI

Uncontrolled memory allocation in the Elixir Mint HTTP client (Mint.HTTP1 module, versions 0.5.0 through 1.9.0) lets a malicious or compromised HTTP server exhaust a client's memory and force an out-of-memory crash. When decoding a chunked response, Mint buffers every byte of the current chunk in an unbounded iolist and withholds it from the caller until the full declared chunk length arrives, so a server that advertises a huge chunk size (e.g. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Victim client requests attacker-controlled URL
Delivery
Server returns chunked response
Exploit
Advertise ~2 GiB chunk size
Execution
Trickle body bytes, never complete chunk
Persist
Mint buffers all bytes in data_buffer
Impact
Client memory exhausted, OOM crash

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim application to initiate an outbound HTTP/1.1 request to a server the attacker controls or can influence, and that server must return a chunked (Transfer-Encoding: chunked) response with an inflated chunk-size line while sending body bytes slowly and never completing the chunk. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base of 8.7 (AV:N/AC:L/AT:N/PR:N/UI:N, VA:H, all other impacts N) accurately frames this as a high-severity, availability-only issue: network-reachable, low complexity, no authentication, no user interaction, but no confidentiality or integrity consequence. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An application uses Mint (directly or via Finch/Req) to fetch a user-submitted URL for link-preview generation. The attacker hosts a server that responds with Transfer-Encoding: chunked and a chunk-size line of 7FFFFFFF, then trickles body bytes without ever completing the chunk; Mint buffers every byte in data_buffer until the BEAM VM exhausts memory and the node is OOM-killed. …
Remediation Upgrade to Mint 1.9.1 or later, which is the vendor-released patched version (fix commit 193ce714907d16e8adc4ab3c40e4f0c2f045b2a6); update your mix.exs dependency and rebuild, and bump any transitive pins so libraries like Finch, Req, or Tesla resolve to the fixed Mint. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all applications running Elixir Mint, identifying those on affected versions 0.5.0-1.9.0. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-56810 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy