Skip to main content

Elixir Plug CVE-2026-8468

| EUVDEUVD-2026-30266 HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-05-14 EEF GHSA-468c-vq7p-gh64
8.2
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Source Code Evidence Fetched
May 14, 2026 - 13:16 vuln.today
Analysis Generated
May 14, 2026 - 13:16 vuln.today
CVSS changed
May 14, 2026 - 11:22 NVD
8.2 (HIGH)
CVE Published
May 14, 2026 - 10:29 nvd
UNKNOWN (no severity yet)
CVE Published
May 14, 2026 - 10:29 nvd
HIGH 8.2

DescriptionCVE.org

Allocation of Resources Without Limits or Throttling vulnerability in plug_project plug allows denial of service via unbounded buffer accumulation in multipart header parsing.

plug_multipart in src/plug_multipart.erl is a fork of the cow_multipart module from ninenines cowboy (CVE-2026-8466). The same unbounded accumulation pattern is present in 'Elixir.Plug.Conn':read_part_headers/2 in lib/plug/conn.ex: it accumulates incoming request bytes into a growing binary with no upper-bound check. When plug_multipart:parse_headers/2 returns more or {more, Buffer}, the function reads up to 64 KB from the underlying socket and recurses with the enlarged buffer. There is no equivalent of the byte_size(acc) > length guard present in the sibling function read_part_body/8. An unauthenticated attacker can send a multipart/form-data request whose body never yields a complete header section - for example, a body that never contains the advertised boundary delimiter, or one whose header lines never contain \r\n\r\n - and force the server process to accumulate memory linearly with the bytes the protocol layer is willing to deliver. A handful of concurrent such uploads is sufficient to exhaust BEAM memory.

This issue affects plug from 1.4.0 before 1.15.4, 1.16.3, 1.17.1, 1.18.2, and 1.19.2.

AnalysisAI

Memory exhaustion in Elixir Plug 1.4.0 through 1.19.1 allows remote unauthenticated attackers to crash BEAM VM processes via unbounded buffer accumulation during multipart/form-data header parsing. The vulnerability mirrors CVE-2026-8466 in Cowboy: read_part_headers/2 recursively accumulates incoming bytes without size limits when parsing malformed multipart requests that never deliver complete header sections. Vendor-released patches available for all affected branches. No public exploit identified at time of analysis, but exploitation requires only basic HTTP client tools.

Technical ContextAI

Elixir Plug is a composable web middleware library for the BEAM VM ecosystem, providing HTTP connection primitives used by Phoenix Framework and other Elixir web applications. The vulnerability exists in src/plug_multipart.erl and lib/plug/conn.ex, specifically in the read_part_headers/2 function that parses multipart/form-data request bodies. This code was forked from the cow_multipart module in the Cowboy HTTP server (which has the identical flaw tracked as CVE-2026-8466). The root cause is CWE-770 (Allocation of Resources Without Limits or Throttling): when parse_headers/2 returns 'more' or {more, Buffer}, the function reads up to 64KB chunks from the socket and recursively accumulates them into a growing binary with no upper-bound check. Unlike the sibling function read_part_body/8, there is no byte_size(acc) > length guard. The BEAM VM's memory management cannot reclaim this accumulated buffer until the request completes, making it trivial to exhaust process memory. The vulnerability affects CPE cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:* across six release branches spanning from the 1.4.0 introduction of multipart parsing through 1.19.1.

RemediationAI

Upgrade to patched Plug versions: 1.15.4, 1.16.3, 1.17.1, 1.18.2, or 1.19.2 per vendor advisory at https://github.com/elixir-plug/plug/security/advisories/GHSA-468c-vq7p-gh64. Patches introduce size limits via the existing :length option (defaults to 64KB) that now applies to accumulated header buffers, causing read_part_headers/2 to return {:error, :too_large, conn} when exceeded. Verify patches in commits 2cb7958d, aa69c5ec, d5dfffe2, df812a15, and 33858427 at https://github.com/elixir-plug/plug/. For applications unable to upgrade immediately, implement compensating controls: (1) Deploy reverse proxy rate limiting on multipart upload endpoints (trade-off: may block legitimate large uploads; tune limits to application requirements). (2) Set aggressive timeouts on request body reads via Plug.Conn read_timeout option, typically 5-30 seconds for file uploads (trade-off: terminates slow but legitimate uploads on poor connections). (3) If upload functionality is non-essential, disable Plug.Parsers.MULTIPART parser in plug pipeline and accept only JSON/urlencoded (trade-off: eliminates file upload capability). These workarounds reduce but do not eliminate risk - prioritize vendor patching.

Share

CVE-2026-8468 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy