Skip to main content

plug_cowboy EUVDEUVD-2026-25845

| CVE-2026-32688 HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-04-27 6b3ad84c-e1a6-4bf7-a703-f496b71e49db GHSA-q8x4-x7mp-5vg2
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Re-analysis Queued
Apr 27, 2026 - 19:07 vuln.today
cvss_changed
Patch released
Apr 27, 2026 - 18:57 nvd
Patch available
Patch available
Apr 27, 2026 - 15:01 EUVD
Analysis Generated
Apr 27, 2026 - 14:33 vuln.today
EUVD ID Assigned
Apr 27, 2026 - 14:22 euvd
EUVD-2026-25845
Analysis Generated
Apr 27, 2026 - 14:22 vuln.today
CVE Published
Apr 27, 2026 - 14:16 nvd
HIGH 8.7

DescriptionCVE.org

Allocation of Resources Without Limits or Throttling vulnerability in elixir-plug plug_cowboy allows unauthenticated remote denial of service via atom table exhaustion.

Plug.Cowboy.Conn.conn/1 in lib/plug/cowboy/conn.ex calls String.to_atom/1 on the value returned by :cowboy_req.scheme/1. For HTTP/2 connections, cowlib passes the client-supplied :scheme pseudo-header value through verbatim without validation. Each unique value permanently allocates a new entry in the BEAM atom table. Since atoms are never garbage-collected and the atom table has a fixed limit (default 1,048,576), an unauthenticated attacker can exhaust the table by sending HTTP/2 requests with unique :scheme values, causing the Erlang VM to abort with system_limit and taking down the entire node.

This vulnerability does not affect HTTP/1.1, where cowboy derives the scheme from the listener type rather than from a client-supplied header.

This issue affects plug_cowboy: from 2.0.0 before 2.8.1.

AnalysisAI

Atom table exhaustion in plug_cowboy 2.0.0-2.8.0 allows remote denial of service via HTTP/2. Unauthenticated attackers can crash the Erlang VM by sending HTTP/2 requests with unique :scheme pseudo-header values, permanently filling the non-garbage-collected atom table until the system_limit is reached. Affects only HTTP/2 connections; HTTP/1.1 is not vulnerable. CVSS 8.7 (High) with network attack vector, low complexity, and no required privileges. No active exploitation confirmed (not in CISA KEV), but exploit is trivial given the publicly documented attack mechanism in the GitHub advisory.

Technical ContextAI

The vulnerability exists in Plug.Cowboy.Conn.conn/1 (lib/plug/cowboy/conn.ex) within the plug_cowboy library, an Elixir adapter for the Cowboy HTTP server. The function calls String.to_atom/1 on the value returned by :cowboy_req.scheme/1. In HTTP/2, the underlying cowlib library passes the client-supplied :scheme pseudo-header directly without validation. Erlang/BEAM atoms are permanent identifiers stored in a fixed-size table (default 1,048,576 entries) and are never garbage-collected. This CWE-770 (Allocation of Resources Without Limits or Throttling) flaw allows attackers to exhaust this resource by creating unique atoms from each malicious request. HTTP/1.1 connections are unaffected because cowboy derives the scheme from the listener configuration rather than client input. The fix (commit bfb34cb) likely validates or sanitizes scheme values before atom conversion.

RemediationAI

Upgrade to plug_cowboy version 2.8.1 or later, which contains the fix from commit bfb34cb45eb354e56437f7023fb306de1bf9c19b (available at https://github.com/elixir-plug/plug_cowboy/commit/bfb34cb45eb354e56437f7023fb306de1bf9c19b). If immediate upgrade is not feasible, disable HTTP/2 support in Cowboy listener configuration as a temporary workaround - configure listeners to accept only HTTP/1.1 connections. This mitigation prevents the attack vector but sacrifices HTTP/2 performance benefits and may break clients requiring HTTP/2. Another option is to deploy a reverse proxy (nginx, HAProxy, Envoy) that terminates HTTP/2 and forwards only HTTP/1.1 to the backend plug_cowboy application, though this adds infrastructure complexity and latency. All workarounds should be considered temporary; upgrading to 2.8.1+ is the definitive fix. Review application dependency chains to ensure transitive dependencies also use the patched version.

Share

EUVD-2026-25845 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy