Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion.
The fragment reassembly path in 'Elixir.Bandit.WebSocket.Connection':handle_frame/3 in lib/bandit/websocket/connection.ex appends every incoming Continuation{fin: false} frame's payload to a per-connection iolist with no cumulative size cap. The existing max_frame_size option only bounds individual frames; a peer that streams an unbounded number of continuation frames without ever setting fin=1 grows BEAM heap linearly until the OS or a supervisor kills the process.
Because the accumulation happens before WebSock.handle_in/2 is called, the application has no opportunity to interpose a size check. Phoenix Channels and LiveView both run over WebSock on Bandit, so a stock Phoenix application exposes this surface as soon as it accepts socket connections.
This issue affects bandit: from 0.5.0 before 1.11.0.
AnalysisAI
Memory exhaustion in Bandit WebSocket server (versions 0.5.0 through 1.10.x) allows unauthenticated remote attackers to trigger denial of service by sending unbounded WebSocket continuation frames without setting the fin flag. The fragment reassembly logic accumulates payloads without checking cumulative message size, bypassing the max_frame_size limit which only applies to individual frames. Applications using Phoenix Channels or LiveView over Bandit expose this attack surface on any WebSocket endpoint. Patch available in version 1.11.0 introduces max_fragmented_message_size parameter (default 8MB). No public exploit code identified at time of analysis, but trivial to reproduce with standard WebSocket libraries.
Technical ContextAI
Bandit is an Elixir HTTP/WebSocket server library built on the BEAM virtual machine, commonly used as the underlying web server for Phoenix Framework applications. The vulnerability exists in lib/bandit/websocket/connection.ex where the handle_frame/3 function processes WebSocket fragmentation per RFC 6455. WebSocket messages can be split across multiple frames using Continuation frames (opcode 0x0), with fin=0 indicating more fragments follow and fin=1 marking the final fragment. The flawed code appends each continuation frame's payload to an iolist (connection.fragment_frame.data) without tracking total accumulated size. The existing max_frame_size option (CWE-770: Allocation of Resources Without Limits or Throttling) only validates individual frame payloads, not the reassembled message. Because accumulation precedes the WebSock.handle_in/2 callback, application-layer size checks cannot prevent the attack. BEAM processes grow heap memory linearly with iolist size until OS or supervisor kills the process. The CPE cpe:2.3:a:mtrudel:bandit identifies all versions from 0.5.0 (when WebSocket support was introduced) up to but not including 1.11.0.
RemediationAI
Upgrade to Bandit version 1.11.0 or later, which introduces the max_fragmented_message_size configuration option with a safe default of 8MB (commit 21612c7c7b1ce43eccd36d3af3a2299d23513667 available at https://github.com/mtrudel/bandit/commit/21612c7c7b1ce43eccd36d3af3a2299d23513667). Update dependencies in mix.exs with {:bandit, "~> 1.11"} and run mix deps.update bandit. The patch modifies lib/bandit/websocket/connection.ex to track cumulative fragment size via IO.iodata_length(data) and rejects messages exceeding the threshold with WebSocket close code 1009 (message too big). Organizations can tune the limit via websocket_options: [max_fragmented_message_size: bytes] in endpoint configuration; set to 0 to disable (not recommended for internet-facing services). If immediate upgrade is not feasible, implement compensating controls: (1) Deploy a reverse proxy (nginx, HAProxy) with websocket_max_message_size directive to enforce message limits before traffic reaches Bandit; note this requires proxy WebSocket protocol awareness and may add latency. (2) Use network-level rate limiting to restrict WebSocket frame rate per client IP, limiting attack velocity; this reduces but does not eliminate risk as a single slow connection can still accumulate unbounded data. (3) For Phoenix applications, temporarily disable WebSocket transport in endpoint.ex with websocket: false if real-time features are non-critical; this breaks LiveView and Channels functionality. All workarounds have operational trade-offs compared to patching.
Same technique Denial Of Service
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26715
GHSA-pf94-94m9-536p