Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Allocation of Resources Without Limits or Throttling vulnerability in ninenines cowboy allows denial of service via unbounded buffer accumulation in multipart header parsing.
cowboy_req:read_part/3 in src/cowboy_req.erl accumulates incoming request bytes into a Buffer binary with no upper-bound check. When cow_multipart:parse_headers/2 returns more or {more, Buffer2}, the function reads up to Length bytes (default 64 KB) from the request body and recurses with the enlarged buffer. There is no equivalent of the byte_size(Acc) > Length guard present in the sibling function read_part_body/4. An unauthenticated attacker can send a multipart/form-data request whose body never yields a complete header section - for example, a body that never contains the advertised boundary delimiter, or one whose header lines never contain \r\n\r\n - and force the server process to accumulate memory linearly with the bytes the protocol layer is willing to deliver. A handful of concurrent such uploads is sufficient to exhaust BEAM memory.
This issue affects cowboy from 2.0.0 before 2.15.0.
AnalysisAI
Unauthenticated denial of service in ninenines Cowboy 2.0.0 through 2.14.x allows remote attackers to exhaust BEAM VM memory by sending malformed multipart/form-data uploads that never complete a header section. The flaw lives in cowboy_req:read_part/3, which lacked the upper-bound buffer guard already present in read_part_body/4, letting a handful of concurrent slow uploads accumulate request bytes linearly until the Erlang node runs out of memory. EPSS is very low (0.02%) and no public exploit is identified at time of analysis, but the upstream patch and a regression test are already merged in 2.15.0.
Technical ContextAI
Cowboy is a small, fast HTTP/1.1, HTTP/2, and WebSocket server for Erlang/OTP, widely embedded in BEAM-based web stacks (Phoenix/Plug, Elli alternatives, Erlang microservices). The vulnerable code path is the multipart streaming API: cowboy_req:read_part/3 in src/cowboy_req.erl reads up to Length bytes (default 64 KB) from the request body via stream_multipart/3 and feeds them to cow_multipart:parse_headers/2. When the parser returns more or {more, Buffer2}, the function recursed with << Buffer/binary, Data/binary >> with no byte_size check, in contrast to the sibling read_part_body/4 which already enforced a byte_size(Acc) > Length guard. The root cause maps to CWE-770 (Allocation of Resources Without Limits or Throttling): a parser state that consumes attacker-controlled bytes without an upper bound on the accumulator. The fix introduces read_part_more/3 which exits with {request_error, {multipart, headers}, 'Malformed body; multipart header block too large.'} once the buffer exceeds 2048 bytes - twice the largest expected header block.
RemediationAI
Upgrade to Cowboy 2.15.0, which introduces the read_part_more/3 guard that aborts multipart parsing with a 400 once the in-progress header buffer exceeds 2048 bytes (commit 5c6a2061b41bb5771c4659fac7d5a822dca5bafb). For Elixir/Phoenix users, bump the plug_cowboy or cowboy dependency to a release that resolves to >= 2.15.0 and redeploy; verify with mix deps or rebar3 tree that no transitive pin holds an older version. If immediate upgrade is not possible, place a reverse proxy (nginx, HAProxy, an API gateway) in front of Cowboy and enforce a strict client_max_body_size / request body timeout on multipart endpoints, and reject requests where the headers section of any multipart part exceeds a low threshold - note the side effect that legitimate clients sending unusually large part headers (e.g. long Content-Disposition with many parameters) will be rejected. As a last resort, disable multipart handlers entirely on internet-exposed routes until patched, accepting that file-upload functionality will break. Consult the advisories at https://cna.erlef.org/cves/CVE-2026-8466.html and the patch at https://github.com/ninenines/cowboy/commit/5c6a2061b41bb5771c4659fac7d5a822dca5bafb.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30133
GHSA-jfc2-q6qh-g5x8