Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint Mint allows attacker-controlled HTTP/2 servers to exhaust memory in a Mint client via PUSH_PROMISE flooding.
In lib/mint/http2.ex, Mint.HTTP2.decode_push_promise_headers_and_add_response/5 inserts a :reserved_remote entry into conn.streams for every promised stream ID. The neighbouring Mint.HTTP2.assert_valid_promised_stream_id/2 only verifies that the promised ID is even and not already present; client_settings.max_concurrent_streams is not consulted at promise time. The concurrency cap is only checked when the response HEADERS for the promised stream arrive, so a server that emits PUSH_PROMISE frames and withholds the matching HEADERS never trips that check.
HTTP/2 server push is accepted by default (client_settings.enable_push defaults to true). A single long-lived HTTP/2 connection to a hostile server lets that server pin one conn.streams entry per PUSH_PROMISE frame it sends, with no upper bound, until the client process runs out of memory.
This issue affects mint: from 0.2.0 before 1.9.0.
AnalysisAI
Memory exhaustion in elixir-mint Mint HTTP/2 client (versions 0.2.0 through 1.8.x) allows a malicious HTTP/2 server to crash the client process by flooding PUSH_PROMISE frames without follow-up HEADERS, since reserved stream entries bypass the max_concurrent_streams cap. CVSS 4.0 score is 8.2 with attack vector network and high availability impact, but no public exploit is identified at time of analysis and the bug requires the client to connect to a hostile server. Server push is accepted by default (enable_push=true), so any Mint-based HTTP client reaching an attacker-controlled origin is exposed.
Technical ContextAI
Mint is a low-level, process-less HTTP/1 and HTTP/2 client library for Elixir used by higher-level clients such as Finch, Tesla (Mint adapter), and Phoenix-related tooling. The defect is a CWE-770 (Allocation of Resources Without Limits or Throttling) flaw in lib/mint/http2.ex: decode_push_promise_headers_and_add_response/5 inserted every promised stream into conn.streams in the :reserved_remote state, while assert_valid_promised_stream_id/2 only checked that the promised ID was even and not duplicated. The HTTP/2 spec's SETTINGS_MAX_CONCURRENT_STREAMS limit was only enforced when the matching response HEADERS arrived, so withholding HEADERS bypassed the cap entirely. CPE cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:* identifies the affected package on Hex. The patch (commit 70b97b6) introduces a reserved_server_stream_count counter, checks open+reserved counts at promise time, and emits RST_STREAM with REFUSED_STREAM for promises beyond the limit while still HPACK-decoding the header block to keep the decoder table in sync.
RemediationAI
Upgrade the mint dependency to version 1.9.0 or later, which contains the upstream fix in commit 70b97b6a5209fb288b0e04d8e657dda26c59de67 that enforces max_concurrent_streams at PUSH_PROMISE time and refuses excess promises with RST_STREAM/REFUSED_STREAM; consult the advisory at https://github.com/elixir-mint/mint/security/advisories/GHSA-g586-ccqf-7x4r and the Erlang Ecosystem Foundation CNA record at https://cna.erlef.org/cves/CVE-2026-48862.html. For applications that cannot upgrade immediately, the most effective workaround is to disable HTTP/2 server push by passing client_settings: [enable_push: false] when opening Mint connections - this prevents the server from sending PUSH_PROMISE frames at all, with the only side effect being loss of server-push acceleration (rarely used in API clients and broadly deprecated by browsers). A secondary mitigation is to lower client_settings.max_concurrent_streams to a small value to cap memory growth, though pre-patch this only delays exhaustion rather than preventing it because the cap is not checked at promise time. Restricting which hosts the application will connect to (egress allowlists, SSRF protections) further reduces exposure for clients that fetch user-supplied URLs.
Uncontrolled memory allocation in the Elixir Mint HTTP client (Mint.HTTP1 module, versions 0.5.0 through 1.9.0) lets a m
Unbounded memory consumption in the Elixir Mint HTTP client (versions 0.1.0 through 1.9.1) lets a malicious or attacker-
Memory exhaustion in the Elixir Mint HTTP/2 client (versions 0.1.0 through 1.8.x) allows a malicious or compromised HTTP
Memory exhaustion in elixir-mint's HTTP/2 client library (mint) allows a malicious or attacker-controlled HTTP/2 server
Response-queue poisoning in the elixir-mint Mint HTTP/1.1 client library (versions 0.1.0 through before 1.9.3) allows a
HTTP response smuggling in the Elixir Mint HTTP client library (versions 0.1.0 through before 1.9.0) allows attacker-con
CRLF injection in the elixir-mint Mint HTTP/1.1 client library (versions 0.1.0 through 1.8.x) enables HTTP Request Split
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33939
GHSA-g586-ccqf-7x4r