Skip to main content

Elixir Mint EUVDEUVD-2026-33939

| CVE-2026-48862 HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-06-02 EEF GHSA-g586-ccqf-7x4r
8.2
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Source Code Evidence Fetched
Jun 02, 2026 - 18:05 vuln.today
Analysis Generated
Jun 02, 2026 - 18:05 vuln.today
CVSS changed
Jun 02, 2026 - 16:22 NVD
8.2 (HIGH)
CVE Published
Jun 02, 2026 - 14:15 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint Mint allows attacker-controlled HTTP/2 servers to exhaust memory in a Mint client via PUSH_PROMISE flooding.

In lib/mint/http2.ex, Mint.HTTP2.decode_push_promise_headers_and_add_response/5 inserts a :reserved_remote entry into conn.streams for every promised stream ID. The neighbouring Mint.HTTP2.assert_valid_promised_stream_id/2 only verifies that the promised ID is even and not already present; client_settings.max_concurrent_streams is not consulted at promise time. The concurrency cap is only checked when the response HEADERS for the promised stream arrive, so a server that emits PUSH_PROMISE frames and withholds the matching HEADERS never trips that check.

HTTP/2 server push is accepted by default (client_settings.enable_push defaults to true). A single long-lived HTTP/2 connection to a hostile server lets that server pin one conn.streams entry per PUSH_PROMISE frame it sends, with no upper bound, until the client process runs out of memory.

This issue affects mint: from 0.2.0 before 1.9.0.

AnalysisAI

Memory exhaustion in elixir-mint Mint HTTP/2 client (versions 0.2.0 through 1.8.x) allows a malicious HTTP/2 server to crash the client process by flooding PUSH_PROMISE frames without follow-up HEADERS, since reserved stream entries bypass the max_concurrent_streams cap. CVSS 4.0 score is 8.2 with attack vector network and high availability impact, but no public exploit is identified at time of analysis and the bug requires the client to connect to a hostile server. Server push is accepted by default (enable_push=true), so any Mint-based HTTP client reaching an attacker-controlled origin is exposed.

Technical ContextAI

Mint is a low-level, process-less HTTP/1 and HTTP/2 client library for Elixir used by higher-level clients such as Finch, Tesla (Mint adapter), and Phoenix-related tooling. The defect is a CWE-770 (Allocation of Resources Without Limits or Throttling) flaw in lib/mint/http2.ex: decode_push_promise_headers_and_add_response/5 inserted every promised stream into conn.streams in the :reserved_remote state, while assert_valid_promised_stream_id/2 only checked that the promised ID was even and not duplicated. The HTTP/2 spec's SETTINGS_MAX_CONCURRENT_STREAMS limit was only enforced when the matching response HEADERS arrived, so withholding HEADERS bypassed the cap entirely. CPE cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:* identifies the affected package on Hex. The patch (commit 70b97b6) introduces a reserved_server_stream_count counter, checks open+reserved counts at promise time, and emits RST_STREAM with REFUSED_STREAM for promises beyond the limit while still HPACK-decoding the header block to keep the decoder table in sync.

RemediationAI

Upgrade the mint dependency to version 1.9.0 or later, which contains the upstream fix in commit 70b97b6a5209fb288b0e04d8e657dda26c59de67 that enforces max_concurrent_streams at PUSH_PROMISE time and refuses excess promises with RST_STREAM/REFUSED_STREAM; consult the advisory at https://github.com/elixir-mint/mint/security/advisories/GHSA-g586-ccqf-7x4r and the Erlang Ecosystem Foundation CNA record at https://cna.erlef.org/cves/CVE-2026-48862.html. For applications that cannot upgrade immediately, the most effective workaround is to disable HTTP/2 server push by passing client_settings: [enable_push: false] when opening Mint connections - this prevents the server from sending PUSH_PROMISE frames at all, with the only side effect being loss of server-push acceleration (rarely used in API clients and broadly deprecated by browsers). A secondary mitigation is to lower client_settings.max_concurrent_streams to a small value to cap memory growth, though pre-patch this only delays exhaustion rather than preventing it because the cap is not checked at promise time. Restricting which hosts the application will connect to (egress allowlists, SSRF protections) further reduces exposure for clients that fetch user-supplied URLs.

Share

EUVD-2026-33939 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy