Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Requires client connection to an attacker-controlled HTTP/2 server (AC:H); successful exploitation fully terminates the BEAM process (A:H); no confidentiality or integrity impact.
Primary rating from Vendor (EEF).
CVSS VectorVendor: EEF
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Allocation of resources without limits vulnerability in elixir-mint mint allows a remote HTTP/2 server to exhaust memory on the client host and cause a denial of service.
The Mint.HTTP2.handle_continuation/3 function in lib/mint/http2.ex accumulates the header-block fragment carried by each HTTP/2 CONTINUATION frame into a growing conn.headers_being_processed nesting, one level deeper per frame, and only releases it when a frame with the END_HEADERS flag arrives. The only guard on this accumulator is Mint.HTTP2.assert_header_block_within_max_size/2, which sums the byte size of the fragments received so far. Because a CONTINUATION frame is permitted by the protocol to carry a zero-length payload, an unbounded chain of zero-length CONTINUATION frames adds no bytes to the running total, never trips the size cap, and never emits END_HEADERS, yet each frame still nests the accumulator one level deeper.
A malicious HTTP/2 server (reachable directly, via an attacker-controlled redirect, via SSRF, or via a man-in-the-middle) can open a stream by sending a HEADERS frame without END_HEADERS and then stream zero-length CONTINUATION frames indefinitely. Client memory grows one cons cell per frame received; sustained bandwidth from the peer drives the BEAM node running the Mint client to memory exhaustion and eventual out-of-memory termination.
This issue affects mint: from 0.1.0 before 1.9.2.
AnalysisAI
Memory exhaustion in elixir-mint's HTTP/2 client library (mint) allows a malicious or attacker-controlled HTTP/2 server to crash any BEAM application using the library by streaming unbounded zero-length CONTINUATION frames that bypass the existing byte-size guard. Affected versions span mint 0.1.0 through 1.9.1; a vendor-released patch is confirmed in 1.9.2. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The Mint client must initiate an HTTP/2 connection to an attacker-controlled server; this can occur via four paths documented in the advisory: (1) direct connection - the application explicitly connects to a malicious host; (2) redirect - a legitimate server issues a 3xx redirect to an attacker-controlled HTTP/2 endpoint and the client follows it; (3) SSRF - the application fetches a user-supplied or externally influenced URL via Mint and the attacker points it at a malicious server; (4) MitM - a network-position attacker intercepts the HTTP/2 stream and injects the malicious frame sequence. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:N/VA:L) scores 6.3. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker operates an HTTP/2 server and causes a Mint-based Elixir client to connect to it - for example, by exploiting an SSRF vulnerability in a Phoenix application to point an outbound request at the attacker's host, or by inserting a redirect from a legitimate server to the malicious endpoint. The server opens a stream with a HEADERS frame omitting END_HEADERS, then continuously emits zero-length CONTINUATION frames; the client BEAM VM allocates one cons cell per frame and eventually exhausts available heap memory, terminating the application process. … |
| Remediation | Upgrade elixir-mint/mint to version 1.9.2 or later, which contains patch commit 5779de1666344b32aefc4354184ea07f902f73ce; the patch and advisory are at https://github.com/elixir-mint/mint/commit/5779de1666344b32aefc4354184ea07f902f73ce and https://github.com/elixir-mint/mint/security/advisories/GHSA-8pf6-g464-h6h9 respectively. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Uncontrolled memory allocation in the Elixir Mint HTTP client (Mint.HTTP1 module, versions 0.5.0 through 1.9.0) lets a m
Unbounded memory consumption in the Elixir Mint HTTP client (versions 0.1.0 through 1.9.1) lets a malicious or attacker-
Memory exhaustion in the Elixir Mint HTTP/2 client (versions 0.1.0 through 1.8.x) allows a malicious or compromised HTTP
Memory exhaustion in elixir-mint Mint HTTP/2 client (versions 0.2.0 through 1.8.x) allows a malicious HTTP/2 server to c
HTTP response smuggling in the Elixir Mint HTTP client library (versions 0.1.0 through before 1.9.0) allows attacker-con
CRLF injection in the elixir-mint Mint HTTP/1.1 client library (versions 0.1.0 through 1.8.x) enables HTTP Request Split
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43643