Skip to main content

Cowboy

1 CVEs product

Monthly

CVE-2026-8466 HIGH PATCH GHSA This Week

Unauthenticated denial of service in ninenines Cowboy 2.0.0 through 2.14.x allows remote attackers to exhaust BEAM VM memory by sending malformed multipart/form-data uploads that never complete a header section. The flaw lives in cowboy_req:read_part/3, which lacked the upper-bound buffer guard already present in read_part_body/4, letting a handful of concurrent slow uploads accumulate request bytes linearly until the Erlang node runs out of memory. EPSS is very low (0.02%) and no public exploit is identified at time of analysis, but the upstream patch and a regression test are already merged in 2.15.0.

Denial Of Service Cowboy
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Unauthenticated denial of service in ninenines Cowboy 2.0.0 through 2.14.x allows remote attackers to exhaust BEAM VM memory by sending malformed multipart/form-data uploads that never complete a header section. The flaw lives in cowboy_req:read_part/3, which lacked the upper-bound buffer guard already present in read_part_body/4, letting a handful of concurrent slow uploads accumulate request bytes linearly until the Erlang node runs out of memory. EPSS is very low (0.02%) and no public exploit is identified at time of analysis, but the upstream patch and a regression test are already merged in 2.15.0.

Denial Of Service Cowboy
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy