CVE-2026-8468

Summary

Allocation of Resources Without Limits or Throttling vulnerability in plug_project plug allows denial of service via unbounded buffer accumulation in multipart header parsing.

'Elixir.Plug.Conn':read_part_headers/2 in lib/plug/conn.ex does not obey its :length parameter. There is no upper bound on the size of the accumulated buffer. By contrast, the sibling function read_part_body has an explicit byte_size(acc) > length guard that stops accumulation once a limit is reached. No such guard exists in read_part_headers. An unauthenticated remote attacker can exhaust server memory by sending a crafted multipart/form-data request, causing a denial of service.

This issue affects plug from 1.4.0 before 1.15.4, 1.16.3, 1.17.1, 1.18.2, and 1.19.2.

Affected Software

VendorProductVersion RangeStatus
elixir-plugplug1.4.0 < 1.15.4affected
elixir-plugplug1.16.0 < 1.16.3affected
elixir-plugplug1.17.0 < 1.17.1affected
elixir-plugplug1.18.0 < 1.18.2affected
elixir-plugplug1.19.0 < 1.19.2affected
elixir-plugplugc52b2f32c90bccd718202bafccb5f95594e30183 < *affected

Weaknesses

  • CWE-770: CWE-770 Allocation of Resources Without Limits or Throttling

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References