HIGHCVE-2026-8468Published Modified CNA EEF
CVE-2026-8468: Unbounded buffer accumulation in multipart header parsing causes denial of service in plug
Allocation of Resources Without Limits or Throttling vulnerability in plug_project plug allows denial of service via unbounded buffer accumulation in multipart header parsing. 'Elixir.Plug.Conn':read_part_headers/2 in lib/plug/conn.ex does not obey its :length parameter. There is no upper bound on the size of the accumulated buffer. By contrast, the sibling function read_part_body has an explicit byte_size(acc) > length guard that stops accumulation once a limit is reached. No such guard exists in read_part_headers. An unauthenticated remote attacker can exhaust server memory by sending a crafted multipart/form-data request, causing a denial of service. This issue affects plug from 1.4.0 before 1.15.4, 1.16.3, 1.17.1, 1.18.2, and 1.19.2.
Metrics
- CVSS v4.0
- 8.2
- Severity
- HIGH
- Fixed in
- *
- Affected Products
- 2
Fix available
*1.15.41.16.31.17.11.18.21.19.2
Patch commits
Affected packages
- elixir-plug / plug< 1.15.4 (from 1.4.0) · < 1.16.3 (from 1.16.0) · < 1.17.1 (from 1.17.0) · < 1.18.2 (from 1.18.0) · < 1.19.2 (from 1.19.0)
- elixir-plug / plug< * (from c52b2f32c90bccd718202bafccb5f95594e30183)
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N