GHSA-468c-vq7p-gh64High

Plug: Unbounded buffer accumulation in multipart header parsing causes denial of service

Published
May 20, 2026
Last Modified
May 20, 2026

🔗 CVE IDs covered (1)

CVE-2026-8468

📋 Description

Summary

An Allocation of Resources Without Limits or Throttling vulnerability in Plug.Conn.read_part_headers/2 allows an unauthenticated attacker to exhaust server memory by sending a crafted multipart/form-data request, causing a denial of service.

Details

Plug.Conn.read_part_headers/2 in lib/plug/conn.ex does not obey its :length parameter. There is no upper bound on the size of the accumulated buffer. By contrast, the sibling function read_part_body has an explicit byte_size(acc) > length guard that stops accumulation once a limit is reached. No such guard exists in read_part_headers.

Impact

This is a denial-of-service vulnerability. Any application using Plug.Parsers with the :multipart parser, or calling Plug.Conn.read_part_headers/2 directly, is affected. An unauthenticated remote attacker can trigger the issue by sending crafted HTTP requests with no special privileges.

References

  • Intro Commit: https://github.com/elixir-plug/plug/commit/c52b2f32c90bccd718202bafccb5f95594e30183
  • Patch Commit: https://github.com/elixir-plug/plug/commit/d878b42efea9f12b243dc3e362a2ed048a798203

🎯 Affected products5

  • erlang/plug:>= 1.4.0, < 1.15.4
  • erlang/plug:>= 1.16.0, < 1.16.3
  • erlang/plug:>= 1.17.0, < 1.17.1
  • erlang/plug:>= 1.18.0, < 1.18.2
  • erlang/plug:>= 1.19.0, < 1.19.2

🔗 References (11)