CVE-2026-8468

EPSS 0.27%

Plug: Unbounded buffer accumulation in multipart header parsing causes denial of service

Published: 5/20/2026Modified: 5/20/2026

Description

### Summary An Allocation of Resources Without Limits or Throttling vulnerability in `Plug.Conn.read_part_headers/2` allows an unauthenticated attacker to exhaust server memory by sending a crafted `multipart/form-data` request, causing a denial of service. ### Details `Plug.Conn.read_part_headers/2` in `lib/plug/conn.ex` does not obey its `:length` parameter. There is no upper bound on the size of the accumulated buffer. By contrast, the sibling function `read_part_body` has an explicit `byte_size(acc) > length` guard that stops accumulation once a limit is reached. No such guard exists in `read_part_headers`. ### Impact This is a denial-of-service vulnerability. Any application using `Plug.Parsers` with the `:multipart` parser, or calling `Plug.Conn.read_part_headers/2` directly, is affected. An unauthenticated remote attacker can trigger the issue by sending crafted HTTP requests with no special privileges. ### References * Intro Commit: https://github.com/elixir-plug/plug/commit/c52b2f32c90bccd718202bafccb5f95594e30183 * Patch Commit: https://github.com/elixir-plug/plug/commit/d878b42efea9f12b243dc3e362a2ed048a798203

Affected packages (1)

CVSS scores

SourceVersionSeverityVector
osvCVSS 4.0CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References (11)