CVE-2026-39803

Source
https://cve.org/CVERecord?id=CVE-2026-39803
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-39803.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-39803
Aliases
Published
2026-05-13T13:36:09.648Z
Modified
2026-07-08T08:12:30.338354707Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
HTTP/1 chunked body reader ignores length cap in bandit
Details

Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion.

The chunked clause of 'Elixir.Bandit.HTTP1.Socket':readdata/2 in lib/bandit/http1/socket.ex ignores the caller-supplied :length option when reading HTTP/1 chunked request bodies. Instead of capping the accumulated body at the configured limit (e.g. Plug.Parsers' default 8 MB), doreadchunkeddata!/5 buffers every received chunk into an iolist unconditionally and materializes the entire body as a single binary. The function always returns {:ok, body, ...}, so callers cannot interpose a 413 response.

Because Plug.Parsers runs before routing and authentication in the standard Phoenix endpoint, an unauthenticated attacker needs no valid route or credentials. Sending a single Transfer-Encoding: chunked POST request with an arbitrarily large body to any path causes the BEAM process to exhaust available memory and be terminated by the OS OOM killer.

The content-length path in the same function correctly enforces the limit and is not affected.

This issue affects bandit: from 1.4.0 before 1.11.1.

Database specific
{
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "903e209a521bc216b9f9065c01ae9a0cac2d5a10"
                },
                {
                    "fixed": "ae3520dfdbfab115c638f8c7f6f6b805db34e1ab"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/39xxx/CVE-2026-39803.json",
    "cna_assigner": "EEF",
    "cwe_ids": [
        "CWE-770"
    ]
}
References

Affected packages

Git / github.com/mtrudel/bandit

Affected ranges

Type
GIT
Repo
https://github.com/mtrudel/bandit
Events
Database specific
{
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "1.4.0"
        },
        {
            "fixed": "1.11.1"
        }
    ]
}

Affected versions

1.*
1.10.0
1.10.1
1.10.2
1.10.3
1.10.4
1.11.0
1.4.0
1.4.1
1.4.2
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4
1.5.5
1.5.6
1.5.7
1.6.0
1.6.1
1.6.10
1.6.11
1.6.2
1.6.3
1.6.4
1.6.5
1.6.6
1.6.7
1.6.8
1.6.9
1.7.0
1.8.0
1.9.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-39803.json"