EEF-CVE-2026-39806

See a problem?
Please try reporting it to the source first.
Source
https://cna.erlef.org/osv/EEF-CVE-2026-39806.html
Import Source
https://cna.erlef.org/osv/EEF-CVE-2026-39806.json
JSON Data
https://api.osv.dev/v1/vulns/EEF-CVE-2026-39806
Aliases
  • CVE-2026-39806
  • GHSA-rf5q-vwxw-gmrf
Published
2026-05-13T13:36:17.806Z
Modified
2026-05-13T13:56:39.607670583Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
HTTP/1 chunked decoder infinite loop on requests with trailer fields in bandit
Details

Summary

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in mtrudel bandit allows unauthenticated remote denial of service via worker process exhaustion.

'Elixir.Bandit.HTTP1.Socket':doreadchunkeddata!/5 in lib/bandit/http1/socket.ex terminates only when the last-chunk line 0\r\n is followed immediately by the empty trailer line \r\n. RFC 9112 §7.1.2 permits zero or more trailer fields between them. When trailers are present, none of the match clauses fit: the catch-all arm computes a negative toread, calls read_available!/2, receives <<>> on timeout, and tail-recurses with unchanged state. The worker process is pinned for the lifetime of the TCP connection.

A handful of concurrent connections sending RFC-conformant chunked requests with trailer fields is sufficient to exhaust the Bandit worker pool and render the server unresponsive to all further traffic. No authentication, special headers, or large payload is required. Proxies such as NGINX and HAProxy legitimately forward trailer-bearing requests, so servers behind such proxies may be affected without any malicious client involvement.

This issue affects bandit: from 1.6.1 before 1.11.1.

Database specific 
{
    "capec_ids": [
        "CAPEC-469"
    ],
    "cpe_ids": [
        "cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*"
    ],
    "cwe_ids": [
        "CWE-835"
    ]
}
References
Credits
    • Peter Ullrich - FINDER
    • Mat Trudel - REMEDIATION_DEVELOPER
    • Jonatan Männchen - ANALYST

Affected packages

Hex / bandit

Package

Name
bandit
Purl
pkg:hex/bandit

Affected ranges

Type
SEMVER
Events
Introduced
1.6.1
Fixed
1.11.1

Affected versions

1.*
1.6.1
1.6.2
1.6.3
1.6.4
1.6.5
1.6.6
1.6.7
1.6.8
1.6.9
1.6.10
1.6.11
1.7.0
1.8.0
1.9.0
1.10.0
1.10.1
1.10.2
1.10.3
1.10.4
1.11.0

Database specific

source 
"https://cna.erlef.org/osv/EEF-CVE-2026-39806.json"

Git / github.com/mtrudel/bandit

Affected ranges

Type
GIT
Repo
https://github.com/mtrudel/bandit
Events
Introduced
e73e379ab59840e8561b5730878f16e29ab06217
Fixed
ae3520dfdbfab115c638f8c7f6f6b805db34e1ab

Affected versions

1.*
1.10.0
1.10.1
1.10.2
1.10.3
1.10.4
1.11.0
1.6.1
1.6.10
1.6.11
1.6.2
1.6.3
1.6.4
1.6.5
1.6.6
1.6.7
1.6.8
1.6.9
1.7.0
1.8.0
1.9.0

Database specific

source 
"https://cna.erlef.org/osv/EEF-CVE-2026-39806.json"