EEF-CVE-2026-8468

Source
https://cna.erlef.org/osv/EEF-CVE-2026-8468.html
Import Source
https://cna.erlef.org/osv/EEF-CVE-2026-8468.json
JSON Data
https://api.osv.dev/v1/vulns/EEF-CVE-2026-8468
Aliases
  • CVE-2026-8468
  • GHSA-468c-vq7p-gh64
Published
2026-05-14T10:29:51.062Z
Modified
2026-05-15T04:33:16.325Z
Severity
  • 8.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Summary
Unbounded buffer accumulation in multipart header parsing causes denial of service in plug
Details

Summary

Allocation of Resources Without Limits or Throttling vulnerability in plug_project plug allows denial of service via unbounded buffer accumulation in multipart header parsing.

'Elixir.Plug.Conn':read_part_headers/2 in lib/plug/conn.ex does not obey its :length parameter. There is no upper bound on the size of the accumulated buffer. By contrast, the sibling function read_part_body has an explicit byte_size(acc) > length guard that stops accumulation once a limit is reached. No such guard exists in read_part_headers. An unauthenticated remote attacker can exhaust server memory by sending a crafted multipart/form-data request, causing a denial of service.

This issue affects plug from 1.4.0 before 1.15.4, 1.16.3, 1.17.1, 1.18.2, and 1.19.2.
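The pattern the advisory describes, as an added illustration rather than Plug's own code: a header accumulator that refuses to grow past its :length limit, the guard that the vulnerable function lacks and its sibling read_part_body has. The module, function names and the chunk-reader callback are assumptions for this example, and the inputs are constructed.

```elixir
defmodule BoundedHeaders do
  # Added example, not Plug's implementation. `read_chunk` is an assumed
  # zero-arity callback returning {:ok, binary} or :eof; `length` caps the
  # number of header bytes that may be buffered for one multipart part.
  @terminator "\r\n\r\n"

  # Returns {:ok, headers, rest} on success, {:error, :too_large} when the
  # buffer exceeds the limit, or {:error, :eof} if the stream ends first.
  def read_part_headers(read_chunk, length, acc \\ "") do
    case :binary.match(acc, @terminator) do
      {pos, len} ->
        <<headers::binary-size(pos), _sep::binary-size(len), rest::binary>> = acc
        {:ok, headers, rest}

      # The guard missing from the vulnerable function: stop accumulating once
      # the buffer is over the configured limit instead of reading forever.
      :nomatch when byte_size(acc) > length ->
        {:error, :too_large}

      :nomatch ->
        case read_chunk.() do
          {:ok, chunk} -> read_part_headers(read_chunk, length, acc <> chunk)
          :eof -> {:error, :eof}
        end
    end
  end

  # Builds a read_chunk callback over a constructed list of chunks (test input).
  def reader_from_chunks(chunks) do
    {:ok, agent} = Agent.start_link(fn -> chunks end)

    fn ->
      Agent.get_and_update(agent, fn
        [] -> {:eof, []}
        [head | tail] -> {{:ok, head}, tail}
      end)
    end
  end
end

# Constructed input: a well-formed part header block followed by body bytes.
good = BoundedHeaders.reader_from_chunks([
  "Content-Disposition: form-data; name=\"f\"\r\n",
  "Content-Type: text/plain\r\n\r\nbody"
])
{:ok, _headers, "body"} = BoundedHeaders.read_part_headers(good, 8_000)

# Constructed input: header lines that never terminate; the guard stops
# accumulation at the limit instead of buffering the whole stream.
junk_line = "X-Junk: " <> String.duplicate("a", 1_000) <> "\r\n"
hostile = BoundedHeaders.reader_from_chunks(List.duplicate(junk_line, 100))
{:error, :too_large} = BoundedHeaders.read_part_headers(hostile, 8_000)
```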

Configuration

The application must use Plug.Parsers with the :multipart parser, or otherwise call Plug.Conn.read_part_headers/2 to process multipart/form-data request bodies. Deployments that do not handle multipart uploads are not affected.

Database specific
{
    "capec_ids": [
        "CAPEC-130"
    ],
    "cpe_ids": [
        "cpe:2.3:a:plug_project:plug:*:*:*:*:*:*:*:*"
    ],
    "cwe_ids": [
        "CWE-770"
    ]
}
References
Credits
    • José Valim - FINDER
    • José Valim - REMEDIATION_DEVELOPER
    • Jonatan Männchen - ANALYST

Affected packages

Hex / plug

Package

Name
plug
Purl
pkg:hex/plug

Affected ranges

Type: SEMVER

Events
  • Introduced 1.4.0, Fixed 1.15.4
  • Introduced 1.16.0, Fixed 1.16.3
  • Introduced 1.17.0, Fixed 1.17.1
  • Introduced 1.18.0, Fixed 1.18.2
  • Introduced 1.19.0, Fixed 1.19.2

Affected versions

1.*
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
1.5.0-rc.0
1.5.0-rc.1
1.5.0-rc.2
1.5.0
1.5.1
1.6.0
1.6.1
1.6.2
1.6.3
1.6.4
1.7.0
1.7.1
1.7.2
1.8.0
1.8.1
1.8.2
1.8.3
1.9.0
1.10.0
1.10.1
1.10.2
1.10.3
1.10.4
1.11.0
1.11.1
1.12.0
1.12.1
1.13.0
1.13.1
1.13.2
1.13.3
1.13.4
1.13.5
1.13.6
1.14.0
1.14.1
1.14.2
1.15.0
1.15.1
1.15.2
1.15.3
1.16.0
1.16.1
1.16.2
1.17.0
1.18.0
1.18.1
1.19.0
1.19.1

Database specific

source
"https://cna.erlef.org/osv/EEF-CVE-2026-8468.json"

Git / github.com/elixir-plug/plug

Database specific

source
"https://cna.erlef.org/osv/EEF-CVE-2026-8468.json"