Description
Allocation of Resources Without Limits or Throttling vulnerability in elixir-plug plug_cowboy allows unauthenticated remote denial of service via atom table exhaustion.

Plug.Cowboy.Conn.conn/1 in lib/plug/cowboy/conn.ex calls String.to_atom/1 on the value returned by :cowboy_req.scheme/1. For HTTP/2 connections, cowlib passes the client-supplied :scheme pseudo-header value through verbatim without validation. Each unique value permanently allocates a new entry in the BEAM atom table. Since atoms are never garbage-collected and the atom table has a fixed limit (default 1,048,576), an unauthenticated attacker can exhaust the table by sending HTTP/2 requests with unique :scheme values, causing the Erlang VM to abort with system_limit and taking down the entire node.

This vulnerability does not affect HTTP/1.1, where cowboy derives the scheme from the listener type rather than from a client-supplied header.

This issue affects plug_cowboy: from 2.0.0 before 2.8.1.
Published: 2026-04-27
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via atom table exhaustion
Action: Apply Patch
AI Analysis

Impact

The vulnerability arises when Plug.Cowboy.Conn.conn/1 converts the :scheme pseudo-header from an HTTP/2 request into an Erlang atom without validation. Atoms are permanent and the BEAM atom table has a fixed size of 1,048,576 entries. An unauthenticated attacker can provide many distinct :scheme values, causing the table to grow until the VM aborts with a system_limit exception. The effect is a service crash that takes down the entire Erlang node. This weakness falls under CWE-770 (Allocation of Resources Without Limits or Throttling).

Affected Systems

The issue affects the elixir-plug plug_cowboy library versions 2.0.0 through 2.8.0. It is present in setups that enable HTTP/2 on Plug.Cowboy listeners; HTTP/1.1 listeners are not vulnerable because the scheme is derived from the listener type instead of a client-supplied header.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity. EPSS data is currently not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be network-based, using unauthenticated HTTP/2 traffic. An attacker needs only to send HTTP/2 requests with unique :scheme headers; no authentication or privileged access is required. Because the atom table is not naturally throttled, exploitation likelihood remains high with no countermeasures in place.

Generated by OpenCVE AI on April 28, 2026 at 04:25 UTC.

Remediation

Vendor Workaround

Disable HTTP/2 on the Plug.Cowboy.https/3 listener by passing protocol_options: %{protocols: [:http]} in the cowboy options. This restricts the listener to HTTP/1.1, where the scheme is derived from the listener type and is not attacker-controlled.


OpenCVE Recommended Actions

  • Upgrade Plug.Cowboy to version 2.8.1 or later, where the processing of :scheme values has been sanitized.
  • If an upgrade is not immediately possible, disable HTTP/2 on the Plug.Cowboy listener by configuring protocol_options: %{protocols: [:http]} to force HTTP/1.1 traffic and prevent the creation of attacker-controlled atoms.
  • After applying the patch or disabling HTTP/2, actively monitor the BEAM atom table size and node stability to detect any unexpected resource exhaustion before it leads to a crash.
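The vendor workaround and the monitoring step above, as an added example that is not code from plug_cowboy or the advisory: a Plug.Cowboy HTTPS child spec pinned to HTTP/1.1 for use until the upgrade to 2.8.1, plus a small GenServer that reads the VM's own atom-table counters and logs when usage crosses a threshold. MyApp.Router, the port and the certificate paths are placeholders.

```elixir
# Added example, not code from plug_cowboy or the advisory; MyApp.Router,
# the port and the certificate paths are placeholders.
defmodule MyApp.Endpoint do
  # Vendor workaround: by default Cowboy negotiates HTTP/2 over TLS (ALPN),
  # so the client-chosen :scheme reaches String.to_atom/1 on plug_cowboy
  # < 2.8.1. Pinning the listener to HTTP/1.1 removes that path.
  def child_spec do
    {Plug.Cowboy,
     scheme: :https,
     plug: MyApp.Router,
     options: [
       port: 4443,
       certfile: "priv/cert.pem",
       keyfile: "priv/key.pem",
       protocol_options: %{protocols: [:http]}
     ]}
  end
end

# Periodic atom-table check so growth is noticed before the VM aborts with
# system_limit; start it under the application supervisor.
defmodule MyApp.AtomMonitor do
  use GenServer
  require Logger
  @interval :timer.minutes(1)
  @warn_ratio 0.5
  def start_link(opts \\ []),
    do: GenServer.start_link(__MODULE__, opts, name: __MODULE__)
  # {atoms_in_use, atom_limit, fraction_used}, straight from the VM counters.
  def atom_usage do
    count = :erlang.system_info(:atom_count)
    limit = :erlang.system_info(:atom_limit)
    {count, limit, count / limit}
  end
  @impl true
  def init(opts) do
    send(self(), :check)
    {:ok, Keyword.get(opts, :warn_ratio, @warn_ratio)}
  end
  @impl true
  def handle_info(:check, warn_ratio) do
    {count, limit, ratio} = atom_usage()
    if ratio >= warn_ratio,
      do: Logger.error("atom table at #{count}/#{limit} (#{Float.round(ratio * 100, 1)}%)")
    Process.send_after(self(), :check, @interval)
    {:noreply, warn_ratio}
  end
end
```

Add both modules to the application supervision tree; the monitor's threshold can be overridden with `warn_ratio:` in its start options.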



Advisories

Source       ID                    Title
Github GHSA  GHSA-q8x4-x7mp-5vg2   Plug.Cowboy vulnerable to unauthenticated remote DoS via HTTP/2 `:scheme` atom-table exhaustion
History

Tue, 26 May 2026 13:45:00 +0000

Type                 Values Removed  Values Added
First Time appeared  -               Elixir-plug plug.cowboy
CPEs                 -               cpe:2.3:a:elixir-plug:plug.cowboy:*:*:*:*:*:*:*:*
Vendors & Products   -               Elixir-plug plug.cowboy
Metrics              -               cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Mon, 27 Apr 2026 21:15:00 +0000

Type     Values Removed  Values Added
Metrics  -               ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 27 Apr 2026 14:15:00 +0000

Type                 Values Removed  Values Added
Description          -               (identical to the Description at the top of this page)
Title                -               Atom table exhaustion via HTTP/2 :scheme pseudo-header in plug_cowboy
First Time appeared  -               Elixir-plug; Elixir-plug plug Cowboy
Weaknesses           -               CWE-770
CPEs                 -               cpe:2.3:a:elixir-plug:plug_cowboy:*:*:*:*:*:*:*:*
Vendors & Products   -               Elixir-plug; Elixir-plug plug Cowboy
References           -               -
Metrics              -               cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-04-29T17:08:07.227Z

Reserved: 2026-03-13T09:12:14.475Z

Link: CVE-2026-32688

Vulnrichment

Updated: 2026-04-27T19:04:40.353Z

NVD

Status : Analyzed

Published: 2026-04-27T14:16:47.340

Modified: 2026-05-22T14:05:19.627

Link: CVE-2026-32688

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T04:30:21Z

Weaknesses