Description
Allocation of Resources Without Limits or Throttling vulnerability in phoenixframework phoenix allows a denial of service via the long-poll transport's NDJSON body handling.

In 'Elixir.Phoenix.Transports.LongPoll':publish/4, when a POST request is received with Content-Type: application/x-ndjson, the request body is split on newline characters using String.split/2 with no limit on the number of resulting segments. An attacker can send a body consisting entirely of newline bytes, causing a 1:1 amplification into a list of empty binaries — a 1 MB body produces approximately one million list elements, an 8 MB body approximately 8.4 million. Each element is then walked by Enum.map, materializing another list of the same size. This exhausts BEAM memory and schedulers, crashing the node and terminating all active sessions.

A session token required to reach the vulnerable endpoint is freely obtainable by any client via an unauthenticated GET request to the same URL with a matching Origin header, making this attack effectively unauthenticated.

This issue affects phoenix: from 1.7.0 before 1.7.22 and 1.8.6.
Published: 2026-05-05
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Phoenix's long-poll transport splits an NDJSON request body on newline characters with no limit on the number of segments, so a body made only of newline bytes becomes a list with one empty binary per byte: about one million elements for a 1 MB body, and a second list of the same size once Enum.map walks it. This exhausts BEAM memory and saturates the schedulers, crashing the node and dropping every active session. The weakness is classified as CWE-770 (Allocation of Resources Without Limits or Throttling). The denial of service is effectively unauthenticated: the session token the endpoint requires is issued to any client that sends an unauthenticated GET to the same URL with a matching Origin header.
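The split described in the Description and in the Impact paragraph above, as an added illustration written for this page (not Phoenix's own source and not the upstream fix): the unbounded pattern next to a bounded variant that caps the number of segments with the :parts option of String.split/3 and rejects bodies that would overflow the cap. The module name, function names and the 1_000 frame limit are assumptions.

```elixir
# Added example for CVE-2026-32689. Not Phoenix code; the module, function
# names and @max_frames are assumptions made for this illustration.
defmodule LongPollNdjsonExample do
  @max_frames 1_000

  # Vulnerable shape from the advisory: String.split/2 has no segment limit,
  # so a body of N newline bytes becomes N + 1 empty binaries, and Enum.map
  # materializes a second list of the same length before anything is rejected.
  def split_unbounded(body) when is_binary(body) do
    body
    |> String.split("\n")
    |> Enum.map(fn
      "" -> nil
      line -> {:text, line}
    end)
    |> Enum.reject(&is_nil/1)
  end

  # Bounded variant: `parts: max_frames` yields at most max_frames elements,
  # the last one holding the unsplit remainder, so the list length is fixed
  # regardless of body size. If the remainder still contains a newline the
  # client sent more frames than allowed and the batch is refused outright.
  def split_bounded(body, max_frames \\ @max_frames)
      when is_binary(body) and max_frames >= 1 do
    parts = String.split(body, "\n", parts: max_frames)

    if String.contains?(List.last(parts), "\n") do
      {:error, :too_many_frames}
    else
      {:ok, for(seg <- parts, seg != "", do: {:text, seg})}
    end
  end

  # Amplification the advisory describes: one list element per newline byte.
  # amplification(1_000_000) builds a list of 1_000_001 empty binaries.
  def amplification(body_bytes) when is_integer(body_bytes) and body_bytes >= 0 do
    body = :binary.copy("\n", body_bytes)
    length(String.split(body, "\n"))
  end
end

# Constructed inputs: a normal two-frame batch and a newline-only flood.
IO.inspect(LongPollNdjsonExample.split_bounded("{\"a\":1}\n{\"b\":2}\n", 10))
# => {:ok, [text: "{\"a\":1}", text: "{\"b\":2}"]}

IO.inspect(LongPollNdjsonExample.split_bounded(:binary.copy("\n", 1_000_000)))
# => {:error, :too_many_frames}, with only 1_000 list elements ever built
```

Save as a .exs file and run it with `elixir`. The bounded version still reads the whole body into memory (that is governed by the body-size limit of the HTTP layer, not by the splitter); what it removes is the per-newline allocation that turns a cheap request into millions of list cells.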

Affected Systems

The vulnerability affects the Phoenix Framework. The CVE record gives the affected range as 1.7.0 up to but not including 1.7.22, so 1.7.22 is the fixed release on the 1.7 line. The record's wording for the 1.8 line ("and 1.8.6") does not say whether 1.8.6 is an affected version or the fixed one; confirm the status of 1.8.x against the vendor advisory before relying on a particular release.

Risk and Exploitability

With a CVSS 4.0 base score of 8.7 the flaw is rated High. No EPSS score is available, but the attack path is trivial to reproduce: an unauthenticated GET to the long-poll URL with a matching Origin header yields a session token, and a POST to the same URL with Content-Type: application/x-ndjson and a body made of newline bytes then triggers the allocation. The flaw is not listed in CISA's KEV catalog. Any client that can reach the endpoint over the network can crash the node and terminate every active session on it; in a multi-node deployment each reachable node can be crashed the same way, so load balancing alone does not remove the exposure.

Generated by OpenCVE AI on May 5, 2026 at 17:52 UTC.

Remediation

Vendor Workaround

Disable the longpoll transport on all Phoenix.Socket declarations, including the LiveView /live socket, by removing or setting longpoll: false. Note that this prevents clients that cannot use WebSockets from connecting.


OpenCVE Recommended Actions

  • Upgrade Phoenix to a fixed release: 1.7.22 or later on the 1.7 line. For the 1.8 line the record's wording ("and 1.8.6") is ambiguous about whether 1.8.6 is affected or fixed, so check the vendor advisory for the fixed 1.8.x version.
  • If an upgrade is not immediately feasible, disable the long-poll transport by setting longpoll: false on all Phoenix.Socket declarations, including LiveView's /live socket; note that this blocks clients that cannot use WebSocket.
  • If neither upgrade nor disabling the transport is viable, bound the request body size that reaches the long-poll POST path at a reverse proxy or load balancer and rate-limit that path. The amplification is one list element per newline byte, so the damage scales with the largest body the handler is allowed to read; a small body limit reduces the exposure but does not remove it.
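An endpoint with the vendor workaround applied, covering both the Vendor Workaround note and the second recommended action above, as an added example written for this page. MyAppWeb, :my_app, MyAppWeb.UserSocket and the session options are placeholders, not code from the Phoenix project; the Phoenix socket macro's longpoll: false option itself is real.

```elixir
# Added example for CVE-2026-32689: every socket the endpoint declares has the
# long-poll transport switched off. Module and app names are placeholders.
defmodule MyAppWeb.Endpoint do
  use Phoenix.Endpoint, otp_app: :my_app

  # Placeholder session options; the signing salt is a dummy value for the
  # example and must be replaced in a real application.
  @session_options [
    store: :cookie,
    key: "_my_app_key",
    signing_salt: "replace-me",
    same_site: "Lax"
  ]

  # Before: `longpoll: [connect_info: [session: @session_options]]` (the
  # generator default) or `longpoll: true` mounts the /live/longpoll routes,
  # including the NDJSON POST handler. After: `longpoll: false` does not mount
  # them at all, so only WebSocket clients can connect to LiveView.
  socket "/live", Phoenix.LiveView.Socket,
    websocket: [connect_info: [session: @session_options]],
    longpoll: false

  # Same change for every application-defined socket.
  socket "/socket", MyAppWeb.UserSocket,
    websocket: true,
    longpoll: false

  plug Plug.Session, @session_options
  plug MyAppWeb.Router
end
```

After deploying, an unauthenticated GET to /live/longpoll (and to /socket/longpoll) should no longer answer with the long-poll handshake; it falls through to the rest of the endpoint, normally ending in the router's 404. Clients that cannot open a WebSocket (some corporate proxies, very old browsers) lose connectivity, which is the trade-off the vendor note describes.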



Advisories

No advisories yet.

History

Tue, 05 May 2026 16:15:00 +0000

Type / Values Removed / Values Added (no values removed; this is the first record)

  • Description: added (identical to the Description at the top of this page)
  • Title: added "Long-poll NDJSON body splitting causes unbounded memory allocation in Phoenix"
  • First Time appeared: Phoenixframework; Phoenixframework phoenix
  • Weaknesses: CWE-770
  • CPEs: cpe:2.3:a:phoenixframework:phoenix:*:*:*:*:*:*:*:*
  • Vendors & Products: Phoenixframework; Phoenixframework phoenix
  • References: (none recorded)
  • Metrics: cvssV4_0, score 8.7, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-05-05T15:41:35.502Z

Reserved: 2026-03-13T09:12:14.475Z

Link: CVE-2026-32689

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-05-05T16:16:11.397

Modified: 2026-05-05T19:37:28.367

Link: CVE-2026-32689

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T18:30:29Z

Weaknesses