Description
Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion.

The chunked clause of 'Elixir.Bandit.HTTP1.Socket':read_data/2 in lib/bandit/http1/socket.ex ignores the caller-supplied :length option when reading HTTP/1 chunked request bodies. Instead of capping the accumulated body at the configured limit (e.g. Plug.Parsers' default 8 MB), do_read_chunked_data!/5 buffers every received chunk into an iolist unconditionally and materializes the entire body as a single binary. The function always returns {:ok, body, ...}, so callers cannot interpose a 413 response.

Because Plug.Parsers runs before routing and authentication in the standard Phoenix endpoint, an unauthenticated attacker needs no valid route or credentials. Sending a single Transfer-Encoding: chunked POST request with an arbitrarily large body to any path causes the BEAM process to exhaust available memory and be terminated by the OS OOM killer.

The content-length path in the same function correctly enforces the limit and is not affected.

This issue affects bandit: from 1.4.0 before 1.11.1.
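The defensive shape the advisory describes (cap the accumulated chunked body at the caller's :length and return a non-:ok result so the caller can answer 413) is illustrated below with an added example. This is hypothetical code written for this page, not Bandit's implementation or a patch for it: the module name CappedChunkedReader, the functions read_chunked/2, do_read/4, parse_chunk/1 and demo/0 and the sample body are all constructed here. It decodes chunks from an in-memory binary rather than a socket and ignores trailers, and it mirrors the {:ok, body, rest} / {:more, partial, rest} return convention of Plug.Conn.read_body/2, since Plug.Parsers treats a {:more, ...} result as a request that exceeded its limit.

```elixir
defmodule CappedChunkedReader do
  # Hypothetical illustration, not Bandit's code: decode an HTTP/1
  # Transfer-Encoding: chunked body from an in-memory binary while honouring a
  # caller-supplied :length cap, the check the advisory says the content-length
  # path already performs and the chunked path lacked.
  #
  # Return values follow Plug.Conn.read_body/2:
  #   {:ok, body, rest}      terminating zero-size chunk seen within the cap
  #   {:more, partial, rest} cap reached (or input exhausted) before the end;
  #                          Plug.Parsers turns :more into a 413
  #   {:error, reason}       malformed chunk-size line

  # Same order of magnitude as Plug.Parsers' default :length (8 MB).
  @default_length 8_000_000

  def read_chunked(data, opts \\ []) when is_binary(data) do
    max = Keyword.get(opts, :length, @default_length)
    do_read(data, [], 0, max)
  end

  defp do_read(data, acc, size, max) do
    case parse_chunk(data) do
      # A zero-size chunk terminates the body (trailers are not handled here).
      {:ok, "", rest} ->
        {:ok, finish(acc), rest}

      {:ok, chunk, rest} ->
        new_size = size + byte_size(chunk)

        if new_size > max do
          # Stop accumulating: hand back what fits plus the unread input so the
          # caller can reject the request instead of materialising the whole body.
          {:more, finish(acc), data}
        else
          do_read(rest, [chunk | acc], new_size, max)
        end

      :incomplete ->
        # Not enough bytes for a complete chunk; a socket reader would recv more.
        {:more, finish(acc), data}

      {:error, reason} ->
        {:error, reason}
    end
  end

  defp finish(acc), do: acc |> Enum.reverse() |> IO.iodata_to_binary()

  # One chunk is "<hex size>[;extensions]\r\n<size bytes>\r\n".
  defp parse_chunk(data) do
    case :binary.split(data, "\r\n") do
      [size_line, rest] ->
        [size_hex | _extensions] = String.split(size_line, ";")

        case Integer.parse(String.trim(size_hex), 16) do
          {size, ""} when size >= 0 ->
            case rest do
              <<chunk::binary-size(size), "\r\n", tail::binary>> -> {:ok, chunk, tail}
              _ -> :incomplete
            end

          _ ->
            {:error, :bad_chunk_size}
        end

      [_] ->
        :incomplete
    end
  end

  # Constructed sample input: two 5-byte chunks then the terminating chunk.
  def demo do
    body = "5\r\nhello\r\n5\r\nworld\r\n0\r\n\r\n"

    # Within the default cap the whole body is returned.
    {:ok, "helloworld", ""} = read_chunked(body)

    # With a 6-byte cap the second chunk would push the total to 10 bytes, so
    # accumulation stops after the first chunk and the caller sees :more.
    {:more, "hello", _unread} = read_chunked(body, length: 6)

    :ok
  end
end
```

Running CappedChunkedReader.demo/0 in iex returns :ok. The point of the second call is the one the advisory makes: the cap is checked before each chunk is appended, so memory growth is bounded by :length rather than by whatever the client chooses to send.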
Published: 2026-05-13
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in Bandit’s HTTP/1 chunked body reader where it ignores the caller-supplied maximum length when processing Transfer-Encoding: chunked requests. As a result, each received chunk is buffered into an iolist and later materialized as a single binary, regardless of any limit set by callers such as Plug.Parsers. Consequently, a request exceeding the configured bound always results in a full in-memory copy, which can exhaust the BEAM process’s memory and trigger the operating system OOM killer, denying service to the application. The flaw is a classic example of Allocation of Resources Without Limits (CWE-770).

Affected Systems

The affected product is Bandit by mtrudel, version range 1.4.0 through 1.11.0 inclusive. Any application that uses Bandit as an HTTP server – for example typical Phoenix endpoints – is vulnerable because the bug resides in the core HTTP socket handling code and is exercised before routing or authentication.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity denial of service risk. EPSS data is not available, but the lack of authentication or routing prerequisites means an attacker can trigger the issue by sending a simple chunked POST to any path. The vulnerability is not listed in the CISA KEV catalog, yet the memory exhaustion mechanism can still cause system-wide outage. Attackers can abuse this flaw by sending a large, chunked body that forces the BEAM process to allocate an ever-growing buffer, leading to an OOM condition that terminates the process.

Generated by OpenCVE AI on May 13, 2026 at 16:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Bandit to version 1.11.1 or later, which implements proper length checking on chunked bodies.
  • If an upgrade is not immediately possible, deploy a reverse proxy (e.g., Nginx or HAProxy) in front of Bandit and configure it to enforce a maximum request body size or to reject requests with Transfer-Encoding: chunked exceeding a safe limit, thereby preventing large bodies from reaching the application.
  • Monitor BEAM process memory usage and configure system OOM killer thresholds or memory limits, and implement alerts for sudden spikes, to contain potential DoS impacts while remediation is pending.



Advisories

No advisories yet.

History

Wed, 13 May 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 13 May 2026 14:15:00 +0000

Type | Values Removed | Values Added
Description | | Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion. The chunked clause of 'Elixir.Bandit.HTTP1.Socket':read_data/2 in lib/bandit/http1/socket.ex ignores the caller-supplied :length option when reading HTTP/1 chunked request bodies. Instead of capping the accumulated body at the configured limit (e.g. Plug.Parsers' default 8 MB), do_read_chunked_data!/5 buffers every received chunk into an iolist unconditionally and materializes the entire body as a single binary. The function always returns {:ok, body, ...}, so callers cannot interpose a 413 response. Because Plug.Parsers runs before routing and authentication in the standard Phoenix endpoint, an unauthenticated attacker needs no valid route or credentials. Sending a single Transfer-Encoding: chunked POST request with an arbitrarily large body to any path causes the BEAM process to exhaust available memory and be terminated by the OS OOM killer. The content-length path in the same function correctly enforces the limit and is not affected. This issue affects bandit: from 1.4.0 before 1.11.1.
Title | | HTTP/1 chunked body reader ignores length cap in bandit
First Time appeared | | Mtrudel; Mtrudel bandit
Weaknesses | | CWE-770
CPEs | | cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*
Vendors & Products | | Mtrudel; Mtrudel bandit
References | |
Metrics | | cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-05-13T18:27:30.095Z

Reserved: 2026-04-07T12:28:54.916Z

Link: CVE-2026-39803

Vulnrichment

Updated: 2026-05-13T14:41:29.954Z

NVD

Status : Awaiting Analysis

Published: 2026-05-13T14:17:32.633

Modified: 2026-05-13T16:16:41.540

Link: CVE-2026-39803

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T16:45:44Z

Weaknesses