Description
Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in mtrudel bandit allows unauthenticated remote denial of service via worker process exhaustion.

'Elixir.Bandit.HTTP1.Socket':do_read_chunked_data!/5 in lib/bandit/http1/socket.ex terminates only when the last-chunk line 0\r\n is followed immediately by the empty trailer line \r\n. RFC 9112 §7.1.2 permits zero or more trailer fields between them. When trailers are present, none of the match clauses fit: the catch-all arm computes a negative to_read, calls read_available!/2, receives <<>> on timeout, and tail-recurses with unchanged state. The worker process is pinned for the lifetime of the TCP connection.

A handful of concurrent connections sending RFC-conformant chunked requests with trailer fields is sufficient to exhaust the Bandit worker pool and render the server unresponsive to all further traffic. No authentication, special headers, or large payload is required. Proxies such as NGINX and HAProxy legitimately forward trailer-bearing requests, so servers behind such proxies may be affected without any malicious client involvement.

This issue affects bandit: from 1.6.1 before 1.11.1.
Published: 2026-05-13
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Bandit HTTP/1 chunked decoder contains an infinite loop that is triggered when a request contains HTTP trailer fields. The decoder expects the last chunk indicator line to be directly followed by an empty trailer line, but RFC 9112 allows trailer fields in between. When such trailers are present, the decoding logic falls into a catch-all clause that keeps looping without consuming input, causing the worker process to remain pinned for the life of the TCP connection. An attacker or any client that sends properly formatted chunked requests with trailers, even without authentication or special headers, can exhaust the Bandit worker pool and prevent the server from handling further traffic, resulting in a denial-of-service.
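The grammar that the Description and the Impact paragraph above say the decoder mishandled, as an added example that is not Bandit's code: a small Python decoder for RFC 9112 chunked bodies that accepts zero or more trailer fields between the last chunk and the closing empty line, consumes input on every pass of its loop, and treats an empty read as an error rather than a reason to retry. The sample messages, the fake recv() helper, the 8 KiB trailer limit and the 1 MiB body limit are constructed for this example and are not taken from the advisory.

```python
"""Chunked-body decoder that accepts RFC 9112 section 7.1.2 trailer fields.

Added example, not Bandit's code. It implements the grammar
    chunked-body    = *chunk last-chunk trailer-section CRLF
    trailer-section = *( field-line CRLF )
and is built so that every loop pass either consumes bytes or raises;
it never re-enters with unchanged state.
"""
import re

CRLF = b"\r\n"
_CHUNK_SIZE = re.compile(rb"[0-9A-Fa-f]{1,16}")   # bounded, unsigned hex


class ChunkedError(ValueError):
    """Malformed chunked encoding; the request should be rejected."""


class NeedMoreData(Exception):
    """Buffer ends mid-message; read more bytes and decode again."""


def _readline(buf: bytes, pos: int):
    """Return (line without CRLF, position just after the CRLF)."""
    end = buf.find(CRLF, pos)
    if end < 0:
        raise NeedMoreData
    return buf[pos:end], end + 2


def _parse_chunk_size(line: bytes) -> int:
    size_str = line.split(b";", 1)[0].strip()     # chunk-ext is ignored
    if not _CHUNK_SIZE.fullmatch(size_str):       # rejects "-1", "", junk
        raise ChunkedError(f"bad chunk-size line: {line!r}")
    return int(size_str, 16)


def _read_trailers(buf: bytes, pos: int, limit: int):
    """Parse zero or more trailer field-lines, then the empty line."""
    trailers, start = [], pos
    while True:
        line, pos = _readline(buf, pos)
        if line == b"":                           # empty line ends the section
            return trailers, pos
        if pos - start > limit:
            raise ChunkedError("trailer section too large")
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise ChunkedError(f"bad trailer field: {line!r}")
        trailers.append((name.strip().lower(), value.strip()))


def decode_chunked(buf: bytes, max_trailer_bytes: int = 8192):
    """Decode one complete chunked body from buf.

    Returns (body, trailers, bytes_consumed). Raises NeedMoreData if buf is
    incomplete and ChunkedError if it is malformed. max_trailer_bytes is a
    constructed limit, not something the advisory specifies.
    """
    body, pos = bytearray(), 0
    while True:
        before = pos
        line, pos = _readline(buf, pos)
        size = _parse_chunk_size(line)
        if size == 0:                             # last-chunk; trailers may follow
            trailers, pos = _read_trailers(buf, pos, max_trailer_bytes)
            return bytes(body), trailers, pos
        end = pos + size
        if len(buf) < end + 2:
            raise NeedMoreData
        if buf[end:end + 2] != CRLF:
            raise ChunkedError("chunk data not terminated by CRLF")
        body += buf[pos:end]
        pos = end + 2
        assert pos > before, "decoder must consume input on every pass"


def read_body(recv, max_body_bytes: int = 1 << 20):
    """Drive decode_chunked over a recv(n) callable such as socket.recv."""
    buf = b""
    while True:
        try:
            return decode_chunked(buf)
        except NeedMoreData:
            data = recv(4096)
            if not data:      # peer closed, or the read API returned empty on timeout
                raise ChunkedError("connection closed or timed out mid-body")
            buf += data
            if len(buf) > max_body_bytes:         # constructed limit
                raise ChunkedError("chunked body exceeds limit")


def make_recv(fragments):
    """Constructed stand-in for socket.recv: hands out fragments, then b''."""
    it = iter(fragments)
    return lambda n: next(it, b"")


# Constructed sample messages: one without trailers, one with two trailer fields.
PLAIN = b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"
WITH_TRAILERS = (b"4\r\nWiki\r\n0\r\n"
                 b"Expires: Wed, 21 Oct 2015 07:28:00 GMT\r\n"
                 b"X-Checksum: abc\r\n\r\n")

if __name__ == "__main__":
    print(decode_chunked(PLAIN))
    print(decode_chunked(WITH_TRAILERS))
    print(read_body(make_recv([WITH_TRAILERS[:7], WITH_TRAILERS[7:]])))
```

The two properties worth carrying into any decoder review are visible in the loop: the position must strictly advance on each pass (the `assert` documents the invariant the advisory says was violated), and a zero-length read is a terminal condition, so a client that stops sending mid-trailer costs the server one failed request rather than a pinned worker.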

Affected Systems

The vulnerability affects the Bandit HTTP server developed by mtrudel. It is present in versions ranging from 1.6.1 up to, but not including, 1.11.1. Any installations of these versions are susceptible, regardless of the surrounding infrastructure.

Risk and Exploitability

With a CVSS score of 8.7, this issue is classified as high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploiting the flaw does not require authentication and can be carried out remotely via normal HTTP traffic; proxies such as NGINX and HAProxy that forward trailer-bearing requests may inadvertently expose backends to the attack.

Generated by OpenCVE AI on May 13, 2026 at 15:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Bandit to version 1.11.1 or later to apply the fixed decoder logic.
  • If an upgrade cannot be performed immediately, configure upstream proxies or load balancers to strip or reject HTTP trailer fields before forwarding requests to Bandit.
  • Continuously monitor worker pool utilization and implement rate limiting or service restarts when signs of exhaustion appear.


Advisories
Source: GitHub GHSA
ID: GHSA-rf5q-vwxw-gmrf
Title: Bandit: Unauthenticated DoS via chunked request trailers in Bandit HTTP/1 decoder
History

Wed, 13 May 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 13 May 2026 14:15:00 +0000

Type | Values Removed | Values Added
Description | | Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in mtrudel bandit allows unauthenticated remote denial of service via worker process exhaustion. 'Elixir.Bandit.HTTP1.Socket':do_read_chunked_data!/5 in lib/bandit/http1/socket.ex terminates only when the last-chunk line 0\r\n is followed immediately by the empty trailer line \r\n. RFC 9112 §7.1.2 permits zero or more trailer fields between them. When trailers are present, none of the match clauses fit: the catch-all arm computes a negative to_read, calls read_available!/2, receives <<>> on timeout, and tail-recurses with unchanged state. The worker process is pinned for the lifetime of the TCP connection. A handful of concurrent connections sending RFC-conformant chunked requests with trailer fields is sufficient to exhaust the Bandit worker pool and render the server unresponsive to all further traffic. No authentication, special headers, or large payload is required. Proxies such as NGINX and HAProxy legitimately forward trailer-bearing requests, so servers behind such proxies may be affected without any malicious client involvement. This issue affects bandit: from 1.6.1 before 1.11.1.
Title | | HTTP/1 chunked decoder infinite loop on requests with trailer fields in bandit
First Time appeared | | Mtrudel; Mtrudel bandit
Weaknesses | | CWE-835
CPEs | | cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*
Vendors & Products | | Mtrudel; Mtrudel bandit
References | |
Metrics | | cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-05-13T18:27:37.964Z

Reserved: 2026-04-07T12:28:54.916Z

Link: CVE-2026-39806

Vulnrichment

Updated: 2026-05-13T14:35:57.553Z

NVD

Status : Awaiting Analysis

Published: 2026-05-13T14:17:35.700

Modified: 2026-05-13T16:16:41.917

Link: CVE-2026-39806

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T18:30:46Z

Weaknesses