Description
Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint mint (Mint.HTTP1 module) allows a denial of service via an oversized chunked transfer-encoded response.

This vulnerability is associated with program files lib/mint/http1.ex and program routines 'Elixir.Mint.HTTP1':decode_body/5, 'Elixir.Mint.HTTP1':add_body_to_buffer/2.

When Mint decodes a chunked HTTP response body, it accumulates each partial fragment of the current chunk in the connection's data_buffer (an unbounded iolist) via add_body_to_buffer/2 and does not emit the data to the caller until the full declared chunk length has been received. The chunk size is taken directly from the server and parsed with no upper bound, so a malicious or compromised server can announce one enormous chunk (for example a size line of 7FFFFFFF, about 2 GiB) and then send the body bytes slowly without ever completing the chunk. The client buffers every received byte while it waits for a completion that never arrives, and because no data responses are produced until the chunk finishes, a caller that otherwise streams large content-length bodies safely gains no protection. An unauthenticated remote server (reachable whenever a client follows redirects, fetches user-supplied URLs, or processes webhooks) can drive the client's memory arbitrarily high and trigger an out-of-memory condition.

This issue affects mint: from 0.5.0 before 1.9.1.
Published: 2026-07-06
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from the Mint HTTP client’s unbounded buffering of chunked transfer‑encoded responses. When a server advertises an enormous chunk size, the client stores each byte in an infinite iolist until the declared chunk completes, which may never happen if the server sends data slowly. This behavior can cause any application that uses Mint to consume excessive memory, eventually triggering an out‑of‑memory condition and a denial of service. The weakness is an open‑ended resource allocation flaw (CWE‑770).

Affected Systems

Elixir library Mint, version 0.5.0 up to but not including 1.9.1, used in projects that rely on Mint.HTTP1 for handling HTTP/1.1 responses. Any application that downloads content, follows redirects, or processes webhooks when this library is in the dependency tree is potentially affected.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity, and while the EPSS score is not reported, the lack of an early KEV listing does not diminish the risk: a malicious or compromised remote server can trigger the flaw by issuing a truncated oversized chunk. Because no authentication or privileged access is required and the vector is remote, the potential for widespread exploitation remains significant. Monitoring for abnormal memory consumption and applying the mitigation steps described below are critical.

Generated by OpenCVE AI on July 7, 2026 at 05:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Mint 1.9.1 or newer, which includes a guard against unbounded chunk sizes.
  • If an upgrade is not immediately feasible, modify the application to reject or cap chunk sizes exceeding a safe threshold, or switch to an alternative HTTP client that limits buffer growth.
  • Implement runtime memory usage monitoring and set alerts to detect sudden memory spikes that may indicate exploitation of this flaw.

Generated by OpenCVE AI on July 7, 2026 at 05:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 06 Jul 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 06 Jul 2026 10:30:00 +0000

Type Values Removed Values Added
Description Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint mint (Mint.HTTP1 module) allows a denial of service via an oversized chunked transfer-encoded response. This vulnerability is associated with program files lib/mint/http1.ex and program routines 'Elixir.Mint.HTTP1':decode_body/5, 'Elixir.Mint.HTTP1':add_body_to_buffer/2. When Mint decodes a chunked HTTP response body, it accumulates each partial fragment of the current chunk in the connection's data_buffer (an unbounded iolist) via add_body_to_buffer/2 and does not emit the data to the caller until the full declared chunk length has been received. The chunk size is taken directly from the server and parsed with no upper bound, so a malicious or compromised server can announce one enormous chunk (for example a size line of 7FFFFFFF, about 2 GiB) and then send the body bytes slowly without ever completing the chunk. The client buffers every received byte while it waits for a completion that never arrives, and because no data responses are produced until the chunk finishes, a caller that otherwise streams large content-length bodies safely gains no protection. An unauthenticated remote server (reachable whenever a client follows redirects, fetches user-supplied URLs, or processes webhooks) can drive the client's memory arbitrarily high and trigger an out-of-memory condition. This issue affects mint: from 0.5.0 before 1.9.1.
Title mint buffers an entire chunked response chunk in memory in Mint.HTTP1.decode_body/5
First Time appeared Elixir-mint
Elixir-mint mint
Weaknesses CWE-770
CPEs cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:*
Vendors & Products Elixir-mint
Elixir-mint mint
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Elixir-mint Mint
cve-icon MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-07-07T04:32:36.390Z

Reserved: 2026-06-23T12:29:02.507Z

Link: CVE-2026-56810

cve-icon Vulnrichment

Updated: 2026-07-06T15:52:34.290Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-07T06:00:13Z

Weaknesses
  • CWE-770

    Allocation of Resources Without Limits or Throttling