Impact
The vulnerability arises from the Mint HTTP client’s unbounded buffering of chunked transfer‑encoded responses. When a server advertises an enormous chunk size, the client stores each byte in an infinite iolist until the declared chunk completes, which may never happen if the server sends data slowly. This behavior can cause any application that uses Mint to consume excessive memory, eventually triggering an out‑of‑memory condition and a denial of service. The weakness is an open‑ended resource allocation flaw (CWE‑770).
Affected Systems
Elixir library Mint, version 0.5.0 up to but not including 1.9.1, used in projects that rely on Mint.HTTP1 for handling HTTP/1.1 responses. Any application that downloads content, follows redirects, or processes webhooks when this library is in the dependency tree is potentially affected.
Risk and Exploitability
The CVSS score of 8.7 indicates high severity, and while the EPSS score is not reported, the lack of an early KEV listing does not diminish the risk: a malicious or compromised remote server can trigger the flaw by issuing a truncated oversized chunk. Because no authentication or privileged access is required and the vector is remote, the potential for widespread exploitation remains significant. Monitoring for abnormal memory consumption and applying the mitigation steps described below are critical.
OpenCVE Enrichment