Description
Allocation of Resources Without Limits or Throttling vulnerability in ninenines cowboy allows denial of service via unbounded buffer accumulation in multipart header parsing.

cowboy_req:read_part/3 in src/cowboy_req.erl accumulates incoming request bytes into a Buffer binary with no upper-bound check. When cow_multipart:parse_headers/2 returns more or {more, Buffer2}, the function reads up to Length bytes (default 64 KB) from the request body and recurses with the enlarged buffer. There is no equivalent of the byte_size(Acc) > Length guard present in the sibling function read_part_body/4. An unauthenticated attacker can send a multipart/form-data request whose body never yields a complete header section — for example, a body that never contains the advertised boundary delimiter, or one whose header lines never contain \r\n\r\n — and force the server process to accumulate memory linearly with the bytes the protocol layer is willing to deliver. A handful of concurrent such uploads is sufficient to exhaust BEAM memory.

This issue affects cowboy from 2.0.0 before 2.15.0.
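The read loop described above, as an added illustration that is not cowboy's source: a simplified accumulate-and-recurse loop without any size check beside the same loop with the byte_size(Acc) > Length guard the description says read_part_body/4 already has. parse_headers/1 here stands in for cow_multipart:parse_headers/2 and the request body is modelled as a list of chunks; both are assumptions made for the example.

```erlang
%% Illustrative model of the multipart header read loop; not cowboy's
%% source. parse_headers/1 stands in for cow_multipart:parse_headers/2
%% and the body is modelled as a list of chunks (assumptions).
-module(multipart_guard).
-export([read_headers_unbounded/1, read_headers_bounded/2]).

%% Headers are complete once the blank-line terminator appears;
%% until then the parser asks for more input.
parse_headers(Buffer) ->
    case binary:match(Buffer, <<"\r\n\r\n">>) of
        nomatch  -> {more, Buffer};
        {Pos, _} -> {ok, binary:part(Buffer, 0, Pos)}
    end.

next_chunk([Chunk | Rest]) -> {Chunk, Rest};
next_chunk([])             -> eof.

%% Vulnerable shape: the buffer grows with every chunk and nothing
%% checks its size, so a body lacking "\r\n\r\n" is accumulated in full.
read_headers_unbounded(Body) ->
    unbounded(Body, <<>>).

unbounded(Body, Acc) ->
    case parse_headers(Acc) of
        {ok, Headers} -> {ok, Headers};
        {more, Buffer} ->
            case next_chunk(Body) of
                {Data, Rest} -> unbounded(Rest, <<Buffer/binary, Data/binary>>);
                eof          -> {error, {incomplete_headers, byte_size(Buffer)}}
            end
    end.

%% Hardened shape: the same byte_size(Acc) > Length guard that the
%% description says the sibling read_part_body/4 already applies.
read_headers_bounded(Body, Length) ->
    bounded(Body, <<>>, Length).

bounded(_Body, Acc, Length) when byte_size(Acc) > Length ->
    {error, {headers_too_large, byte_size(Acc)}};
bounded(Body, Acc, Length) ->
    case parse_headers(Acc) of
        {ok, Headers} -> {ok, Headers};
        {more, Buffer} ->
            case next_chunk(Body) of
                {Data, Rest} -> bounded(Rest, <<Buffer/binary, Data/binary>>, Length);
                eof          -> {error, {incomplete_headers, byte_size(Buffer)}}
            end
    end.
```

Feeding both functions a body made of many header-like chunks that never contain the blank-line terminator shows the difference: read_headers_unbounded/1 holds the entire body in Acc before giving up, while read_headers_bounded/2 returns headers_too_large as soon as Acc exceeds Length.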
Published: 2026-05-13
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unbounded buffer accumulation during multipart header parsing in Cowboy. The function that reads multipart parts stores incoming bytes into an internal buffer with no size limit. As a result, a malicious request can cause the server process to consume memory linearly until the BEAM system's heap is exhausted, leading to denial of service. The flaw is classified as CWE-770.

Affected Systems

The affected product is the Cowboy web server from NineNines, versions from 2.0.0 up to, but not including, 2.15.0. These releases are vulnerable to memory exhaustion when handling malformed multipart/form-data requests.

Risk and Exploitability

The CVSS score of 8.2 classifies the issue as high severity, yet the EPSS score is not presently available and the vulnerability is not listed in CISA KEV. An unauthenticated attacker only needs the ability to contact the HTTP service and can send multipart/form-data requests that never provide the required boundary or terminating CRLF. The attacker can launch several concurrent uploads or send a very large malformed request to force the server to accumulate memory until it fails, effectively denying service. The exploit requires only network access to the server, no credentials, and is straightforward to execute with common HTTP clients.

Generated by OpenCVE AI on May 13, 2026 at 19:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Cowboy to 2.15.0 or later, which adds a size guard for multipart header parsing.
  • Configure request size limits at the application or reverse-proxy level, such as setting a maximum content length or using a proxy to reject requests larger than a safe threshold.
  • Apply rate-limiting or connection limits so that a single client cannot spawn many concurrent uploads, mitigating memory pressure.

Generated by OpenCVE AI on May 13, 2026 at 19:50 UTC.


Advisories
Source ID Title
Github GHSA GHSA-jfc2-q6qh-g5x8 Cowboy: Unbounded buffer accumulation in multipart header parsing causes denial of service in cowboy
History

Wed, 13 May 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 13 May 2026 18:30:00 +0000

Type Values Removed Values Added
Description Allocation of Resources Without Limits or Throttling vulnerability in ninenines cowboy allows denial of service via unbounded buffer accumulation in multipart header parsing. cowboy_req:read_part/3 in src/cowboy_req.erl accumulates incoming request bytes into a Buffer binary with no upper-bound check. When cow_multipart:parse_headers/2 returns more or {more, Buffer2}, the function reads up to Length bytes (default 64 KB) from the request body and recurses with the enlarged buffer. There is no equivalent of the byte_size(Acc) > Length guard present in the sibling function read_part_body/4. An unauthenticated attacker can send a multipart/form-data request whose body never yields a complete header section — for example, a body that never contains the advertised boundary delimiter, or one whose header lines never contain \r\n\r\n — and force the server process to accumulate memory linearly with the bytes the protocol layer is willing to deliver. A handful of concurrent such uploads is sufficient to exhaust BEAM memory. This issue affects cowboy from 2.0.0 before 2.15.0.
Title Unbounded buffer accumulation in multipart header parsing causes denial of service in cowboy
First Time appeared Ninenines
Ninenines cowboy
Weaknesses CWE-770
CPEs cpe:2.3:a:ninenines:cowboy:*:*:*:*:*:*:*:*
Vendors & Products Ninenines
Ninenines cowboy
References
Metrics cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-05-14T04:30:32.552Z

Reserved: 2026-05-13T11:44:39.149Z

Link: CVE-2026-8466

Vulnrichment

Updated: 2026-05-13T18:52:18.933Z

NVD

Status : Deferred

Published: 2026-05-13T19:17:30.540

Modified: 2026-05-14T17:07:07.030

Link: CVE-2026-8466

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T14:33:56Z

Weaknesses