Description
Allocation of Resources Without Limits or Throttling vulnerability in plug_project plug allows denial of service via unbounded buffer accumulation in multipart header parsing.

'Elixir.Plug.Conn':read_part_headers/2 in lib/plug/conn.ex does not obey its :length parameter. There is no upper bound on the size of the accumulated buffer. By contrast, the sibling function read_part_body has an explicit byte_size(acc) > length guard that stops accumulation once a limit is reached. No such guard exists in read_part_headers. An unauthenticated remote attacker can exhaust server memory by sending a crafted multipart/form-data request, causing a denial of service.

This issue affects plug from 1.4.0 before 1.15.4, 1.16.3, 1.17.1, 1.18.2, and 1.19.2.
Published: 2026-05-14
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Elixir.Plug.Conn.read_part_headers/2 ignores its :length parameter, allowing unbounded accumulation of multipart headers. Because no size limit is enforced, a crafted multipart/form-data request can fill the BEAM memory of the handling process until it crashes, resulting in denial of service. This is a classic case of Unbounded Resource Consumption (CWE‑770).

Affected Systems

The vulnerability is present in plug versions from 1.4.0 through 1.15.4, as well as 1.16.3, 1.17.1, 1.18.2, and 1.19.2. The affected software is the plug library (elixir‑plug:plug) used in Elixir applications.

Risk and Exploitability

The CVSS score of 8.2 indicates a high severity of impact. Although the EPSS score is not available, the ecological lack of exploitation data does not diminish the potential threat; an unauthenticated attacker can trigger the effect simply by sending a crafted multipart request. The CVE is not listed in the CISA KEV catalog, but the attack requires only network connectivity and imposes no authentication or privilege prerequisites.

Generated by OpenCVE AI on May 14, 2026 at 12:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade plug to the latest released version (e.g., 1.20.0 or newer) from Hex.
  • Configure BEAM memory limits (e.g., vm_procs, max_heap_size) to constrain the amount of RAM a process can consume during multipart parsing.
  • Limit concurrent multipart uploads at the application or reverse‑proxy level to reduce the number of processes that can accumulate memory at the same time.

Generated by OpenCVE AI on May 14, 2026 at 12:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-468c-vq7p-gh64 Plug: Unbounded buffer accumulation in multipart header parsing causes denial of service
History

Thu, 14 May 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Elixir-plug
Elixir-plug plug Cowboy
Vendors & Products Elixir-plug
Elixir-plug plug Cowboy

Thu, 14 May 2026 11:30:00 +0000

Type Values Removed Values Added
Description Allocation of Resources Without Limits or Throttling vulnerability in plug_project plug allows denial of service via unbounded buffer accumulation in multipart header parsing. plug_multipart in src/plug_multipart.erl is a fork of the cow_multipart module from ninenines cowboy (CVE-2026-8466). The same unbounded accumulation pattern is present in 'Elixir.Plug.Conn':read_part_headers/2 in lib/plug/conn.ex: it accumulates incoming request bytes into a growing binary with no upper-bound check. When plug_multipart:parse_headers/2 returns more or {more, Buffer}, the function reads up to 64 KB from the underlying socket and recurses with the enlarged buffer. There is no equivalent of the byte_size(acc) > length guard present in the sibling function read_part_body/8. An unauthenticated attacker can send a multipart/form-data request whose body never yields a complete header section — for example, a body that never contains the advertised boundary delimiter, or one whose header lines never contain \r\n\r\n — and force the server process to accumulate memory linearly with the bytes the protocol layer is willing to deliver. A handful of concurrent such uploads is sufficient to exhaust BEAM memory. This issue affects plug from 1.4.0 before 1.15.4, 1.16.3, 1.17.1, 1.18.2, and 1.19.2. Allocation of Resources Without Limits or Throttling vulnerability in plug_project plug allows denial of service via unbounded buffer accumulation in multipart header parsing. 'Elixir.Plug.Conn':read_part_headers/2 in lib/plug/conn.ex does not obey its :length parameter. There is no upper bound on the size of the accumulated buffer. By contrast, the sibling function read_part_body has an explicit byte_size(acc) > length guard that stops accumulation once a limit is reached. No such guard exists in read_part_headers. An unauthenticated remote attacker can exhaust server memory by sending a crafted multipart/form-data request, causing a denial of service. This issue affects plug from 1.4.0 before 1.15.4, 1.16.3, 1.17.1, 1.18.2, and 1.19.2.

Thu, 14 May 2026 10:45:00 +0000

Type Values Removed Values Added
Description Allocation of Resources Without Limits or Throttling vulnerability in plug_project plug allows denial of service via unbounded buffer accumulation in multipart header parsing. plug_multipart in src/plug_multipart.erl is a fork of the cow_multipart module from ninenines cowboy (CVE-2026-8466). The same unbounded accumulation pattern is present in 'Elixir.Plug.Conn':read_part_headers/2 in lib/plug/conn.ex: it accumulates incoming request bytes into a growing binary with no upper-bound check. When plug_multipart:parse_headers/2 returns more or {more, Buffer}, the function reads up to 64 KB from the underlying socket and recurses with the enlarged buffer. There is no equivalent of the byte_size(acc) > length guard present in the sibling function read_part_body/8. An unauthenticated attacker can send a multipart/form-data request whose body never yields a complete header section — for example, a body that never contains the advertised boundary delimiter, or one whose header lines never contain \r\n\r\n — and force the server process to accumulate memory linearly with the bytes the protocol layer is willing to deliver. A handful of concurrent such uploads is sufficient to exhaust BEAM memory. This issue affects plug from 1.4.0 before 1.15.4, 1.16.3, 1.17.1, 1.18.2, and 1.19.2.
Title Unbounded buffer accumulation in multipart header parsing causes denial of service in plug
First Time appeared Plug Project
Plug Project plug
Weaknesses CWE-770
CPEs cpe:2.3:a:plug_project:plug:*:*:*:*:*:*:*:*
Vendors & Products Plug Project
Plug Project plug
References
Metrics cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Elixir-plug Plug Cowboy
Plug Project Plug
cve-icon MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-05-27T15:41:29.241Z

Reserved: 2026-05-13T11:44:42.164Z

Link: CVE-2026-8468

cve-icon Vulnrichment

Updated: 2026-05-14T17:54:03.803Z

cve-icon NVD

Status : Deferred

Published: 2026-05-14T11:16:18.900

Modified: 2026-05-14T17:07:07.030

Link: CVE-2026-8468

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T14:32:47Z

Weaknesses