{"containers":{"cna":{"affected":[{"collectionURL":"https://repo.hex.pm","cpes":["cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:*"],"defaultStatus":"unaffected","modules":["'Elixir.Mint.HTTP1'"],"packageName":"mint","packageURL":"pkg:hex/mint","product":"mint","programFiles":["lib/mint/http1.ex"],"programRoutines":[{"name":"'Elixir.Mint.HTTP1':decode_body/5"},{"name":"'Elixir.Mint.HTTP1':add_body_to_buffer/2"}],"repo":"https://github.com/elixir-mint/mint","vendor":"elixir-mint","versions":[{"lessThan":"1.9.1","status":"affected","version":"0.5.0","versionType":"semver"}]},{"collectionURL":"https://github.com","cpes":["cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:*"],"defaultStatus":"unaffected","modules":["'Elixir.Mint.HTTP1'"],"packageName":"elixir-mint/mint","packageURL":"pkg:github/elixir-mint/mint","product":"mint","programFiles":["lib/mint/http1.ex"],"programRoutines":[{"name":"'Elixir.Mint.HTTP1':decode_body/5"},{"name":"'Elixir.Mint.HTTP1':add_body_to_buffer/2"}],"repo":"https://github.com/elixir-mint/mint","vendor":"elixir-mint","versions":[{"lessThan":"193ce714907d16e8adc4ab3c40e4f0c2f045b2a6","status":"affected","version":"c575d819d39ebf7e9b77ec24584a5ffbb11c844e","versionType":"git"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:*","versionEndExcluding":"1.9.1","versionStartIncluding":"0.5.0","vulnerable":true}],"negate":false,"operator":"OR"}],"operator":"AND"}],"credits":[{"lang":"en","type":"finder","value":"Peter Ullrich"},{"lang":"en","type":"remediation developer","value":"Andrea Leopardi"},{"lang":"en","type":"analyst","value":"Jonatan Männchen / EEF"},{"lang":"en","type":"analyst","value":"Eric Meadows-Jönsson"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint mint (<tt>Mint.HTTP1</tt> module) allows a denial of service via an oversized <tt>chunked</tt> transfer-encoded response.</p><p>This vulnerability is associated with program files <tt>lib/mint/http1.ex</tt> and program routines <tt>'Elixir.Mint.HTTP1':decode_body/5</tt>, <tt>'Elixir.Mint.HTTP1':add_body_to_buffer/2</tt>.</p><p>When Mint decodes a <tt>chunked</tt> HTTP response body, it accumulates each partial fragment of the current chunk in the connection's <tt>data_buffer</tt> (an unbounded iolist) via <tt>add_body_to_buffer/2</tt> and does not emit the data to the caller until the full declared chunk length has been received. The chunk size is taken directly from the server and parsed with no upper bound, so a malicious or compromised server can announce one enormous chunk (for example a size line of <tt>7FFFFFFF</tt>, about 2 GiB) and then send the body bytes slowly without ever completing the chunk. The client buffers every received byte while it waits for a completion that never arrives, and because no data responses are produced until the chunk finishes, a caller that otherwise streams large <tt>content-length</tt> bodies safely gains no protection. An unauthenticated remote server (reachable whenever a client follows redirects, fetches user-supplied URLs, or processes webhooks) can drive the client's memory arbitrarily high and trigger an out-of-memory condition.</p><p>This issue affects mint: from 0.5.0 before 1.9.1.</p>"}],"value":"Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint mint (Mint.HTTP1 module) allows a denial of service via an oversized chunked transfer-encoded response.\n\nThis vulnerability is associated with program files lib/mint/http1.ex and program routines 'Elixir.Mint.HTTP1':decode_body/5, 'Elixir.Mint.HTTP1':add_body_to_buffer/2.\n\nWhen Mint decodes a chunked HTTP response body, it accumulates each partial fragment of the current chunk in the connection's data_buffer (an unbounded iolist) via add_body_to_buffer/2 and does not emit the data to the caller until the full declared chunk length has been received. The chunk size is taken directly from the server and parsed with no upper bound, so a malicious or compromised server can announce one enormous chunk (for example a size line of 7FFFFFFF, about 2 GiB) and then send the body bytes slowly without ever completing the chunk. The client buffers every received byte while it waits for a completion that never arrives, and because no data responses are produced until the chunk finishes, a caller that otherwise streams large content-length bodies safely gains no protection. An unauthenticated remote server (reachable whenever a client follows redirects, fetches user-supplied URLs, or processes webhooks) can drive the client's memory arbitrarily high and trigger an out-of-memory condition.\n\nThis issue affects mint: from 0.5.0 before 1.9.1."}],"impacts":[{"capecId":"CAPEC-130","descriptions":[{"lang":"en","value":"CAPEC-130 Excessive Allocation"}]}],"metrics":[{"cvssV4_0":{"attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":8.7,"baseSeverity":"HIGH","privilegesRequired":"NONE","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-770","description":"CWE-770 Allocation of Resources Without Limits or Throttling","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-07-06T09:17:17.429Z","orgId":"6b3ad84c-e1a6-4bf7-a703-f496b71e49db","shortName":"EEF"},"references":[{"tags":["vendor-advisory","related"],"url":"https://github.com/elixir-mint/mint/security/advisories/GHSA-c59h-fq4p-r36r"},{"tags":["related"],"url":"https://cna.erlef.org/cves/CVE-2026-56810.html"},{"tags":["related"],"url":"https://osv.dev/vulnerability/EEF-CVE-2026-56810"},{"tags":["patch"],"url":"https://github.com/elixir-mint/mint/commit/193ce714907d16e8adc4ab3c40e4f0c2f045b2a6"}],"source":{"discovery":"EXTERNAL"},"title":"mint buffers an entire chunked response chunk in memory in Mint.HTTP1.decode_body/5","x_generator":{"engine":"cvelib 1.8.0"}}},"cveMetadata":{"assignerOrgId":"6b3ad84c-e1a6-4bf7-a703-f496b71e49db","assignerShortName":"EEF","cveId":"CVE-2026-56810","datePublished":"2026-07-06T09:17:17.429Z","dateReserved":"2026-06-23T12:29:02.507Z","dateUpdated":"2026-07-06T09:17:17.429Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"}