Weakness Type (CWE)

CWE-770 — CWE-770 Allocation of Resources Without Limits or Throttling

CAPEC

CVSS 4.0 Score

8.2

HIGH

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Vulnerability description

Allocation of Resources Without Limits or Throttling vulnerability in plug_project plug allows denial of service via unbounded buffer accumulation in multipart header parsing.

'Elixir.Plug.Conn':read_part_headers/2 in lib/plug/conn.ex does not obey its :length parameter. There is no upper bound on the size of the accumulated buffer. By contrast, the sibling function read_part_body has an explicit byte_size(acc) > length guard that stops accumulation once a limit is reached. No such guard exists in read_part_headers. An unauthenticated remote attacker can exhaust server memory by sending a crafted multipart/form-data request, causing a denial of service.

This issue affects plug from 1.4.0 before 1.15.4, 1.16.3, 1.17.1, 1.18.2, and 1.19.2.

Affected

pkg:hex/plug

Module Source File Routine
Elixir.Plug.Conn lib/plug/conn.ex Plug.Conn.read_part_headers/2
Status Type Version Changes / Fixed in
affected semver 1.4.0 < 1.15.4
affected semver 1.16.0 < 1.16.3
affected semver 1.17.0 < 1.17.1
affected semver 1.18.0 < 1.18.2
affected semver 1.19.0 < 1.19.2

pkg:github/elixir-plug/plug

Module Source File Routine
Elixir.Plug.Conn lib/plug/conn.ex Plug.Conn.read_part_headers/2
Status Type Version Changes / Fixed in
affected git c52b2f32c9

Configurations

The application must use Plug.Parsers with the :multipart parser, or otherwise call Plug.Conn.read_part_headers/2 to process multipart/form-data request bodies. Deployments that do not handle multipart uploads are not affected.

References

Credits

  • Finder: José Valim
  • Remediation developer: José Valim
  • Analyst: Jonatan Männchen / EEF

CVE record as JSON:  GET /cves/CVE-2026-8468.json
OSV record as JSON:  GET /osv/EEF-CVE-2026-8468.json