{"affected":[{"package":{"ecosystem":"Hex","name":"plug","purl":"pkg:hex/plug"},"ranges":[{"events":[{"introduced":"1.4.0"},{"fixed":"1.16.6"}],"type":"SEMVER"},{"events":[{"introduced":"1.17.0"},{"fixed":"1.17.4"}],"type":"SEMVER"},{"events":[{"introduced":"1.18.0"},{"fixed":"1.18.5"}],"type":"SEMVER"},{"events":[{"introduced":"1.19.0"},{"fixed":"1.19.5"}],"type":"SEMVER"},{"events":[{"introduced":"1.20.0"},{"fixed":"1.20.3"}],"type":"SEMVER"}],"versions":["1.4.0","1.4.1","1.4.2","1.4.3","1.4.4","1.4.5","1.5.0-rc.0","1.5.0-rc.1","1.5.0-rc.2","1.5.0","1.5.1","1.6.0","1.6.1","1.6.2","1.6.3","1.6.4","1.7.0","1.7.1","1.7.2","1.8.0","1.8.1","1.8.2","1.8.3","1.9.0","1.10.0","1.10.1","1.10.2","1.10.3","1.10.4","1.11.0","1.11.1","1.12.0","1.12.1","1.13.0","1.13.1","1.13.2","1.13.3","1.13.4","1.13.5","1.13.6","1.14.0","1.14.1","1.14.2","1.15.0","1.15.1","1.15.2","1.15.3","1.15.4","1.15.5","1.15.6","1.16.0","1.16.1","1.16.2","1.16.3","1.16.4","1.16.5","1.17.0","1.17.1","1.17.2","1.17.3","1.18.0","1.18.1","1.18.2","1.18.3","1.18.4","1.19.0","1.19.1","1.19.2","1.19.3","1.19.4","1.20.0","1.20.1","1.20.2"]},{"ranges":[{"events":[{"introduced":"c52b2f32c90bccd718202bafccb5f95594e30183"},{"fixed":"981597d3a4271ede64373c7a731702a42c500dd6"},{"fixed":"56edca2ce35fe5589cd581644d8a4493fa5f484e"},{"fixed":"0ee8afcc61466dc5f7a8f048d0632c899165b81f"},{"fixed":"cae36053350e5215a4e0ca33cd130af9c5fc6364"},{"fixed":"f7effaed811c00b5f5bf817936bfd9c5df27b7dc"},{"fixed":"df97d3f17f808a9916a7700a701fb85314559d56"}],"repo":"https://github.com/elixir-plug/plug","type":"GIT"}]}],"aliases":["GHSA-95qv-c9g9-rm63","CVE-2026-56814"],"credits":[{"name":"Peter Ullrich","type":"FINDER"},{"name":"Jonatan Männchen","type":"ANALYST"},{"name":"José Valim","type":"REMEDIATION_DEVELOPER"}],"database_specific":{"capec_ids":["CAPEC-130"],"cpe_ids":["cpe:2.3:a:elixir-plug:plug:*:*:*:*:*:*:*:*"],"cwe_ids":["CWE-770"]},"details":"## Summary\n\nPlug.Parsers.MULTIPART, the multipart request-body parser used to handle file uploads and multipart forms, does not enforce its :length budget against all consumed resources, allowing an unauthenticated remote attacker to cause denial of service. The parser charges the :length limit only for part body bytes; part header bytes are never counted, and a part with an empty body costs zero.\n\nBecause every part whose Content-Disposition carries a non-empty filename creates a fresh temporary file (via Plug.Upload) and retains a Plug.Upload struct for the duration of the request, an attacker can send a single request composed of many empty-body file parts. Such a request stays well under the configured :length limit (8,000,000 bytes by default) while creating one temporary file per part, leading to inode and disk exhaustion and unbounded memory growth. Any application using Plug.Parsers with the :multipart parser is affected, and no authentication is required, only reachability of a multipart endpoint over HTTP.\n\nThis vulnerability is associated with program files lib/plug/parsers/multipart.ex and program routines Plug.Parsers.MULTIPART.parse\\_multipart/2, Plug.Parsers.MULTIPART.parse\\_multipart\\_headers/5, Plug.Parsers.MULTIPART.parse\\_multipart\\_body/4, and Plug.Parsers.MULTIPART.parse\\_multipart\\_file/4.\n\nThis issue affects plug: from 1.4.0 before 1.16.6, from 1.17.0 before 1.17.4, from 1.18.0 before 1.18.5, from 1.19.0 before 1.19.5, and from 1.20.0 before 1.20.3.","id":"EEF-CVE-2026-56814","modified":"2026-07-10T14:41:43.299Z","published":"2026-07-10T11:14:35.574Z","references":[{"type":"ADVISORY","url":"https://github.com/elixir-plug/plug/security/advisories/GHSA-95qv-c9g9-rm63"},{"type":"WEB","url":"https://cna.erlef.org/cves/CVE-2026-56814.html"},{"type":"FIX","url":"https://github.com/elixir-plug/plug/commit/981597d3a4271ede64373c7a731702a42c500dd6"},{"type":"FIX","url":"https://github.com/elixir-plug/plug/commit/56edca2ce35fe5589cd581644d8a4493fa5f484e"},{"type":"FIX","url":"https://github.com/elixir-plug/plug/commit/0ee8afcc61466dc5f7a8f048d0632c899165b81f"},{"type":"FIX","url":"https://github.com/elixir-plug/plug/commit/cae36053350e5215a4e0ca33cd130af9c5fc6364"},{"type":"FIX","url":"https://github.com/elixir-plug/plug/commit/f7effaed811c00b5f5bf817936bfd9c5df27b7dc"},{"type":"FIX","url":"https://github.com/elixir-plug/plug/commit/df97d3f17f808a9916a7700a701fb85314559d56"},{"type":"PACKAGE","url":"https://hex.pm/packages/plug"}],"related":[],"schema_version":"1.7.3","severity":[{"score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N","type":"CVSS_V4"}],"summary":"Plug: multipart :length limit is not charged for part headers, enabling unbounded temp-file creation (denial of service)","upstream":[]}