{"affected":[{"package":{"ecosystem":"Hex","name":"mint","purl":"pkg:hex/mint"},"ranges":[{"events":[{"introduced":"0.1.0"},{"fixed":"1.9.2"}],"type":"SEMVER"}],"versions":["0.1.0","0.2.0","0.2.1","0.3.0","0.4.0","0.5.0","1.0.0","1.1.0","1.2.0","1.2.1","1.3.0","1.4.0","1.4.1","1.4.2","1.5.0","1.5.1","1.5.2","1.6.0","1.6.1","1.6.2","1.7.0","1.7.1","1.8.0","1.9.0","1.9.1"]},{"ranges":[{"events":[{"introduced":"3e6de4bac4821b0eb4d6109e8b1f3fb6458792c8"},{"fixed":"566d702e6f29105f77522ca7aabb9f64f2f4e333"}],"repo":"https://github.com/elixir-mint/mint","type":"GIT"}]}],"aliases":["GHSA-qrfr-wh4c-3qhw","CVE-2026-58229"],"credits":[{"name":"zx (Jace)","type":"FINDER"},{"name":"Andrea Leopardi","type":"REMEDIATION_DEVELOPER"},{"name":"Eric Meadows-Jönsson","type":"REMEDIATION_REVIEWER"},{"name":"Jonatan Männchen / EEF","type":"ANALYST"}],"database_specific":{"capec_ids":["CAPEC-130"],"cpe_ids":["cpe:2.3:a:elixir-mint:mint:*:*:*:*:*:*:*:*"],"cwe_ids":["CWE-770"]},"details":"## Summary\n\nAllocation of resources without limits vulnerability in elixir-mint mint allows a remote HTTP server to exhaust memory on the client host and cause a denial of service.\n\nThe Mint.HTTP1.decode\\_headers/5 and Mint.HTTP1.decode\\_trailer\\_headers/4 functions in lib/mint/http1.ex accumulate every parsed response header and chunked-trailer field into a per-request list that persists across incoming TCP segments as request.headers\\_buffer, and only clear it when the terminating blank line is received. The section has no cap on the number of headers or on total bytes, and the underlying :erlang.decode\\_packet(:httph\\_bin, binary, \\[\\]) parser is invoked with an empty option list so its per-line and per-packet size limits also default to unlimited.\n\nA malicious HTTP server (reachable directly, via an attacker-controlled redirect, via SSRF, or via a man-in-the-middle) can stream complete header lines (or, after a chunked body, complete trailer lines) indefinitely without ever emitting the terminating blank line. The connection state grows without bound until the BEAM node is killed by the operating system's out-of-memory handler, taking down the entire application that uses Mint as an HTTP client.\n\nThis issue affects mint: from 0.1.0 before 1.9.2.","id":"EEF-CVE-2026-58229","modified":"2026-07-14T08:36:54.616Z","published":"2026-07-14T08:36:54.616Z","references":[{"type":"ADVISORY","url":"https://github.com/elixir-mint/mint/security/advisories/GHSA-qrfr-wh4c-3qhw"},{"type":"WEB","url":"https://cna.erlef.org/cves/CVE-2026-58229.html"},{"type":"FIX","url":"https://github.com/elixir-mint/mint/commit/566d702e6f29105f77522ca7aabb9f64f2f4e333"},{"type":"PACKAGE","url":"https://hex.pm/packages/mint"}],"related":[],"schema_version":"1.7.3","severity":[{"score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N","type":"CVSS_V4"}],"summary":"Unbounded HTTP/1 response-header and chunked-trailer accumulation in Mint causes memory-exhaustion DoS","upstream":[]}