{"affected":[{"package":{"ecosystem":"Hex","name":"cowboy","purl":"pkg:hex/cowboy"},"ranges":[{"events":[{"introduced":"2.0.0"},{"fixed":"2.15.0"}],"type":"SEMVER"}],"versions":["2.0.0","2.1.0","2.2.0","2.2.1","2.2.2","2.3.0","2.4.0","2.5.0","2.6.0","2.6.1","2.6.2","2.6.3","2.7.0","2.8.0","2.9.0","2.10.0","2.11.0","2.12.0","2.13.0","2.14.0","2.14.1","2.14.2"]},{"ranges":[{"events":[{"introduced":"917cf99e10c41676183d501b86af6e47c95afb89"},{"fixed":"5c6a2061b41bb5771c4659fac7d5a822dca5bafb"}],"repo":"https://github.com/ninenines/cowboy","type":"GIT"}]}],"aliases":["CVE-2026-8466"],"credits":[{"name":"Peter Ullrich","type":"FINDER"},{"name":"Loïc Hoguin","type":"REMEDIATION_DEVELOPER"}],"database_specific":{"capec_ids":["CAPEC-130"],"cpe_ids":["cpe:2.3:a:ninenines:cowboy:*:*:*:*:*:*:*:*"],"cwe_ids":["CWE-770"]},"details":"## Summary\n\nAllocation of Resources Without Limits or Throttling vulnerability in ninenines cowboy allows denial of service via unbounded buffer accumulation in multipart header parsing.\n\ncowboy_req:read_part/3 in src/cowboy_req.erl accumulates incoming request bytes into a Buffer binary with no upper-bound check. When cow_multipart:parse_headers/2 returns more or {more, Buffer2}, the function reads up to Length bytes (default 64 KB) from the request body and recurses with the enlarged buffer. There is no equivalent of the byte_size(Acc) > Length guard present in the sibling function read_part_body/4. An unauthenticated attacker can send a multipart/form-data request whose body never yields a complete header section — for example, a body that never contains the advertised boundary delimiter, or one whose header lines never contain \\r\\n\\r\\n — and force the server process to accumulate memory linearly with the bytes the protocol layer is willing to deliver. A handful of concurrent such uploads is sufficient to exhaust BEAM memory.\n\nThis issue affects cowboy from 2.0.0 before 2.15.0.\n\n## Configuration\n\nThe application must expose an HTTP endpoint that calls cowboy_req:read_part/1,2 to process multipart/form-data request bodies. Deployments that do not handle multipart uploads are not affected.","id":"EEF-CVE-2026-8466","modified":"2026-05-13T18:26:21.089Z","published":"2026-05-13T18:26:21.089Z","references":[{"type":"WEB","url":"https://cna.erlef.org/cves/CVE-2026-8466.html"},{"type":"FIX","url":"https://github.com/ninenines/cowboy/commit/5c6a2061b41bb5771c4659fac7d5a822dca5bafb"},{"type":"PACKAGE","url":"https://hex.pm/packages/cowboy"}],"related":[],"schema_version":"1.7.3","severity":[{"score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N","type":"CVSS_V4"}],"summary":"Unbounded buffer accumulation in multipart header parsing causes denial of service in cowboy","upstream":[]}