{"affected":[{"package":{"ecosystem":"Hex","name":"plug","purl":"pkg:hex/plug"},"ranges":[{"events":[{"introduced":"1.4.0"},{"fixed":"1.15.4"}],"type":"SEMVER"},{"events":[{"introduced":"1.16.0"},{"fixed":"1.16.3"}],"type":"SEMVER"},{"events":[{"introduced":"1.17.0"},{"fixed":"1.17.1"}],"type":"SEMVER"},{"events":[{"introduced":"1.18.0"},{"fixed":"1.18.2"}],"type":"SEMVER"},{"events":[{"introduced":"1.19.0"},{"fixed":"1.19.2"}],"type":"SEMVER"}],"versions":["1.4.0","1.4.1","1.4.2","1.4.3","1.4.4","1.4.5","1.5.0-rc.0","1.5.0-rc.1","1.5.0-rc.2","1.5.0","1.5.1","1.6.0","1.6.1","1.6.2","1.6.3","1.6.4","1.7.0","1.7.1","1.7.2","1.8.0","1.8.1","1.8.2","1.8.3","1.9.0","1.10.0","1.10.1","1.10.2","1.10.3","1.10.4","1.11.0","1.11.1","1.12.0","1.12.1","1.13.0","1.13.1","1.13.2","1.13.3","1.13.4","1.13.5","1.13.6","1.14.0","1.14.1","1.14.2","1.15.0","1.15.1","1.15.2","1.15.3","1.16.0","1.16.1","1.16.2","1.17.0","1.18.0","1.18.1","1.19.0","1.19.1"]},{"ranges":[{"events":[{"introduced":"c52b2f32c90bccd718202bafccb5f95594e30183"},{"fixed":"2cb7958d33030aa826b0c7404375844d4593d43a"},{"fixed":"aa69c5ece99c40ded88b8c6581ecc86664b0b734"},{"fixed":"d5dfffe25e975585227b1b85d247b0d14164bc45"},{"fixed":"df812a1527bae9e941965e897308a2b8bbf83a94"},{"fixed":"33858427c7f2737d560a2e40a0c9a9270d77d1d7"}],"repo":"https://github.com/elixir-plug/plug","type":"GIT"}]}],"aliases":["GHSA-468c-vq7p-gh64","CVE-2026-8468"],"credits":[{"name":"José Valim","type":"FINDER"},{"name":"José Valim","type":"REMEDIATION_DEVELOPER"},{"name":"Jonatan Männchen","type":"ANALYST"}],"database_specific":{"capec_ids":["CAPEC-130"],"cpe_ids":["cpe:2.3:a:plug_project:plug:*:*:*:*:*:*:*:*"],"cwe_ids":["CWE-770"]},"details":"## Summary\n\nAllocation of Resources Without Limits or Throttling vulnerability in plug_project plug allows denial of service via unbounded buffer accumulation in multipart header parsing.\n\n'Elixir.Plug.Conn':read_part_headers/2 in lib/plug/conn.ex does not obey its :length parameter. There is no upper bound on the size of the accumulated buffer. By contrast, the sibling function read_part_body has an explicit byte_size(acc) > length guard that stops accumulation once a limit is reached. No such guard exists in read_part_headers. An unauthenticated remote attacker can exhaust server memory by sending a crafted multipart/form-data request, causing a denial of service.\n\nThis issue affects plug from 1.4.0 before 1.15.4, 1.16.3, 1.17.1, 1.18.2, and 1.19.2.\n\n## Configuration\n\nThe application must use Plug.Parsers with the :multipart parser, or otherwise call Plug.Conn.read_part_headers/2 to process multipart/form-data request bodies. Deployments that do not handle multipart uploads are not affected.","id":"EEF-CVE-2026-8468","modified":"2026-05-15T04:33:16.325Z","published":"2026-05-14T10:29:51.062Z","references":[{"type":"ADVISORY","url":"https://github.com/elixir-plug/plug/security/advisories/GHSA-468c-vq7p-gh64"},{"type":"WEB","url":"https://cna.erlef.org/cves/CVE-2026-8468.html"},{"type":"WEB","url":"https://cna.erlef.org/cves/CVE-2026-8466.html"},{"type":"FIX","url":"https://github.com/elixir-plug/plug/commit/2cb7958d33030aa826b0c7404375844d4593d43a"},{"type":"FIX","url":"https://github.com/elixir-plug/plug/commit/aa69c5ece99c40ded88b8c6581ecc86664b0b734"},{"type":"FIX","url":"https://github.com/elixir-plug/plug/commit/d5dfffe25e975585227b1b85d247b0d14164bc45"},{"type":"FIX","url":"https://github.com/elixir-plug/plug/commit/df812a1527bae9e941965e897308a2b8bbf83a94"},{"type":"FIX","url":"https://github.com/elixir-plug/plug/commit/33858427c7f2737d560a2e40a0c9a9270d77d1d7"},{"type":"PACKAGE","url":"https://hex.pm/packages/plug"}],"related":[],"schema_version":"1.7.3","severity":[{"score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N","type":"CVSS_V4"}],"summary":"Unbounded buffer accumulation in multipart header parsing causes denial of service in plug","upstream":[]}