CVE-2026-32689

EPSS 0.47%
Veröffentlicht 05.05.2026 16:16:11
Zuletzt bearbeitet 05.05.2026 19:37:28
Quelle 6b3ad84c-e1a6-4bf7-a703-f496b7
CVE-Watchlists
Login
Unerledigt
Login

Long-poll NDJSON body splitting causes unbounded memory allocation in Phoenix

Allocation of Resources Without Limits or Throttling vulnerability in phoenixframework phoenix allows a denial of service via the long-poll transport's NDJSON body handling.

In 'Elixir.Phoenix.Transports.LongPoll':publish/4, when a POST request is received with Content-Type: application/x-ndjson, the request body is split on newline characters using String.split/2 with no limit on the number of resulting segments. An attacker can send a body consisting entirely of newline bytes, causing a 1:1 amplification into a list of empty binaries — a 1 MB body produces approximately one million list elements, an 8 MB body approximately 8.4 million. Each element is then walked by Enum.map, materializing another list of the same size. This exhausts BEAM memory and schedulers, crashing the node and terminating all active sessions.

A session token required to reach the vulnerable endpoint is freely obtainable by any client via an unauthenticated GET request to the same URL with a matching Origin header, making this attack effectively unauthenticated.

This issue affects phoenix: from 1.7.0 before 1.7.22 and 1.8.6.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 8

CNA 2 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellerphoenixframework

≫

Produkt phoenix

Default Statusunaffected

Version 1.7.0

Version < 1.7.22

Status affected

Version 1.8.0

Version < 1.8.6

Status affected

Herstellerphoenixframework

≫

Produkt phoenix

Default Statusunaffected

Version 2674c6ea30634667f9b09966b90269393b445953

Version < *

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.47%	0.368

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
6b3ad84c-e1a6-4bf7-a703-f496b71e49db	8.7	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

https://cna.erlef.org/cves/CVE-2026-32689.html

https://github.com/phoenixframework/phoenix/commit/1a67c61ff9ce0a7711662ac7354861917a7c80f7

https://github.com/phoenixframework/phoenix/commit/912ea181fd247c21dbcc49fb97d0053b947d81bf

https://github.com/phoenixframework/phoenix/security/advisories/GHSA-628h-q48j-jr6q

https://osv.dev/vulnerability/EEF-CVE-2026-32689

https://nvd.nist.gov/vuln/detail/CVE-2026-32689

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-32689

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-32689

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-32689