CVE-2026-39803

Name of the Vulnerable Software and Affected Versions bandit versions 1.4.0 through 1.11.0

Description An unauthenticated remote attacker can cause a denial of service via memory exhaustion. The read data/2 function in Elixir.Bandit.HTTP1.Socket ignores the :length option when processing HTTP/1 chunked request bodies. Specifically, the do read chunked data!/5 function buffers every received chunk into an iolist without capping the accumulated body at the configured limit, materializing the entire body as a single binary. Since this process occurs before routing and authentication in standard Phoenix endpoints, sending a single POST request with a Transfer-Encoding: chunked header and an arbitrarily large body can exhaust the BEAM process memory, leading to termination by the operating system's Out-Of-Memory (OOM) killer.

Recommendations Update bandit to version 1.11.1.