PT-2026-40608 · Bandit · Bandit

Jonatan Männchen +2 · Published 2026-05-13 · Updated 2026-05-19 · CVE-2026-39806

CVSS v4.0 8.7 High
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
bandit versions 1.6.1 through 1.11.0

Description
An infinite loop in the do_read_chunked_data!/5 function in lib/bandit/http1/socket.ex allows unauthenticated remote attackers to cause a denial of service through worker-process exhaustion. The function only terminates when the last-chunk line (a chunk-size of 0 followed by CRLF) is immediately followed by the empty line (a bare CRLF) that ends the trailer section, whereas RFC 9112 §7.1.2 permits zero or more trailer field-lines between the two. When a trailer field is present, the function tail-recurses with unchanged state, makes no progress, and pins the worker process for the lifetime of the TCP connection. A small number of concurrent, RFC-conformant chunked requests carrying trailer fields can therefore exhaust the worker pool and render the server unresponsive. Because such requests are well-formed, the condition can also be triggered by legitimate traffic forwarded by proxies such as NGINX and HAProxy.

Recommendations
Update bandit to version 1.11.1.
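The failure mode described above is easiest to see next to a correct parser. The following is an added example written for this page in Python; it is not Bandit's Elixir source and not taken from the advisory. It contains a chunked-body decoder that consumes the trailer-section as zero or more field-lines, as RFC 9112 §7.1.2 requires; a naive decoder that reproduces the no-progress behaviour from the description, bounded so it reports the stall instead of hanging; and a builder for a well-formed request that carries a checksum in a trailer field. The function names, the X-Checksum-SHA256 trailer, the host and the sample payload are assumptions chosen for illustration.

```python
"""Added example, not Bandit's code: a trailer-aware HTTP/1.1 chunked-body
decoder, a naive decoder that models the no-progress loop described above,
and a builder for an RFC-conformant request carrying trailer fields.

Grammar, RFC 9112 section 7.1:
  chunked-body    = *chunk last-chunk trailer-section CRLF
  chunk           = chunk-size [ chunk-ext ] CRLF chunk-data CRLF
  last-chunk      = 1*("0") [ chunk-ext ] CRLF
  trailer-section = *( field-line CRLF )
"""
import hashlib

CRLF = b"\r\n"


def _read_line(buf, pos):
    """Return (line without its CRLF, position just after the CRLF)."""
    end = buf.find(CRLF, pos)
    if end < 0:
        raise ValueError("incomplete line; need more data")
    return buf[pos:end], end + 2


def _chunk_size(line):
    """Parse the hex chunk-size; a chunk-ext after ';' is allowed and ignored."""
    try:
        return int(line.split(b";", 1)[0].strip(), 16)
    except ValueError:
        raise ValueError(f"bad chunk-size line: {line!r}") from None


def decode_chunked(buf):
    """Decode a complete chunked body -> (body, trailers, bytes_consumed).
    The trailer-section is read as zero or more field-lines, as the RFC
    requires; that is the case the vulnerable parser did not handle."""
    body, pos = bytearray(), 0
    while True:
        line, pos = _read_line(buf, pos)
        size = _chunk_size(line)
        if size == 0:
            break                            # last-chunk; trailers follow
        if len(buf) < pos + size + 2:
            raise ValueError("incomplete chunk; need more data")
        if buf[pos + size:pos + size + 2] != CRLF:
            raise ValueError("chunk-data not terminated by CRLF")
        body += buf[pos:pos + size]
        pos += size + 2
    trailers = {}
    while True:
        line, pos = _read_line(buf, pos)
        if line == b"":                      # empty line ends the trailer-section
            return bytes(body), trailers, pos
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise ValueError(f"malformed trailer field-line: {line!r}")
        trailers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")


def naive_decode_chunked(buf, max_spins=100):
    """Models the defect: after the last-chunk only an immediately following
    empty line is accepted. With a trailer field present the parser keeps
    re-examining the same bytes without advancing; a real implementation that
    tail-recurses here spins for the life of the connection. This model counts
    the non-advancing iterations and raises instead."""
    body, pos = bytearray(), 0
    while True:
        line, pos = _read_line(buf, pos)
        size = _chunk_size(line)
        if size == 0:
            break
        body += buf[pos:pos + size]
        pos += size + 2
    spins = 0
    while buf[pos:pos + 2] != CRLF:          # pos never changes in this loop
        spins += 1
        if spins > max_spins:
            raise RuntimeError("no progress: parser stuck on the trailer-section")
    return bytes(body), pos + 2


def build_chunked_body(payload, trailers, chunk_size=4):
    """Encode payload as chunks, last-chunk, trailer-section, CRLF."""
    out = bytearray()
    for i in range(0, len(payload), chunk_size):
        piece = payload[i:i + chunk_size]
        out += f"{len(piece):x}".encode() + CRLF + piece + CRLF
    out += b"0" + CRLF
    for name, value in trailers.items():
        out += f"{name}: {value}".encode() + CRLF
    return bytes(out + CRLF)


def build_probe_request(host, path="/", payload=b"hello, bandit"):
    """A well-formed request of the kind described above: chunked body with a
    checksum carried in a trailer field, a common legitimate use of trailers.
    Host, path and payload are placeholders (assumptions) for a reader's own test."""
    trailers = {"X-Checksum-SHA256": hashlib.sha256(payload).hexdigest()}
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Transfer-Encoding: chunked\r\nTrailer: X-Checksum-SHA256\r\n\r\n").encode()
    return head + build_chunked_body(payload, trailers)
```

Feeding the output of build_probe_request (everything after the blank line that ends the header block) to decode_chunked yields the payload and the checksum trailer; feeding it to naive_decode_chunked raises, because the byte after the last-chunk is the start of a trailer field rather than CRLF and the loop never advances. Omitting the trailer makes both decoders agree, which is why the defect is invisible to clients that never send trailers.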

Exploit · Fix · DoS · Infinite Loop


Weakness Enumeration

Related Identifiers

CVE-2026-39806
GHSA-RF5Q-VWXW-GMRF

Affected Products

Bandit