PT-2026-40905 · Plug · Plug
Jonatan Männchen +1
Published 2026-05-14 · Updated 2026-05-14
CVE-2026-8468
CVSS v4.0: 8.2 (High)
| Vector | AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
plug versions 1.4.0 through 1.15.3
plug version 1.16.3
plug version 1.17.1
plug version 1.18.2
plug version 1.19.2
Description
An unbounded buffer accumulation issue exists during multipart header parsing. The function `read_part_headers/2` in lib/plug/conn.ex fails to obey its `:length` parameter and lacks an upper bound on the size of the accumulated buffer. An unauthenticated remote attacker can exhaust server memory by sending a crafted multipart/form-data request whose body never yields a complete header section, for example by omitting the boundary delimiter or the `\r\n\r\n` terminator sequence. The server process then keeps accumulating memory linearly with the bytes received, potentially leading to a denial of service by exhausting BEAM memory.
Recommendations
Update plug to version 1.15.4 or newer.
Update plug to a version later than 1.16.3.
Update plug to a version later than 1.17.1.
Update plug to a version later than 1.18.2.
Update plug to a version later than 1.19.2.
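To make the description concrete, the following is an added illustration of the bounded behaviour the advisory says `read_part_headers/2` lacks: a reader that collects a part's header section until the `\r\n\r\n` terminator but refuses to buffer more than its `:length` option allows. This is not Plug's own code; the module name, the chunk-source callback convention (`state -> {:ok, chunk, state} | {:done, state}`), and the 64_000-byte default are assumptions made for the example.

```elixir
defmodule BoundedPartHeaders do
  @moduledoc """
  Hypothetical example: read one multipart part's header section from a
  chunked body source, stopping at the CRLFCRLF terminator and refusing to
  buffer more than the configured :length bytes while waiting for it.
  """

  @terminator "\r\n\r\n"

  @doc """
  `next_chunk` is a function `state -> {:ok, binary, state} | {:done, state}`
  standing in for a streaming body reader (assumed interface).
  Returns {:ok, headers, rest, state} or {:error, reason}.
  """
  def read(next_chunk, state, opts \\ []) do
    # Assumed default; mirrors the :length option named in the advisory.
    limit = Keyword.get(opts, :length, 64_000)
    do_read(next_chunk, state, "", limit)
  end

  defp do_read(next_chunk, state, acc, limit) do
    case :binary.match(acc, @terminator) do
      {pos, len} ->
        # Complete header section found: split it off, hand back the rest.
        header_bytes = binary_part(acc, 0, pos)
        rest = binary_part(acc, pos + len, byte_size(acc) - (pos + len))
        {:ok, parse_headers(header_bytes), rest, state}

      :nomatch ->
        # No terminator yet. The bound is checked before every further read,
        # so the buffer can never grow past :length plus one chunk, however
        # long the sender withholds the terminator.
        if byte_size(acc) > limit do
          {:error, :header_section_too_large}
        else
          case next_chunk.(state) do
            {:ok, chunk, state} -> do_read(next_chunk, state, acc <> chunk, limit)
            {:done, _state} -> {:error, :unexpected_end_of_headers}
          end
        end
    end
  end

  defp parse_headers(""), do: []

  defp parse_headers(bytes) do
    bytes
    |> String.split("\r\n", trim: true)
    |> Enum.map(fn line ->
      [name, value] = String.split(line, ":", parts: 2)
      {String.downcase(String.trim(name)), String.trim(value)}
    end)
  end
end

# Constructed sample data, not captured traffic: a well-formed part whose
# header section happens to arrive split across two chunks.
well_formed = [
  "Content-Disposition: form-data; name=\"file\"; filename=\"a.txt\"\r\n",
  "Content-Type: text/plain\r\n\r\nhello"
]

list_source = fn
  [chunk | rest] -> {:ok, chunk, rest}
  [] -> {:done, []}
end

IO.inspect(BoundedPartHeaders.read(list_source, well_formed, length: 1_000),
  label: "well-formed")

# A local simulation of the failure mode: a source that keeps producing
# filler and never emits the terminator. The bounded reader returns
# {:error, :header_section_too_large} once ~8 KiB has accumulated instead
# of growing until the VM runs out of memory.
endless_source = fn _state -> {:ok, String.duplicate("x", 1024), :endless} end

IO.inspect(BoundedPartHeaders.read(endless_source, :endless, length: 8_192),
  label: "no terminator")
```

Run it with `elixir bounded_part_headers.exs`. The point of the second call is the one the advisory makes: when the bound is enforced on every read, a body that never completes its header section costs at most `:length` plus one chunk of memory before the request is rejected, rather than a linear, unbounded amount.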
Fix
Weakness Enumeration
Allocation of Resources Without Limits
Related Identifiers
CVE-2026-8468
Affected Products
Plug