PT-2026-56201 · Phoenix · Phoenix
Jonatan Männchen
+3
·
Published
2026-07-07
·
Updated
2026-07-07
·
CVE-2026-56811
CVSS v4.0
8.7
High
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
phoenix versions 0.11.0 through 1.5.14
phoenix versions 1.6.0-rc.0 through 1.6.16
phoenix versions 1.7.0-rc.0 through 1.7.23
phoenix versions 1.8.0-rc.0 through 1.8.8
Description
An unauthenticated attacker can cause a denial of service against any endpoint mounting a Phoenix socket with a reachable channel transport, such as WebSocket or LongPoll. The issue resides in the
Elixir.Phoenix.Socket:handle in/4 routine within the lib/phoenix/socket.ex file. Because Phoenix transports do not limit the number of channels a single transport process can join, a client can send an unbounded number of phx join messages over one connection. This spawns excessive channel processes, potentially exhausting the BEAM maximum process limit and preventing the virtual machine from starting new processes for legitimate traffic. This amplification occurs within a single connection, rendering network-layer connection caps and rate limiting ineffective.Recommendations
Update phoenix to version 1.5.15 or later.
Update phoenix to version 1.6.17 or later.
Update phoenix to version 1.7.24 or later.
Update phoenix to version 1.8.9 or later.
Configure the
:max channels per transport option to bound the number of channels a single transport process can join.Fix
Allocation of Resources Without Limits
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Phoenix