PT-2026-56202 · Phoenix · Phoenix

Jonatan Männchen

+3

·

Published

2026-07-07

·

Updated

2026-07-07

·

CVE-2026-56812

CVSS v4.0

6.3

Medium

VectorAV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions phoenix versions 1.2.0-rc.0 through 1.5.14 phoenix versions 1.6.0-rc.0 through 1.6.16 phoenix versions 1.7.0-rc.0 through 1.7.23 phoenix versions 1.8.0-rc.0 through 1.8.8
Description The Presence JavaScript client in phoenix contains an improper check for unusual conditions that allows an attacker with ordinary channel access to cause a persistent client-side denial of service for all viewers of a presence channel topic. The issue resides in the assets/js/phoenix/presence.js file within the Presence.syncState() and Presence.syncDiff() routines. The client uses a bare truthiness test (state[key]) instead of an own-property check to verify if a presence exists. Since presence keys are attacker-controlled, a user can provide a key that matches an Object.prototype member name (such as proto, constructor, toString, or hasOwnProperty). This causes the lookup to return the built-in Object.prototype instead of undefined, leading the code to attempt to read .metas.map(...) from the prototype, which throws an uncaught TypeError. This exception prevents the local state from updating and stops onSync() from firing. Because the server continues to push the malicious key, the synchronization remains broken for all viewers of the topic until the attacker leaves. This is a read-time confusion of the prototype object and not prototype pollution.
Recommendations Update phoenix to version 1.5.15 or later. Update phoenix to version 1.6.17 or later. Update phoenix to version 1.7.24 or later. Update phoenix to version 1.8.9 or later.

Exploit

Fix

Improper Check for Exceptional Conditions

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-56812

Affected Products

Phoenix