PT-2026-57158 · Plug · Plug
Jonatan Männchen
+2
·
Published
2026-07-10
·
Updated
2026-07-10
·
CVE-2026-56814
CVSS v4.0
6.9
Medium
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
plug versions 1.4.0 through 1.16.5
plug versions 1.17.0 through 1.17.3
plug versions 1.18.0 through 1.18.4
plug versions 1.19.0 through 1.19.4
plug versions 1.20.0 through 1.20.2
Description
The
Plug.Parsers.MULTIPART request-body parser, used for file uploads and multipart forms, fails to enforce the :length budget across all consumed resources. The parser only counts bytes in the part body, ignoring part header bytes and parts with empty bodies. An unauthenticated remote attacker can exploit this by sending a single request containing numerous empty-body file parts with a non-empty filename in the Content-Disposition. This process triggers the creation of a temporary file via Plug.Upload and retains a Plug.Upload struct for each part, leading to unbounded memory growth and exhaustion of disk space and inodes. The issue is linked to the file lib/plug/parsers/multipart.ex and the functions Plug.Parsers.MULTIPART.parse multipart/2, Plug.Parsers.MULTIPART.parse multipart headers/5, Plug.Parsers.MULTIPART.parse multipart body/4, and Plug.Parsers.MULTIPART.parse multipart file/4.Recommendations
Update plug to version 1.16.6 or later.
Update plug to version 1.17.4 or later.
Update plug to version 1.18.5 or later.
Update plug to version 1.19.5 or later.
Update plug to version 1.20.3 or later.
Fix
Allocation of Resources Without Limits
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Plug