PT-2026-57158 · Plug · Plug

Jonatan Männchen

+2

·

Published

2026-07-10

·

Updated

2026-07-10

·

CVE-2026-56814

CVSS v4.0

6.9

Medium

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions plug versions 1.4.0 through 1.16.5 plug versions 1.17.0 through 1.17.3 plug versions 1.18.0 through 1.18.4 plug versions 1.19.0 through 1.19.4 plug versions 1.20.0 through 1.20.2
Description The Plug.Parsers.MULTIPART request-body parser, used for file uploads and multipart forms, fails to enforce the :length budget across all consumed resources. The parser only counts bytes in the part body, ignoring part header bytes and parts with empty bodies. An unauthenticated remote attacker can exploit this by sending a single request containing numerous empty-body file parts with a non-empty filename in the Content-Disposition. This process triggers the creation of a temporary file via Plug.Upload and retains a Plug.Upload struct for each part, leading to unbounded memory growth and exhaustion of disk space and inodes. The issue is linked to the file lib/plug/parsers/multipart.ex and the functions Plug.Parsers.MULTIPART.parse multipart/2, Plug.Parsers.MULTIPART.parse multipart headers/5, Plug.Parsers.MULTIPART.parse multipart body/4, and Plug.Parsers.MULTIPART.parse multipart file/4.
Recommendations Update plug to version 1.16.6 or later. Update plug to version 1.17.4 or later. Update plug to version 1.18.5 or later. Update plug to version 1.19.5 or later. Update plug to version 1.20.3 or later.

Fix

Allocation of Resources Without Limits

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-56814
GHSA-95QV-C9G9-RM63

Affected Products

Plug