PT-2026-57991 · Unknown · Elixir-Mint

Andrea Leopardi

+1

·

Published

2026-07-14

·

Updated

2026-07-14

·

CVE-2026-58229

CVSS v4.0

8.2

High

VectorAV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions elixir-mint versions 0.1.0 through 1.9.1
Description A remote HTTP server can cause a denial of service by exhausting memory on the client host. The Mint.HTTP1.decode headers/5 and Mint.HTTP1.decode trailer headers/4 functions accumulate parsed response headers and chunked-trailer fields into a per-request list request.headers buffer that persists across TCP segments. Because there is no cap on the number of headers or total bytes, and the :erlang.decode packet(:httph bin, binary, []) parser is used with unlimited default size limits, a malicious server can stream header or trailer lines indefinitely without sending the terminating blank line. This causes the connection state to grow without bound until the BEAM node is terminated by the operating system's out-of-memory handler.
Recommendations Update elixir-mint to version 1.9.2 or later.

Exploit

Fix

Allocation of Resources Without Limits

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-58229

Affected Products

Elixir-Mint