PT-2026-57991 · Unknown · Elixir-Mint
Andrea Leopardi
+1
·
Published
2026-07-14
·
Updated
2026-07-14
·
CVE-2026-58229
CVSS v4.0
8.2
High
| Vector | AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
elixir-mint versions 0.1.0 through 1.9.1
Description
A remote HTTP server can cause a denial of service by exhausting memory on the client host. The
Mint.HTTP1.decode headers/5 and Mint.HTTP1.decode trailer headers/4 functions accumulate parsed response headers and chunked-trailer fields into a per-request list request.headers buffer that persists across TCP segments. Because there is no cap on the number of headers or total bytes, and the :erlang.decode packet(:httph bin, binary, []) parser is used with unlimited default size limits, a malicious server can stream header or trailer lines indefinitely without sending the terminating blank line. This causes the connection state to grow without bound until the BEAM node is terminated by the operating system's out-of-memory handler.Recommendations
Update elixir-mint to version 1.9.2 or later.
Exploit
Fix
Allocation of Resources Without Limits
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Elixir-Mint