CVE-2026-49754
HTTP/2 CONTINUATION flood in Mint client via unbounded header-block accumulation
Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint Mint allows attacker-controlled HTTP/2 servers to exhaust memory in a Mint client (HTTP/2 CONTINUATION flood). When Mint's HTTP/2 receive path observes a HEADERS frame without the END_HEADERS flag, the unparsed header-block fragment is parked in conn.headers_being_processed, and every subsequent CONTINUATION frame on that stream is appended to the accumulator. Nothing in the receive path caps the accumulator: there is no per-stream size limit, no CONTINUATION frame-count limit, and max_header_list_size is only enforced on outgoing requests, never on inbound header blocks (its default is :infinity). A malicious or compromised HTTP/2 server can stream an endless sequence of CONTINUATION frames (each up to the peer-advertised SETTINGS_MAX_FRAME_SIZE) and drive the client's iolist to arbitrary size, causing memory exhaustion and BEAM process death. A single connection to an attacker-controlled HTTP/2 endpoint is sufficient. This issue affects mint: from 0.1.0 before 1.9.0.
| CWE | CWE-770 |
| Vendor | elixir-mint |
| Product | mint |
| Published | Jun 2, 2026 |
| Last Updated | Jun 2, 2026 |
Get instant alerts for elixir-mint mint
Be the first to know when new unknown vulnerabilities affecting elixir-mint mint are published — delivered to Slack, Telegram or Discord.