CVE-2026-8468
Unbounded buffer accumulation in multipart header parsing causes denial of service in plug
Allocation of Resources Without Limits or Throttling vulnerability in plug_project plug allows denial of service via unbounded buffer accumulation in multipart header parsing. 'Elixir.Plug.Conn':read_part_headers/2 in lib/plug/conn.ex does not obey its :length parameter. There is no upper bound on the size of the accumulated buffer. By contrast, the sibling function read_part_body has an explicit byte_size(acc) > length guard that stops accumulation once a limit is reached. No such guard exists in read_part_headers. An unauthenticated remote attacker can exhaust server memory by sending a crafted multipart/form-data request, causing a denial of service. This issue affects plug from 1.4.0 before 1.15.4, 1.16.3, 1.17.1, 1.18.2, and 1.19.2.
| CWE | CWE-770 |
| Vendor | elixir-plug |
| Product | plug |
| Published | May 14, 2026 |
| Last Updated | May 14, 2026 |
Get instant alerts for elixir-plug plug
Be the first to know when new unknown vulnerabilities affecting elixir-plug plug are published — delivered to Slack, Telegram or Discord.