CVE ID :CVE-2026-8468<\/p>\n
Published : May 14, 2026, 10:29 a.m. | 28\u00a0minutes ago<\/p>\n
Description :Allocation of Resources Without Limits or Throttling vulnerability in plug_project plug allows denial of service via unbounded buffer accumulation in multipart header parsing.<\/p>\n
plug_multipart in src\/plug_multipart.erl is a fork of the cow_multipart module from ninenines cowboy (CVE-2026-8466). The same unbounded accumulation pattern is present in ‘Elixir.Plug.Conn’:read_part_headers\/2 in lib\/plug\/conn.ex: it accumulates incoming request bytes into a growing binary with no upper-bound check. When plug_multipart:parse_headers\/2 returns more or {more, Buffer}, the function reads up to 64 KB from the underlying socket and recurses with the enlarged buffer. There is no equivalent of the byte_size(acc) > length guard present in the sibling function read_part_body\/8. An unauthenticated attacker can send a multipart\/form-data request whose body never yields a complete header section \u2014 for example, a body that never contains the advertised boundary delimiter, or one whose header lines never contain rnrn \u2014 and force the server process to accumulate memory linearly with the bytes the protocol layer is willing to deliver. A handful of concurrent such uploads is sufficient to exhaust BEAM memory.<\/p>\n
This issue affects plug from 1.4.0 before 1.15.4, 1.16.3, 1.17.1, 1.18.2, and 1.19.2.<\/p>\n
Severity: 8.2 | HIGH<\/p>\n
Visit the link for more details, such as CVSS details, affected products, timeline, and more…\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"
CVE ID :CVE-2026-8468 Published : May 14, 2026, 10:29 a.m. | 28\u00a0minutes ago Description :Allocation of Resources Without Limits or Throttling vulnerability in plug_project plug allows denial of service via unbounded buffer accumulation in multipart header parsing. plug_multipart in src\/plug_multipart.erl is a fork of the cow_multipart module from ninenines cowboy (CVE-2026-8466). The same unbounded accumulation …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-78471","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/78471","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=78471"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/78471\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=78471"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=78471"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=78471"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}