Resource exhaustion in Elixir-plug Plug

CVE-2026-8468

Allocation of Resources Without Limits or Throttling vulnerability in plug_project plug allows denial of service via unbounded buffer accumulation in multipart header parsing. 'Elixir.Plug.Conn':read_part_headers/2 in lib/plug/conn.ex doe…

EPSS: 0.003 (50.5th percentile) — read the EPSS interpretation.

Affected products

Elixir-plug Plug — versions 1.4.0, 1.16.0, 1.17.0

Weakness classification (CWE)

CWE-770 — Allocation of Resources Without Limits or Throttling

References

6b3ad84c-e1a6-4bf7-a703-f496b71e49db (related, vendor-advisory)
6b3ad84c-e1a6-4bf7-a703-f496b71e49db (related)
6b3ad84c-e1a6-4bf7-a703-f496b71e49db (related)
6b3ad84c-e1a6-4bf7-a703-f496b71e49db (related)
6b3ad84c-e1a6-4bf7-a703-f496b71e49db (patch)
6b3ad84c-e1a6-4bf7-a703-f496b71e49db (patch)
6b3ad84c-e1a6-4bf7-a703-f496b71e49db (patch)
6b3ad84c-e1a6-4bf7-a703-f496b71e49db (patch)
6b3ad84c-e1a6-4bf7-a703-f496b71e49db (patch)