CVE-2026-39803— HTTP/1 chunked body reader ignores length cap in bandit
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-39803
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
HTTP/1 chunked body reader ignores length cap in bandit
Source: NVD (National Vulnerability Database)
Vulnerability Description
Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion. The chunked clause of 'Elixir.Bandit.HTTP1.Socket':read_data/2 in lib/bandit/http1/socket.ex ignores the caller-supplied :length option when reading HTTP/1 chunked request bodies. Instead of capping the accumulated body at the configured limit (e.g. Plug.Parsers' default 8 MB), do_read_chunked_data!/5 buffers every received chunk into an iolist unconditionally and materializes the entire body as a single binary. The function always returns {:ok, body, ...}, so callers cannot interpose a 413 response. Because Plug.Parsers runs before routing and authentication in the standard Phoenix endpoint, an unauthenticated attacker needs no valid route or credentials. Sending a single Transfer-Encoding: chunked POST request with an arbitrarily large body to any path causes the BEAM process to exhaust available memory and be terminated by the OS OOM killer. The content-length path in the same function correctly enforces the limit and is not affected. This issue affects bandit: from 1.4.0 before 1.11.1.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
不加限制或调节的资源分配
Source: NVD (National Vulnerability Database)
Vulnerability Title
Bandit 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Bandit是Mat Trudel个人开发者的一款高性能HTTP与WebSocket服务器。 Bandit 1.4.0版本至1.11.1之前版本存在安全漏洞,该漏洞源于资源分配无限制,可能导致未经身份验证的远程攻击者通过内存耗尽造成拒绝服务。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-39803
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-39803
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same product: bandit
- CVE-2026-39806
HTTP/1 chunked decoder infinite loop on requests with traile - CVE-2026-39805
CL.CL HTTP request smuggling via duplicate Content-Length in - CVE-2026-39804
WebSocket permessage-deflate inflate has no output-size cap - CVE-2026-39807
Client-supplied URI scheme trusted without transport verific - CVE-2026-42786
WebSocket fragmented message reassembly unbounded in bandit
Same vendor: mtrudel
- CVE-2026-39806
HTTP/1 chunked decoder infinite loop on requests with traile - CVE-2026-39805
CL.CL HTTP request smuggling via duplicate Content-Length in - CVE-2026-39804
WebSocket permessage-deflate inflate has no output-size cap - CVE-2026-39807
Client-supplied URI scheme trusted without transport verific - CVE-2026-42786
WebSocket fragmented message reassembly unbounded in bandit
Same weakness: CWE-770
- CVE-2021-47959
WordPress Plugin WPGraphQL 1.3.5 Denial of Service - CVE-2026-44679
Tuist: Forgot password flow lacks throttling for reset email - CVE-2026-44216
Wasmtime: Panic when allocating a table exceeding the size o - CVE-2026-8468
Unbounded buffer accumulation in multipart header parsing ca - CVE-2025-14870
Allocation of Resources Without Limits or Throttling in GitL
V. Comments for CVE-2026-39803
No comments yet