CVE-2026-39806— Bandit 安全漏洞

HTTP/1 chunked decoder infinite loop on requests with trailer fields in bandit

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in mtrudel bandit allows unauthenticated remote denial of service via worker process exhaustion. 'Elixir.Bandit.HTTP1.Socket':do_read_chunked_data!/5 in lib/bandit/http1/socket.ex terminates only when the last-chunk line 0\r\n is followed immediately by the empty trailer line \r\n. RFC 9112 §7.1.2 permits zero or more trailer fields between them. When trailers are present, none of the match clauses fit: the catch-all arm computes a negative to_read, calls read_available!/2, receives <<>> on timeout, and tail-recurses with unchanged state. The worker process is pinned for the lifetime of the TCP connection. A handful of concurrent connections sending RFC-conformant chunked requests with trailer fields is sufficient to exhaust the Bandit worker pool and render the server unresponsive to all further traffic. No authentication, special headers, or large payload is required. Proxies such as NGINX and HAProxy legitimately forward trailer-bearing requests, so servers behind such proxies may be affected without any malicious client involvement. This issue affects bandit: from 1.6.1 before 1.11.1.

N/A

不可达退出条件的循环(无限循环)

Bandit 安全漏洞

Bandit是Mat Trudel个人开发者的一款高性能HTTP与WebSocket服务器。 Bandit 1.6.1版本至1.11.1之前版本存在安全漏洞，该漏洞源于无限循环，可能导致未经身份验证的远程攻击者通过工作进程耗尽造成拒绝服务。

N/A

N/A