{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/bandit--1.4.0--1.11.1/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"id":"CVE-2026-39803"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["bandit (\u003e= 1.4.0, \u003c 1.11.1)"],"_cs_severities":["medium"],"_cs_tags":["dos","vulnerability","bandit"],"_cs_type":"advisory","_cs_vendors":["Erlang"],"content_html":"\u003cp\u003eA denial-of-service vulnerability exists in the Bandit HTTP/1 chunked-body reader. This vulnerability, discovered in May 2026, stems from the reader not respecting the configured request size cap (e.g., Plug.Parsers\u0026rsquo; default 8 MB length). An attacker can exploit this vulnerability by sending a single, unauthenticated \u003ccode\u003eTransfer-Encoding: chunked\u003c/code\u003e request to any URL of a Bandit-fronted Phoenix/Plug application. Due to the lack of size limiting in \u003ccode\u003elib/bandit/http1/socket.ex\u003c/code\u003e, the entire request body is buffered in memory, leading to BEAM out-of-memory (OOM) errors, effectively crashing the server. \nThis issue impacts Bandit versions 1.4.0 through 1.11.0 and poses a significant risk to Phoenix applications using Bandit as their web server.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends an HTTP POST request to any endpoint on a Bandit-fronted Phoenix application.\u003c/li\u003e\n\u003cli\u003eThe request includes the header \u003ccode\u003eTransfer-Encoding: chunked\u003c/code\u003e to trigger the vulnerable chunked-body reader in Bandit.\u003c/li\u003e\n\u003cli\u003eThe request also sets \u003ccode\u003eContent-Type\u003c/code\u003e to a type handled by \u003ccode\u003ePlug.Parsers\u003c/code\u003e (e.g., \u003ccode\u003eapplication/json\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eBandit\u0026rsquo;s \u003ccode\u003eread_data/2\u003c/code\u003e function in \u003ccode\u003elib/bandit/http1/socket.ex\u003c/code\u003e is invoked to handle the chunked request body.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eread_data/2\u003c/code\u003e function calls \u003ccode\u003edo_read_chunked_data!/5\u003c/code\u003e, but omits the configured \u003ccode\u003e:length\u003c/code\u003e cap.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003edo_read_chunked_data!/5\u003c/code\u003e function recursively accumulates all chunks into an iolist.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eIO.iodata_to_binary/1\u003c/code\u003e then materializes the entire iolist as a single binary in memory.\u003c/li\u003e\n\u003cli\u003eThe BEAM process exhausts its memory, leading to an out-of-memory error and crashing the server, resulting in a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability enables an unauthenticated pre-route denial-of-service attack via BEAM memory exhaustion. A single request from a single connection is sufficient to crash the server. \nThis affects nearly every Phoenix application using Bandit, as \u003ccode\u003ePlug.Parsers\u003c/code\u003e is typically mounted ahead of routing and authentication, and the configured \u003ccode\u003elength:\u003c/code\u003e caps are ineffective on the chunked path. This can lead to significant service disruptions and downtime.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Bandit Chunked Request DoS Attempt\u003c/code\u003e to your SIEM to detect suspicious chunked requests.\u003c/li\u003e\n\u003cli\u003eUpgrade to Bandit version 1.11.1 or later to patch CVE-2026-39803.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for abnormally large chunked requests originating from single source IPs.\u003c/li\u003e\n\u003cli\u003eReview and adjust memory limits on your BEAM processes to mitigate the impact of potential memory exhaustion attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-19T19:25:16Z","date_published":"2026-05-19T19:25:16Z","id":"https://feed.craftedsignal.io/briefs/2026-05-bandit-chunked-dos/","summary":"Bandit's HTTP/1 chunked-body reader silently drops the request size cap, leading to excessive memory buffering. An unauthenticated attacker can crash Bandit-fronted Phoenix/Plug applications by sending a single 'Transfer-Encoding: chunked' request to any URL, causing BEAM memory exhaustion and a denial-of-service.","title":"Bandit HTTP/1 Chunked Request DoS Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-bandit-chunked-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Bandit (\u003e= 1.4.0, \u003c 1.11.1)","version":"https://jsonfeed.org/version/1.1"}