{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/bandit--1.6.0--1.11.1/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"id":"CVE-2026-39806"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["bandit (\u003e= 1.6.0, \u003c 1.11.1)"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","bandit","chunked-transfer-encoding"],"_cs_type":"advisory","_cs_vendors":["erlang"],"content_html":"\u003cp\u003eA worker-pinning denial-of-service vulnerability exists in Bandit\u0026rsquo;s HTTP/1 chunked transfer decoder (CVE-2026-39806). The vulnerability affects Bandit versions 1.6.0 through 1.11.0. Any unauthenticated client sending a \u003ccode\u003eTransfer-Encoding: chunked\u003c/code\u003e request with a body ending with a trailer field causes the connection\u0026rsquo;s worker process to become stuck in an infinite recursion. This occurs because the \u003ccode\u003edo_read_chunked_data!/5\u003c/code\u003e function in \u003ccode\u003elib/bandit/http1/socket.ex\u003c/code\u003e does not properly handle trailer fields in chunked requests, leading to repeated calls to \u003ccode\u003eread_available!/2\u003c/code\u003e without progress. A small number of concurrent connections can exhaust the listener pool, rendering the server unresponsive to further traffic. 
The vulnerability was introduced with commit e73e379ab59840e8561b5730878f16e29ab06217 on December 6, 2024.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker sends an HTTP POST request to the vulnerable Bandit server.\u003c/li\u003e\n\u003cli\u003eThe request includes the \u003ccode\u003eTransfer-Encoding: chunked\u003c/code\u003e header to indicate a chunked transfer encoding.\u003c/li\u003e\n\u003cli\u003eThe request body consists of at least one data chunk followed by the last-chunk marker \u003ccode\u003e0\\r\\n\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request body then includes a trailer field, such as \u003ccode\u003eX-Trailer: value\\r\\n\u003c/code\u003e, after the last chunk marker.\u003c/li\u003e\n\u003cli\u003eThe request is terminated with \u003ccode\u003e\\r\\n\u003c/code\u003e to signal the end of the message.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003edo_read_chunked_data!/5\u003c/code\u003e function in \u003ccode\u003elib/bandit/http1/socket.ex\u003c/code\u003e attempts to parse the chunked data.\u003c/li\u003e\n\u003cli\u003eDue to the presence of the trailer field, the function fails to match the terminator clause and enters the \u003ccode\u003e_ -\u0026gt;\u003c/code\u003e arm, leading to a negative \u003ccode\u003eto_read\u003c/code\u003e value and a call to \u003ccode\u003eread_available!/2\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe function tail-recurses with the same state, causing an infinite loop and pinning the worker process, ultimately leading to denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation results in an unauthenticated denial-of-service condition. A small number of attacker-controlled connections can exhaust the available worker pool, rendering the server unreachable for legitimate users. 
This impacts any Bandit-fronted HTTP/1 service that accepts chunked request bodies, including Phoenix and Plug applications. Servers behind proxies forwarding trailer-bearing requests are also vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the vendor-supplied patch to upgrade to Bandit version 1.11.1 or later, which resolves the vulnerability (reference: \u003ca href=\"https://github.com/advisories/GHSA-rf5q-vwxw-gmrf\"\u003ehttps://github.com/advisories/GHSA-rf5q-vwxw-gmrf\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Bandit Chunked Trailer DoS Attempt\u003c/code\u003e to identify requests exploiting this vulnerability in your environment (reference: Sigma rule below).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for HTTP POST requests with \u003ccode\u003eTransfer-Encoding: chunked\u003c/code\u003e and trailer fields (reference: \u003ccode\u003ewebserver\u003c/code\u003e log source).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-19T19:26:58Z","date_published":"2026-05-19T19:26:58Z","id":"https://feed.craftedsignal.io/briefs/2026-05-bandit-chunked-trailer-dos/","summary":"Bandit versions 1.6.0 through 1.11.0 are vulnerable to an unauthenticated denial-of-service (CVE-2026-39806) via a chunked request with trailers, where sending a request with `Transfer-Encoding: chunked` and a trailer field causes the connection's worker process to spin forever in an infinite recursion, exhausting the listener pool and rendering the server unresponsive.","title":"Bandit HTTP/1 Chunked Request Trailer Denial of Service","url":"https://feed.craftedsignal.io/briefs/2026-05-bandit-chunked-trailer-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Bandit (\u003e= 1.6.0, \u003c 1.11.1)","version":"https://jsonfeed.org/version/1.1"}