{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/bandit/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"id":"CVE-2026-39806"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["bandit (\u003e= 1.6.0, \u003c 1.11.1)"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","bandit","chunked-transfer-encoding"],"_cs_type":"advisory","_cs_vendors":["erlang"],"content_html":"\u003cp\u003eA worker-pinning denial-of-service vulnerability exists in Bandit\u0026rsquo;s HTTP/1 chunked transfer decoder (CVE-2026-39806). The vulnerability affects Bandit versions 1.6.0 through 1.11.0. Any unauthenticated client sending a \u003ccode\u003eTransfer-Encoding: chunked\u003c/code\u003e request with a body ending with a trailer field causes the connection\u0026rsquo;s worker process to become stuck in an infinite recursion. This occurs because the \u003ccode\u003edo_read_chunked_data!/5\u003c/code\u003e function in \u003ccode\u003elib/bandit/http1/socket.ex\u003c/code\u003e does not properly handle trailer fields in chunked requests, leading to repeated calls to \u003ccode\u003eread_available!/2\u003c/code\u003e without progress. A small number of concurrent connections can exhaust the listener pool, rendering the server unresponsive to further traffic. 
The vulnerability was introduced with commit e73e379ab59840e8561b5730878f16e29ab06217 on December 6, 2024.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker sends an HTTP POST request to the vulnerable Bandit server.\u003c/li\u003e\n\u003cli\u003eThe request includes the \u003ccode\u003eTransfer-Encoding: chunked\u003c/code\u003e header to indicate a chunked transfer encoding.\u003c/li\u003e\n\u003cli\u003eThe request body consists of at least one data chunk followed by the last-chunk marker \u003ccode\u003e0\\r\\n\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request body then includes a trailer field, such as \u003ccode\u003eX-Trailer: value\\r\\n\u003c/code\u003e, after the last chunk marker.\u003c/li\u003e\n\u003cli\u003eThe request is terminated with \u003ccode\u003e\\r\\n\u003c/code\u003e to signal the end of the message.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003edo_read_chunked_data!/5\u003c/code\u003e function in \u003ccode\u003elib/bandit/http1/socket.ex\u003c/code\u003e attempts to parse the chunked data.\u003c/li\u003e\n\u003cli\u003eDue to the presence of the trailer field, the function fails to match the terminator clause and enters the \u003ccode\u003e_ -\u0026gt;\u003c/code\u003e arm, leading to a negative \u003ccode\u003eto_read\u003c/code\u003e value and a call to \u003ccode\u003eread_available!/2\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe function tail-recurses with the same state, causing an infinite loop and pinning the worker process, ultimately leading to denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation results in an unauthenticated denial-of-service condition. A small number of attacker-controlled connections can exhaust the available worker pool, rendering the server unreachable for legitimate users. 
This impacts any Bandit-fronted HTTP/1 service that accepts chunked request bodies, including Phoenix and Plug applications. Servers behind proxies forwarding trailer-bearing requests are also vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the vendor-supplied patch to upgrade to Bandit version 1.11.1 or later, which resolves the vulnerability (reference: \u003ca href=\"https://github.com/advisories/GHSA-rf5q-vwxw-gmrf\"\u003ehttps://github.com/advisories/GHSA-rf5q-vwxw-gmrf\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Bandit Chunked Trailer DoS Attempt\u003c/code\u003e to identify requests exploiting this vulnerability in your environment (reference: Sigma rule below).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for HTTP POST requests with \u003ccode\u003eTransfer-Encoding: chunked\u003c/code\u003e and trailer fields (reference: \u003ccode\u003ewebserver\u003c/code\u003e log source).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-19T19:26:58Z","date_published":"2026-05-19T19:26:58Z","id":"https://feed.craftedsignal.io/briefs/2026-05-bandit-chunked-trailer-dos/","summary":"Bandit versions 1.6.0 through 1.11.0 are vulnerable to an unauthenticated denial-of-service (CVE-2026-39806) via a chunked request with trailers, where sending a request with `Transfer-Encoding: chunked` and a trailer field causes the connection's worker process to spin forever in an infinite recursion, exhausting the listener pool and rendering the server unresponsive.","title":"Bandit HTTP/1 Chunked Request Trailer Denial of Service","url":"https://feed.craftedsignal.io/briefs/2026-05-bandit-chunked-trailer-dos/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"id":"CVE-2026-39803"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["bandit (\u003e= 1.4.0, \u003c 
1.11.1)"],"_cs_severities":["medium"],"_cs_tags":["dos","vulnerability","bandit"],"_cs_type":"advisory","_cs_vendors":["Erlang"],"content_html":"\u003cp\u003eA denial-of-service vulnerability exists in the Bandit HTTP/1 chunked-body reader. This vulnerability, discovered in May 2026, stems from the reader not respecting the configured request size cap (e.g., Plug.Parsers\u0026rsquo; default 8 MB length). An attacker can exploit this vulnerability by sending a single, unauthenticated \u003ccode\u003eTransfer-Encoding: chunked\u003c/code\u003e request to any URL of a Bandit-fronted Phoenix/Plug application. Due to the lack of size limiting in \u003ccode\u003elib/bandit/http1/socket.ex\u003c/code\u003e, the entire request body is buffered in memory, leading to BEAM out-of-memory (OOM) errors, effectively crashing the server. This issue impacts Bandit versions 1.4.0 through 1.11.0 and poses a significant risk to Phoenix applications using Bandit as their web server.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends an HTTP POST request to any endpoint on a Bandit-fronted Phoenix application.\u003c/li\u003e\n\u003cli\u003eThe request includes the header \u003ccode\u003eTransfer-Encoding: chunked\u003c/code\u003e to trigger the vulnerable chunked-body reader in Bandit.\u003c/li\u003e\n\u003cli\u003eThe request also sets \u003ccode\u003eContent-Type\u003c/code\u003e to a type handled by \u003ccode\u003ePlug.Parsers\u003c/code\u003e (e.g., \u003ccode\u003eapplication/json\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eBandit\u0026rsquo;s \u003ccode\u003eread_data/2\u003c/code\u003e function in \u003ccode\u003elib/bandit/http1/socket.ex\u003c/code\u003e is invoked to handle the chunked request body.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eread_data/2\u003c/code\u003e function calls \u003ccode\u003edo_read_chunked_data!/5\u003c/code\u003e, but omits the configured 
\u003ccode\u003e:length\u003c/code\u003e cap.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003edo_read_chunked_data!/5\u003c/code\u003e function recursively accumulates all chunks into an iolist.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eIO.iodata_to_binary/1\u003c/code\u003e then materializes the entire iolist as a single binary in memory.\u003c/li\u003e\n\u003cli\u003eThe BEAM process exhausts its memory, leading to an out-of-memory error and crashing the server, resulting in a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability enables an unauthenticated pre-route denial-of-service attack via BEAM memory exhaustion. A single request from a single connection is sufficient to crash the server. This affects nearly every Phoenix application using Bandit, as \u003ccode\u003ePlug.Parsers\u003c/code\u003e is typically mounted ahead of routing and authentication, and the configured \u003ccode\u003elength:\u003c/code\u003e caps are ineffective on the chunked path. 
This can lead to significant service disruptions and downtime.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Bandit Chunked Request DoS Attempt\u003c/code\u003e to your SIEM to detect suspicious chunked requests.\u003c/li\u003e\n\u003cli\u003eUpgrade to Bandit version 1.11.1 or later to patch CVE-2026-39803.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for abnormally large chunked requests originating from single source IPs.\u003c/li\u003e\n\u003cli\u003eReview and adjust memory limits on your BEAM processes to mitigate the impact of potential memory exhaustion attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-19T19:25:16Z","date_published":"2026-05-19T19:25:16Z","id":"https://feed.craftedsignal.io/briefs/2026-05-bandit-chunked-dos/","summary":"Bandit's HTTP/1 chunked-body reader silently drops the request size cap, leading to excessive memory buffering. An unauthenticated attacker can crash Bandit-fronted Phoenix/Plug applications by sending a single 'Transfer-Encoding: chunked' request to any URL, causing BEAM memory exhaustion and a denial-of-service.","title":"Bandit HTTP/1 Chunked Request DoS Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-bandit-chunked-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Bandit","version":"https://jsonfeed.org/version/1.1"}