https://feed.craftedsignal.io/tags/bandit/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 19 May 2026 19:26:58 +0000https://feed.craftedsignal.io/briefs/2026-05-bandit-chunked-trailer-dos/Tue, 19 May 2026 19:26:58 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-bandit-chunked-trailer-dos/Bandit versions 1.6.0 through 1.11.0 are vulnerable to an unauthenticated denial-of-service (CVE-2026-39806) via a chunked request with trailers, where sending a request with `Transfer-Encoding: chunked` and a trailer field causes the connection's worker process to spin forever in an infinite recursion, exhausting the listener pool and rendering the server unresponsive.A worker-pinning denial-of-service vulnerability exists in Bandit’s HTTP/1 chunked transfer decoder (CVE-2026-39806). The vulnerability affects Bandit versions 1.6.0 through 1.11.0. Any unauthenticated client sending a Transfer-Encoding: chunked request with a body ending with a trailer field causes the connection’s worker process to become stuck in an infinite recursion. This occurs because the do_read_chunked_data!/5 function in lib/bandit/http1/socket.ex does not properly handle trailer fields in chunked requests, leading to repeated calls to read_available!/2 without progress. A small number of concurrent connections can exhaust the listener pool, rendering the server unresponsive to further traffic. The vulnerability was introduced with commit e73e379ab59840e8561b5730878f16e29ab06217 on December 6, 2024.

Attack Chain

1. An attacker sends an HTTP POST request to the vulnerable Bandit server.
2. The request includes the Transfer-Encoding: chunked header to indicate a chunked transfer encoding.
3. The request body consists of at least one data chunk followed by the last-chunk marker 0\r\n.
4. The request body then includes a trailer field, such as X-Trailer: value\r\n, after the last chunk marker.
5. The request is terminated with \r\n to signal the end of the message.
6. The do_read_chunked_data!/5 function in lib/bandit/http1/socket.ex attempts to parse the chunked data.
7. Due to the presence of the trailer field, the function fails to match the terminator clause and enters the _ -> arm, leading to a negative to_read value and a call to read_available!/2.
8. The function tail-recurses with the same state, causing an infinite loop and pinning the worker process, ultimately leading to denial of service.

Impact

Successful exploitation results in an unauthenticated denial-of-service condition. A small number of attacker-controlled connections can exhaust the available worker pool, rendering the server unreachable for legitimate users. This impacts any Bandit-fronted HTTP/1 service that accepts chunked request bodies, including Phoenix and Plug applications. Servers behind proxies forwarding trailer-bearing requests are also vulnerable.

Recommendation

• Apply the vendor-supplied patch to upgrade to Bandit version 1.11.1 or later, which resolves the vulnerability (reference: https://github.com/advisories/GHSA-rf5q-vwxw-gmrf).
• Deploy the Sigma rule Detect Bandit Chunked Trailer DoS Attempt to identify requests exploiting this vulnerability in your environment (reference: Sigma rule below).
• Monitor web server logs for HTTP POST requests with Transfer-Encoding: chunked and trailer fields (reference: webserver log source).

]]>mediumadvisorydenial-of-servicebanditchunked-transfer-encodinghttps://feed.craftedsignal.io/briefs/2026-05-bandit-chunked-dos/Tue, 19 May 2026 19:25:16 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-bandit-chunked-dos/Bandit's HTTP/1 chunked-body reader silently drops the request size cap, leading to excessive memory buffering. An unauthenticated attacker can crash Bandit-fronted Phoenix/Plug applications by sending a single 'Transfer-Encoding: chunked' request to any URL, causing BEAM memory exhaustion and a denial-of-service.A denial-of-service vulnerability exists in the Bandit HTTP/1 chunked-body reader. This vulnerability, discovered in May 2026, stems from the reader not respecting the configured request size cap (e.g., Plug.Parsers’ default 8 MB length). An attacker can exploit this vulnerability by sending a single, unauthenticated Transfer-Encoding: chunked request to any URL of a Bandit-fronted Phoenix/Plug application. Due to the lack of size limiting in lib/bandit/http1/socket.ex, the entire request body is buffered in memory, leading to BEAM out-of-memory (OOM) errors, effectively crashing the server. This issue impacts Bandit versions 1.4.0 through 1.11.0 and poses a significant risk to Phoenix applications using Bandit as their web server.

Attack Chain

1. The attacker sends an HTTP POST request to any endpoint on a Bandit-fronted Phoenix application.
2. The request includes the header Transfer-Encoding: chunked to trigger the vulnerable chunked-body reader in Bandit.
3. The request also sets Content-Type to a type handled by Plug.Parsers (e.g., application/json).
4. Bandit’s read_data/2 function in lib/bandit/http1/socket.ex is invoked to handle the chunked request body.
5. The read_data/2 function calls do_read_chunked_data!/5, but omits the configured :length cap.
6. The do_read_chunked_data!/5 function recursively accumulates all chunks into an iolist.
7. IO.iodata_to_binary/1 then materializes the entire iolist as a single binary in memory.
8. The BEAM process exhausts its memory, leading to an out-of-memory error and crashing the server, resulting in a denial of service.

Impact

This vulnerability enables an unauthenticated pre-route denial-of-service attack via BEAM memory exhaustion. A single request from a single connection is sufficient to crash the server. This affects nearly every Phoenix application using Bandit, as Plug.Parsers is typically mounted ahead of routing and authentication, and the configured length: caps are ineffective on the chunked path. This can lead to significant service disruptions and downtime.

Recommendation

• Deploy the Sigma rule Detect Bandit Chunked Request DoS Attempt to your SIEM to detect suspicious chunked requests.
• Upgrade to Bandit version 1.11.1 or later to patch CVE-2026-39803.
• Monitor network traffic for abnormally large chunked requests originating from single source IPs.
• Review and adjust memory limits on your BEAM processes to mitigate the impact of potential memory exhaustion attacks.

]]>mediumadvisorydosvulnerabilitybandit