{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/phoenix/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"id":"CVE-2026-32689"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Phoenix"],"_cs_severities":["medium"],"_cs_tags":["dos","phoenix","webserver"],"_cs_type":"advisory","_cs_vendors":["Erlang"],"content_html":"\u003cp\u003eA denial-of-service vulnerability has been identified in the long-poll transport mechanism of the Phoenix framework. This vulnerability, designated as CVE-2026-32689, allows an unauthenticated remote attacker to cause a significant memory allocation on the server by sending malicious HTTP requests. The flaw stems from an unoptimized code path in the \u003ccode\u003eapplication/x-ndjson\u003c/code\u003e POST handling within the LongPoll transport. Since obtaining a session token requires only a GET request with a matching \u003ccode\u003eOrigin\u003c/code\u003e header, exploitation is unauthenticated. This issue has been present in newly generated Phoenix projects since version 1.7.11, potentially exposing a wide range of applications to denial-of-service attacks.\nThe affected versions are Phoenix versions \u0026gt;= 1.7.0 and \u0026lt; 1.7.22, as well as \u0026gt;= 1.8.0 and \u0026lt; 1.8.6.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker sends an HTTP GET request to the long-poll endpoint with a valid \u003ccode\u003eOrigin\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eThe server responds with a session token.\u003c/li\u003e\n\u003cli\u003eAttacker sends multiple concurrent HTTP POST requests with the \u003ccode\u003eapplication/x-ndjson\u003c/code\u003e content type to the long-poll endpoint, including the session token.\u003c/li\u003e\n\u003cli\u003eThe server receives the POST requests and processes them through the unoptimized code path in the LongPoll transport.\u003c/li\u003e\n\u003cli\u003eThe server allocates a large amount of memory for each request due to the NDJSON body splitting.\u003c/li\u003e\n\u003cli\u003eThe memory consumption increases rapidly as the attacker sends more requests.\u003c/li\u003e\n\u003cli\u003eThe server\u0026rsquo;s memory resources are exhausted, leading to a denial-of-service condition.\u003c/li\u003e\n\u003cli\u003eLegitimate users are unable to access the application due to the server\u0026rsquo;s unavailability.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to a complete denial-of-service, rendering Phoenix-based applications unresponsive. Applications using LiveView with public Longpoll sockets or \u003ccode\u003ePhoenix.Socket\u003c/code\u003e with the longpoll option are vulnerable. Because longpoll has been enabled by default in Phoenix projects since version 1.7.11, many applications are likely affected.\nThe impact is a temporary outage, potentially leading to data loss or service disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Phoenix version 1.7.22 or 1.8.6 or later to patch CVE-2026-32689 and mitigate the denial-of-service vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect CVE-2026-32689 Exploitation Attempt — High Volume NDJSON POST Requests\u0026rdquo; to identify potential exploitation attempts by monitoring for a high volume of \u003ccode\u003eapplication/x-ndjson\u003c/code\u003e POST requests to the long-poll endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for an unusual number of POST requests with the \u003ccode\u003eapplication/x-ndjson\u003c/code\u003e content type, looking for potential indicators of exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-11-02T12:00:00Z","date_published":"2024-11-02T12:00:00Z","id":"/briefs/2024-11-phoenix-longpoll-dos/","summary":"An unauthenticated denial-of-service vulnerability in Phoenix's long-poll transport allows a remote client to exhaust server memory by sending a series of crafted HTTP requests, affecting LiveView apps with a public Longpoll socket or Phoenix.Socket with longpoll option.","title":"Phoenix Long-Poll Transport Denial-of-Service Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-11-phoenix-longpoll-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Phoenix","version":"https://jsonfeed.org/version/1.1"}