AIKIDO-2026-10750

phoenix is vulnerable to Denial of Service

Denial of Service | CVE-2026-32689

87

High Risk

This Affects:

ELIXIR phoenix
1.7.0 - 1.7.21 (fixed in 1.7.22)
1.8.0 - 1.8.5 (fixed in 1.8.6)

TL;DR

Affected versions of this package contain an unauthenticated denial-of-service vulnerability in the LongPoll transport. The application/x-ndjson POST handling allows a remote attacker to trigger excessive memory allocation with crafted requests. Because only a session token is required—and can be obtained via a simple GET request—this can be exploited without authentication.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

phoenix is vulnerable to Denial of Service in versions 1.7.0 - 1.7.21 and 1.8.0 - 1.8.5.

How to fix this

Upgrade the phoenix library to a patched version: 1.7.22 for the 1.7 series or 1.8.6 for the 1.8 series.
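To check a project against the ranges above, the following added example (not part of the original advisory or of the phoenix project) reads the phoenix version pinned in `mix.lock` and classifies it. It assumes the standard Hex entry layout of `mix.lock`; the sample lock content is constructed, and the function names and status strings are hypothetical.

```python
import re
import sys

# Inclusive affected ranges and their fixed versions, as listed in this advisory.
AFFECTED = [
    ((1, 7, 0), (1, 7, 21), "1.7.22"),
    ((1, 8, 0), (1, 8, 5), "1.8.6"),
]

# Hex entry for the package named exactly "phoenix" (not phoenix_html etc.).
LOCK_ENTRY = re.compile(r'"phoenix":\s*\{:hex,\s*:phoenix,\s*"([^"]+)"')
RELEASE = re.compile(r"(\d+)\.(\d+)\.(\d+)")

# Constructed sample mix.lock content (checksums replaced by placeholders).
SAMPLE_LOCK = '''%{
  "phoenix": {:hex, :phoenix, "1.7.14", "aaaa", [:mix], [], "hexpm", "bbbb"},
  "phoenix_html": {:hex, :phoenix_html, "4.1.1", "cccc", [:mix], [], "hexpm", "dddd"},
}
'''

def locked_phoenix_version(lock_text):
    """Return the phoenix version pinned via Hex in mix.lock text, else None."""
    match = LOCK_ENTRY.search(lock_text)
    return match.group(1) if match else None

def classify(version):
    """Return (status, fixed_version) for a version string."""
    match = RELEASE.fullmatch(version)
    if not match:
        # Pre-release or unusual versions are not listed in the advisory.
        return ("review_manually", None)
    parsed = tuple(int(part) for part in match.groups())
    for low, high, fixed in AFFECTED:
        if low <= parsed <= high:
            return ("affected", fixed)
    return ("outside_listed_ranges", None)

def check_lock(lock_text):
    """Return (status, locked_version, fixed_version) for mix.lock text."""
    version = locked_phoenix_version(lock_text)
    if version is None:
        return ("phoenix_not_locked_from_hex", None, None)
    status, fixed = classify(version)
    return (status, version, fixed)

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    print(check_lock(text))
```

Run it with the path to a project's `mix.lock` as the only argument; without an argument it evaluates the constructed sample.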