Intel

AIKIDO-2026-755588

mint is vulnerable to Denial of Service (DoS)

Denial of Service (DoS)CVE-2026-56810 Published 2 days ago

87

High Risk

This Affects:

elixirmint
0.5.0 - 1.9.0
Fixed in 1.9.1
Are you affected? Scan for Free

TL;DR

Affected versions of mint are vulnerable to an unbounded-memory denial of service in the Mint.HTTP1 chunked response body decoder (decode_body/5 and add_body_to_buffer/2). When processing a Transfer-Encoding: chunked response, the library buffers every partial fragment of the current chunk in memory and does not emit data to the caller until the full declared chunk length has been received. Because chunk sizes are parsed from the server with no upper bound, a malicious or compromised remote server can announce an enormous chunk (for example, a size line of 7FFFFFFF, about 2 GiB) and then dribble body bytes without ever completing it, forcing the client to accumulate unbounded memory until an out-of-memory condition occurs. Unlike the content-length path, which streams data immediately, the chunked path gives callers no way to observe or bound memory growth.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application uses Mint to fetch HTTP responses from remote servers, especially when following redirects, fetching user-supplied URLs, or processing webhooks.

Background info

mint is vulnerable to Denial of Service (DoS) in versions 0.5.0 - 1.9.0.

How to fix this

Upgrade the mint library to the patch version.