mint is vulnerable to Denial of Service (DoS)
87
High Risk
Affected versions of mint are vulnerable to an unbounded-memory denial of service in the Mint.HTTP1 chunked response body decoder (decode_body/5 and add_body_to_buffer/2). When processing a Transfer-Encoding: chunked response, the library buffers every partial fragment of the current chunk in memory and does not emit data to the caller until the full declared chunk length has been received. Because chunk sizes are parsed from the server with no upper bound, a malicious or compromised remote server can announce an enormous chunk (for example, a size line of 7FFFFFFF, about 2 GiB) and then dribble body bytes without ever completing it, forcing the client to accumulate unbounded memory until an out-of-memory condition occurs. Unlike the content-length path, which streams data immediately, the chunked path gives callers no way to observe or bound memory growth.
You are affected if you are using a version that falls within the vulnerable range and your application uses Mint to fetch HTTP responses from remote servers, especially when following redirects, fetching user-supplied URLs, or processing webhooks.
mint is vulnerable to Denial of Service (DoS) in versions 0.5.0 - 1.9.0.
Upgrade the mint library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant