Intel

AIKIDO-2026-979167

plug is vulnerable to Denial of Service (DoS)

Denial of Service (DoS)CVE-2026-56814 Published 3 days ago

69

Medium Risk

This Affects:

ELIXIRplug
0.1.0 - 1.16.5
Fixed in 1.16.6
1.17.0 - 1.17.3
Fixed in 1.17.4
1.18.0 - 1.18.4
Fixed in 1.18.5
1.19.0 - 1.19.4
Fixed in 1.19.5
1.20.0 - 1.20.2
Fixed in 1.20.3
Are you affected? Scan for Free

TL;DR

Plug.Parsers.MULTIPART, the multipart request-body parser in the plug Elixir library that handles file uploads and multipart forms, does not charge its :length budget against file uploads. An unauthenticated remote attacker who can reach any multipart endpoint can send a single request composed of many empty-body file parts that stays well under the configured :length limit (8 MB by default), exhausting inodes and disk and growing memory (denial of service).

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

plug is vulnerable to Denial of Service (DoS) in versions 0.1.0 - 1.16.5, 1.17.0 - 1.17.3, 1.18.0 - 1.18.4, 1.19.0 - 1.19.4 and 1.20.0 - 1.20.2.

How to fix this

Upgrade the plug library to the patch version.