Plug: multipart :length limit is not charged for part headers, enabling unbounded temp-file creation (denial of service)

Summary

CVECVE-2026-56814
StatePUBLISHED
AssignerEEF
Source PriorityCVE Program / NVD first with legacy fallback
Published2026-07-10 12:17:24 UTC
Updated2026-07-10 17:56:00 UTC
DescriptionPlug.Parsers.MULTIPART, the multipart request-body parser used to handle file uploads and multipart forms, does not enforce its :length budget against all consumed resources, allowing an unauthenticated remote attacker to cause denial of service. The parser charges the :length limit only for part body bytes; part header bytes are never counted, and a part with an empty body costs zero. Because every part whose Content-Disposition carries a non-empty filename creates a fresh temporary file (via Plug.Upload) and retains a Plug.Upload struct for the duration of the request, an attacker can send a single request composed of many empty-body file parts. Such a request stays well under the configured :length limit (8,000,000 bytes by default) while creating one temporary file per part, leading to inode and disk exhaustion and unbounded memory growth. Any application using Plug.Parsers with the :multipart parser is affected, and no authentication is required, only reachability of a multipart endpoint over HTTP. This vulnerability is associated with program files lib/plug/parsers/multipart.ex and program routines Plug.Parsers.MULTIPART.parse_multipart/2, Plug.Parsers.MULTIPART.parse_multipart_headers/5, Plug.Parsers.MULTIPART.parse_multipart_body/4, and Plug.Parsers.MULTIPART.parse_multipart_file/4. This issue affects plug: from 1.4.0 before 1.16.6, from 1.17.0 before 1.17.4, from 1.18.0 before 1.18.5, from 1.19.0 before 1.19.5, and from 1.20.0 before 1.20.3.

Risk And Classification

Primary CVSS: v4.0 6.9 MEDIUM from 6b3ad84c-e1a6-4bf7-a703-f496b71e49db

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Problem Types: CWE-770 | CWE-770 CWE-770 Allocation of Resources Without Limits or Throttling


VersionSourceTypeScoreSeverityVector
4.06b3ad84c-e1a6-4bf7-a703-f496b71e49dbSecondary6.9MEDIUMCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/C...
4.0CNACVSS6.9MEDIUMCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

CVSS v4.0 Breakdown

Attack Vector
Network
Attack Complexity
Low
Attack Requirements
None
Privileges Required
None
User Interaction
None
Confidentiality
None
Integrity
None
Availability
Low
Sub Conf.
None
Sub Integrity
None
Sub Availability
None

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Vendor Declared Affected Products

SourceVendorProductVersionPlatforms
CNA Elixir-plug Plug affected 1.4.0 1.16.6 semver Not specified
CNA Elixir-plug Plug affected 1.17.0 1.17.4 semver Not specified
CNA Elixir-plug Plug affected 1.18.0 1.18.5 semver Not specified
CNA Elixir-plug Plug affected 1.19.0 1.19.5 semver Not specified
CNA Elixir-plug Plug affected 1.20.0 1.20.3 semver Not specified
CNA Elixir-plug Plug affected c52b2f32c90bccd718202bafccb5f95594e30183 * git Not specified

References

ReferenceSourceLinkTags
github.com/elixir-plug/plug/commit/cae36053350e5215a4e0ca33cd130af9c5fc6364 6b3ad84c-e1a6-4bf7-a703-f496b71e49db github.com
github.com/elixir-plug/plug/commit/56edca2ce35fe5589cd581644d8a4493fa5f484e 6b3ad84c-e1a6-4bf7-a703-f496b71e49db github.com
osv.dev/vulnerability/EEF-CVE-2026-56814 6b3ad84c-e1a6-4bf7-a703-f496b71e49db osv.dev
github.com/elixir-plug/plug/commit/981597d3a4271ede64373c7a731702a42c500dd6 6b3ad84c-e1a6-4bf7-a703-f496b71e49db github.com
cna.erlef.org/cves/CVE-2026-56814.html 6b3ad84c-e1a6-4bf7-a703-f496b71e49db cna.erlef.org
github.com/elixir-plug/plug/commit/f7effaed811c00b5f5bf817936bfd9c5df27b7dc 6b3ad84c-e1a6-4bf7-a703-f496b71e49db github.com
github.com/elixir-plug/plug/commit/0ee8afcc61466dc5f7a8f048d0632c899165b81f 6b3ad84c-e1a6-4bf7-a703-f496b71e49db github.com
github.com/elixir-plug/plug/security/advisories/GHSA-95qv-c9g9-rm63 6b3ad84c-e1a6-4bf7-a703-f496b71e49db github.com
github.com/elixir-plug/plug/commit/df97d3f17f808a9916a7700a701fb85314559d56 6b3ad84c-e1a6-4bf7-a703-f496b71e49db github.com
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis

Vendor Comments And Credit

Discovery Credit

CNA: Peter Ullrich (en)

CNA: Jonatan Männchen (en)

CNA: José Valim (en)

© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report