Threat Advisory

Plug Vulnerability Causes Unauthenticated Denial of Service

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-8468 (CVSS score 8.2) is a denial-of-service vulnerability in the Erlang plug framework, specifically in the 'Elixir.Plug.Conn':read_part_headers/2 function. The affected plug versions are 1.4.0 or later but earlier than 1.15.4, 1.16.0 to 1.16.3, 1.17.0 to 1.17.1, 1.18.0 to 1.18.2, and 1.19.0 to 1.19.2. An unauthenticated remote attacker can trigger the issue by sending a crafted multipart/form-data request: the multipart header parser accumulates the incoming data in an unbounded buffer, exhausting server memory and causing a denial of service. Only a remote connection is needed; no special privileges are required. Successful exploitation results in a denial of service, with business impact including downtime, lost productivity and potential financial losses, provided a vulnerable plug package is installed and the crafted multipart/form-data request reaches it.


RECOMMENDATION:

  • We recommend updating erlang/plug to version 1.15.4, 1.16.3, 1.17.1, 1.18.2 or 1.19.2, depending on the release line in use.
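To check whether a project is exposed, the affected ranges and fixed releases above can be encoded and compared against the plug entry in a mix.lock file. The following Python script is an added example, not part of the advisory or the plug project; it assumes each upper bound in the affected ranges is exclusive (the advisory names those versions as the releases to update to), treats semver pre-releases as sorting below their final release, and uses a constructed mix.lock excerpt with placeholder hashes.

```python
"""Check a mix.lock plug entry against the affected ranges from the advisory."""
import re

# Affected ranges as (inclusive lower, exclusive upper). Assumption: the upper
# bound is the fixed release, since the advisory recommends updating to it.
AFFECTED_RANGES = [
    ("1.4.0", "1.15.4"),
    ("1.16.0", "1.16.3"),
    ("1.17.0", "1.17.1"),
    ("1.18.0", "1.18.2"),
    ("1.19.0", "1.19.2"),
]

# Matches a mix.lock line such as:  "plug": {:hex, :plug, "1.16.1", ...
LOCK_LINE = re.compile(r'"plug":\s*\{:hex,\s*:plug,\s*"([^"]+)"')


def parse_version(text):
    """Comparable tuple; a pre-release (e.g. 1.16.3-rc.0) sorts below its release."""
    core, _, pre = text.partition("-")
    core = core.split("+", 1)[0]                       # drop build metadata
    parts = (core.split(".") + ["0", "0"])[:3]         # pad missing components
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch, 0 if pre else 1)


def check_plug_version(version):
    """Return the fixed release to upgrade to if `version` is affected, else None."""
    v = parse_version(version)
    for lower, upper in AFFECTED_RANGES:
        if parse_version(lower) <= v < parse_version(upper):
            return upper
    return None


def check_mix_lock(lock_text):
    """Return (locked_version, fixed_version_or_None), or None if plug is absent."""
    for line in lock_text.splitlines():
        match = LOCK_LINE.search(line)
        if match:
            return match.group(1), check_plug_version(match.group(1))
    return None


# Constructed sample mix.lock excerpt (not from a real project); hashes are placeholders.
SAMPLE_MIX_LOCK = '''%{
  "plug": {:hex, :plug, "1.16.1", "PLACEHOLDER_HASH", [:mix], [], "hexpm", "PLACEHOLDER_HASH"},
  "plug_crypto": {:hex, :plug_crypto, "2.1.0", "PLACEHOLDER_HASH", [:mix], [], "hexpm", "PLACEHOLDER_HASH"},
}'''

if __name__ == "__main__":
    print(check_mix_lock(SAMPLE_MIX_LOCK))  # ('1.16.1', '1.16.3')
```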

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-468c-vq7p-gh64
