Home

Description

Allocation of resources without limits vulnerability in elixir-mint mint allows a remote HTTP server to exhaust memory on the client host and cause a denial of service. The Mint.HTTP1.decode_headers/5 and Mint.HTTP1.decode_trailer_headers/4 functions in lib/mint/http1.ex accumulate every parsed response header and chunked-trailer field into a per-request list that persists across incoming TCP segments as request.headers_buffer, and only clear it when the terminating blank line is received. The section has no cap on the number of headers or on total bytes, and the underlying :erlang.decode_packet(:httph_bin, binary, []) parser is invoked with an empty option list so its per-line and per-packet size limits also default to unlimited. A malicious HTTP server (reachable directly, via an attacker-controlled redirect, via SSRF, or via a man-in-the-middle) can stream complete header lines (or, after a chunked body, complete trailer lines) indefinitely without ever emitting the terminating blank line. The connection state grows without bound until the BEAM node is killed by the operating system's out-of-memory handler, taking down the entire application that uses Mint as an HTTP client. This issue affects mint: from 0.1.0 before 1.9.2.

PUBLISHED Reserved 2026-06-29 | Published 2026-07-14 | Updated 2026-07-14 | Assigner EEF




HIGH: 8.2CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-770 Allocation of Resources Without Limits or Throttling

Product status

Default status
unaffected

0.1.0 (semver) before 1.9.2
affected

Default status
unaffected

3e6de4bac4821b0eb4d6109e8b1f3fb6458792c8 (git) before 566d702e6f29105f77522ca7aabb9f64f2f4e333
affected

Credits

zx (Jace) finder

Andrea Leopardi remediation developer

Eric Meadows-Jönsson remediation reviewer

Jonatan Männchen / EEF analyst

References

github.com/...t/mint/security/advisories/GHSA-qrfr-wh4c-3qhw exploit

github.com/...t/mint/security/advisories/GHSA-qrfr-wh4c-3qhw vendor-advisory related

cna.erlef.org/cves/CVE-2026-58229.html related

osv.dev/vulnerability/EEF-CVE-2026-58229 related

github.com/...ommit/566d702e6f29105f77522ca7aabb9f64f2f4e333 patch

cve.org (CVE-2026-58229)

nvd.nist.gov (CVE-2026-58229)

Download JSON