{ "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-42786", "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "state": "PUBLISHED", "assignerShortName": "EEF", "dateReserved": "2026-04-29T18:06:33.251Z", "datePublished": "2026-05-01T20:34:17.014Z", "dateUpdated": "2026-05-02T04:17:26.677Z" }, "containers": { "cna": { "affected": [ { "collectionURL": "https://repo.hex.pm", "cpes": [ "cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*" ], "defaultStatus": "unaffected", "modules": [ "'Elixir.Bandit.WebSocket.Connection'" ], "packageName": "bandit", "packageURL": "pkg:hex/bandit", "product": "bandit", "programFiles": [ "lib/bandit/websocket/connection.ex" ], "programRoutines": [ { "name": "'Elixir.Bandit.WebSocket.Connection':handle_frame/3" } ], "repo": "https://github.com/mtrudel/bandit", "vendor": "mtrudel", "versions": [ { "lessThan": "1.11.0", "status": "affected", "version": "0.5.0", "versionType": "semver" } ] }, { "collectionURL": "https://github.com", "cpes": [ "cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*" ], "defaultStatus": "unaffected", "modules": [ "'Elixir.Bandit.WebSocket.Connection'" ], "packageName": "mtrudel/bandit", "packageURL": "pkg:github/mtrudel/bandit", "product": "bandit", "programFiles": [ "lib/bandit/websocket/connection.ex" ], "programRoutines": [ { "name": "'Elixir.Bandit.WebSocket.Connection':handle_frame/3" } ], "repo": "https://github.com/mtrudel/bandit", "vendor": "mtrudel", "versions": [ { "lessThan": "1.11.0", "status": "affected", "version": "8909391f486d42138c5308410bc5ea49a65f4d46", "versionType": "git" } ] } ], "configurations": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "
The application must accept WebSocket connections. Applications that expose no WebSocket endpoints are not affected.
" } ], "value": "The application must accept WebSocket connections. Applications that expose no WebSocket endpoints are not affected." } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.11.0", "versionStartIncluding": "0.5.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ], "operator": "AND" } ], "credits": [ { "lang": "en", "type": "finder", "value": "Peter Ullrich" }, { "lang": "en", "type": "remediation developer", "value": "Mat Trudel" }, { "lang": "en", "type": "analyst", "value": "Jonatan Männchen" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion. The fragment reassembly path in 'Elixir.Bandit.WebSocket.Connection':handle_frame/3 in lib/bandit/websocket/connection.ex appends every incoming Continuation{fin: false} frame's payload to a per-connection iolist with no cumulative size cap. The existing max_frame_size option only bounds individual frames; a peer that streams an unbounded number of continuation frames without ever setting fin=1 grows BEAM heap linearly until the OS or a supervisor kills the process.
Because the accumulation happens before WebSock.handle_in/2 is called, the application has no opportunity to interpose a size check. Phoenix Channels and LiveView both run over WebSock on Bandit, so a stock Phoenix application exposes this surface as soon as it accepts socket connections.
This issue affects bandit: from 0.5.0 before 1.11.0.
" } ], "value": "Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion.\n\nThe fragment reassembly path in 'Elixir.Bandit.WebSocket.Connection':handle_frame/3 in lib/bandit/websocket/connection.ex appends every incoming Continuation{fin: false} frame's payload to a per-connection iolist with no cumulative size cap. The existing max_frame_size option only bounds individual frames; a peer that streams an unbounded number of continuation frames without ever setting fin=1 grows BEAM heap linearly until the OS or a supervisor kills the process.\n\nBecause the accumulation happens before WebSock.handle_in/2 is called, the application has no opportunity to interpose a size check. Phoenix Channels and LiveView both run over WebSock on Bandit, so a stock Phoenix application exposes this surface as soon as it accepts socket connections.\n\nThis issue affects bandit: from 0.5.0 before 1.11.0." } ], "impacts": [ { "capecId": "CAPEC-130", "descriptions": [ { "lang": "en", "value": "CAPEC-130 Excessive Allocation" } ] } ], "metrics": [ { "cvssV4_0": { "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.7, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-770", "description": "CWE-770 Allocation of Resources Without Limits or Throttling", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "shortName": "EEF", 
"dateUpdated": "2026-05-02T04:17:26.677Z" }, "references": [ { "tags": [ "vendor-advisory", "related" ], "url": "https://github.com/mtrudel/bandit/security/advisories/GHSA-pf94-94m9-536p" }, { "tags": [ "related" ], "url": "https://cna.erlef.org/cves/CVE-2026-42786.html" }, { "tags": [ "related" ], "url": "https://osv.dev/vulnerability/EEF-CVE-2026-42786" }, { "tags": [ "patch" ], "url": "https://github.com/mtrudel/bandit/commit/21612c7c7b1ce43eccd36d3af3a2299d23513667" } ], "source": { "discovery": "EXTERNAL" }, "title": "WebSocket fragmented message reassembly unbounded in bandit", "x_generator": { "engine": "cvelib 1.8.0" } }, "adp": [ { "references": [ { "url": "https://github.com/mtrudel/bandit/security/advisories/GHSA-pf94-94m9-536p", "tags": [ "exploit" ] } ], "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-05-02T01:15:58.376139Z", "id": "CVE-2026-42786", "options": [ { "Exploitation": "poc" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-02T01:16:39.704Z" } } ] } }