Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion. The chunked clause of 'Elixir.Bandit.HTTP1.Socket':read_data/2 in lib/bandit/http1/socket.ex ignores the caller-supplied :length option when reading HTTP/1 chunked request bodies. Instead of capping the accumulated body at the configured limit (e.g. Plug.Parsers' default 8 MB), do_read_chunked_data!/5 buffers every received chunk into an iolist unconditionally and materializes the entire body as a single binary. The function always returns {:ok, body, ...}, so callers cannot interpose a 413 response. Because Plug.Parsers runs before routing and authentication in the standard Phoenix endpoint, an unauthenticated attacker needs no valid route or credentials. Sending a single Transfer-Encoding: chunked POST request with an arbitrarily large body to any path causes the BEAM process to exhaust available memory and be terminated by the OS OOM killer. The content-length path in the same function correctly enforces the limit and is not affected. This issue affects bandit: from 1.4.0 before 1.11.1.

• https://cna.erlef.org/cves/CVE-2026-39803.html
• https://github.com/mtrudel/bandit/commit/ae3520dfdbfab115c638f8c7f6f6b805db34e1ab
• https://github.com/mtrudel/bandit/security/advisories/GHSA-9q9q-324x-93r2
• https://osv.dev/vulnerability/EEF-CVE-2026-39803
• https://github.com/mtrudel/bandit/security/advisories/GHSA-9q9q-324x-93r2

• Mtrudel » Bandit » Version: 1.10.0
  cpe:2.3:a:mtrudel:bandit:1.10.0
• Mtrudel » Bandit » Version: 1.10.1
  cpe:2.3:a:mtrudel:bandit:1.10.1
• Mtrudel » Bandit » Version: 1.10.2
  cpe:2.3:a:mtrudel:bandit:1.10.2
• Mtrudel » Bandit » Version: 1.10.3
  cpe:2.3:a:mtrudel:bandit:1.10.3
• Mtrudel » Bandit » Version: 1.10.4
  cpe:2.3:a:mtrudel:bandit:1.10.4
• Mtrudel » Bandit » Version: 1.11.0
  cpe:2.3:a:mtrudel:bandit:1.11.0
• Mtrudel » Bandit » Version: 1.4.0
  cpe:2.3:a:mtrudel:bandit:1.4.0
• Mtrudel » Bandit » Version: 1.4.1
  cpe:2.3:a:mtrudel:bandit:1.4.1
• Mtrudel » Bandit » Version: 1.4.2
  cpe:2.3:a:mtrudel:bandit:1.4.2
• Mtrudel » Bandit » Version: 1.5.0
  cpe:2.3:a:mtrudel:bandit:1.5.0
• Mtrudel » Bandit » Version: 1.5.1
  cpe:2.3:a:mtrudel:bandit:1.5.1
• Mtrudel » Bandit » Version: 1.5.2
  cpe:2.3:a:mtrudel:bandit:1.5.2
• Mtrudel » Bandit » Version: 1.5.3
  cpe:2.3:a:mtrudel:bandit:1.5.3
• Mtrudel » Bandit » Version: 1.5.4
  cpe:2.3:a:mtrudel:bandit:1.5.4
• Mtrudel » Bandit » Version: 1.5.5
  cpe:2.3:a:mtrudel:bandit:1.5.5
• Mtrudel » Bandit » Version: 1.5.6
  cpe:2.3:a:mtrudel:bandit:1.5.6
• Mtrudel » Bandit » Version: 1.5.7
  cpe:2.3:a:mtrudel:bandit:1.5.7
• Mtrudel » Bandit » Version: 1.6.0
  cpe:2.3:a:mtrudel:bandit:1.6.0
• Mtrudel » Bandit » Version: 1.6.1
  cpe:2.3:a:mtrudel:bandit:1.6.1
• Mtrudel » Bandit » Version: 1.6.10
  cpe:2.3:a:mtrudel:bandit:1.6.10
• Mtrudel » Bandit » Version: 1.6.11
  cpe:2.3:a:mtrudel:bandit:1.6.11
• Mtrudel » Bandit » Version: 1.6.2
  cpe:2.3:a:mtrudel:bandit:1.6.2
• Mtrudel » Bandit » Version: 1.6.3
  cpe:2.3:a:mtrudel:bandit:1.6.3
• Mtrudel » Bandit » Version: 1.6.4
  cpe:2.3:a:mtrudel:bandit:1.6.4
• Mtrudel » Bandit » Version: 1.6.5
  cpe:2.3:a:mtrudel:bandit:1.6.5
• Mtrudel » Bandit » Version: 1.6.6
  cpe:2.3:a:mtrudel:bandit:1.6.6
• Mtrudel » Bandit » Version: 1.6.7
  cpe:2.3:a:mtrudel:bandit:1.6.7
• Mtrudel » Bandit » Version: 1.6.8
  cpe:2.3:a:mtrudel:bandit:1.6.8
• Mtrudel » Bandit » Version: 1.6.9
  cpe:2.3:a:mtrudel:bandit:1.6.9
• Mtrudel » Bandit » Version: 1.7.0
  cpe:2.3:a:mtrudel:bandit:1.7.0
• Mtrudel » Bandit » Version: 1.8.0
  cpe:2.3:a:mtrudel:bandit:1.8.0
• Mtrudel » Bandit » Version: 1.9.0
  cpe:2.3:a:mtrudel:bandit:1.9.0