HTTP/1 chunked decoder infinite loop on requests with trailer fields...

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Description

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in mtrudel bandit allows unauthenticated remote denial of service via worker process exhaustion.

'Elixir.Bandit.HTTP1.Socket':do_read_chunked_data!/5 in lib/bandit/http1/socket.ex terminates only when the last-chunk line 0\r\n is followed immediately by the empty trailer line \r\n. RFC 9112 §7.1.2 permits zero or more trailer fields between them. When trailers are present, none of the match clauses fit: the catch-all arm computes a negative to_read, calls read_available!/2, receives <<>> on timeout, and tail-recurses with unchanged state. The worker process is pinned for the lifetime of the TCP connection.

A handful of concurrent connections sending RFC-conformant chunked requests with trailer fields is sufficient to exhaust the Bandit worker pool and render the server unresponsive to all further traffic. No authentication, special headers, or large payload is required. Proxies such as NGINX and HAProxy legitimately forward trailer-bearing requests, so servers behind such proxies may be affected without any malicious client involvement.

This issue affects bandit: from 1.6.1 before 1.11.1.

AI Analysis

Infinite Loop vulnerability in bandit allowing unauthenticated remote denial of service via worker process exhaustion

Basic Information

ID CVE-2026-39806

Source EEF

Published May 13, 2026 at 13:36

Modified May 13, 2026 at 14:36

Affected Product

Vendor mtrudel

Product bandit

Version 1.6.1

Affected Versions mtrudel bandit 1.6.1
mtrudel bandit e73e379ab59840e8561b5730878f16e29ab06217

CWE Classification

CWE-835

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor mtrudel

Product bandit

Version 1.6.1 to 1.11.0

References

{
    "lastseen": "",
    "description": "Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in mtrudel bandit allows unauthenticated remote denial of service via worker process exhaustion.\n\n'Elixir.Bandit.HTTP1.Socket':do_read_chunked_data!/5 in lib/bandit/http1/socket.ex terminates only when the last-chunk line 0\\r\\n is followed immediately by the empty trailer line \\r\\n. RFC 9112 \u00a77.1.2 permits zero or more trailer fields between them. When trailers are present, none of the match clauses fit: the catch-all arm computes a negative to_read, calls read_available!/2, receives <<>> on timeout, and tail-recurses with unchanged state. The worker process is pinned for the lifetime of the TCP connection.\n\nA handful of concurrent connections sending RFC-conformant chunked requests with trailer fields is sufficient to exhaust the Bandit worker pool and render the server unresponsive to all further traffic. No authentication, special headers, or large payload is required. Proxies such as NGINX and HAProxy legitimately forward trailer-bearing requests, so servers behind such proxies may be affected without any malicious client involvement.\n\nThis issue affects bandit: from 1.6.1 before 1.11.1.",
    "published": "2026-05-13T13:36:17.806Z",
    "modified": "2026-05-13T14:36:34.475Z",
    "type": "cve",
    "title": "HTTP/1 chunked decoder infinite loop on requests with trailer fields in bandit",
    "source": "EEF",
    "references": "https://github.com/mtrudel/bandit/security/advisories/GHSA-rf5q-vwxw-gmrf\nhttps://cna.erlef.org/cves/CVE-2026-39806.html\nhttps://osv.dev/vulnerability/EEF-CVE-2026-39806\nhttps://github.com/mtrudel/bandit/commit/ae3520dfdbfab115c638f8c7f6f6b805db34e1ab",
    "id": "CVE-2026-39806",
    "bulletinFamily": "",
    "cwe": [
        "CWE-835"
    ],
    "cvelist": null,
    "sourceData": "mtrudel bandit 1.6.1\nmtrudel bandit e73e379ab59840e8561b5730878f16e29ab06217",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "bandit",
    "version": "1.6.1",
    "vendor": "mtrudel",
    "ai_description": "Infinite Loop vulnerability in bandit allowing unauthenticated remote denial of service via worker process exhaustion",
    "ai_severity": "High",
    "ai_vendor": "mtrudel",
    "ai_product": "bandit",
    "ai_version": "1.6.1 to 1.11.0",
    "ai_score": 8.7
}

HTTP/1 chunked decoder infinite loop on requests with trailer fields in bandit_CVE-2026-39806