This vulnerability in phoenixframework phoenix affects the long-poll transport's NDJSON body handling in the function Elixir.Phoenix.Transports.LongPoll:publish/4. When processing a POST request with Content-Type application/x-ndjson, the request body is split on newline characters without limiting the number of segments. An attacker can exploit this by sending a body composed entirely of newline bytes, causing a large amplification in the number of list elements created. For example, a 1 MB body can produce approximately one million list elements, and an 8 MB body about 8.4 million. This leads to excessive memory and scheduler consumption on the BEAM virtual machine, crashing the node and terminating all active sessions. The session token required to access this endpoint can be obtained unauthenticated via a GET request with a matching Origin header, making the attack effectively unauthenticated. Affected versions include phoenix 1.7.0 through before 1.7.22 and 1.8.6.

Successful exploitation results in denial of service by exhausting BEAM memory and schedulers, causing the phoenix node to crash and all active sessions to terminate. This disrupts availability of services relying on the affected phoenixframework versions. The attack requires no authentication, increasing the risk of exploitation. There are no known exploits in the wild as of the published date.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or patch links are provided in the available data. Until a patch is available, consider implementing request size limits or throttling on the long-poll transport endpoint to mitigate excessive resource consumption. Monitor vendor communications for updates on official fixes.