The vulnerability CVE-2026-39803 in mtrudel bandit is due to improper handling of HTTP/1 chunked request bodies in the function Elixir.Bandit.HTTP1.Socket:read_data/2. Specifically, the :length option that should limit the size of the accumulated request body is ignored when reading chunked transfer encoding data. Instead, all chunks are buffered into an iolist and then converted into a single binary without enforcing size limits. Because Plug.Parsers processes the request body before routing and authentication, an unauthenticated attacker can send a single chunked POST request with an arbitrarily large body to any endpoint, causing the BEAM process to exhaust system memory and be killed by the OS. The content-length request handling path correctly enforces limits and is not vulnerable. This issue affects bandit versions starting from 1.4.0 up to but not including 1.11.1. There is no vendor advisory or patch information currently available.

An unauthenticated remote attacker can cause a denial of service by sending a single HTTP/1 chunked POST request with an arbitrarily large body to any path served by the vulnerable bandit versions. This leads to memory exhaustion in the BEAM process running bandit, resulting in process termination by the operating system's out-of-memory killer. This disrupts service availability and can cause downtime until the process is restarted. No authentication or valid routing is required to exploit this vulnerability.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, consider implementing network-level protections such as limiting request sizes or blocking chunked transfer encoding requests at a reverse proxy or firewall to mitigate exploitation risk. Monitor for updates from the mtrudel bandit project regarding patches or official mitigations.