The vulnerability arises from the function 'Elixir.Bandit.Pipeline':determine_scheme/2, which returns the client-supplied URI scheme verbatim, ignoring whether the transport is actually secure. Attackers can exploit this by sending HTTP/1.1 absolute-form requests or HTTP/2 :scheme pseudo-headers over plaintext TCP connections, causing bandit to incorrectly set conn.scheme to :https. This misrepresentation leads downstream Plug consumers, such as Plug.SSL, to skip necessary HTTPS redirects, send cookies with the secure flag over plaintext, and produce inaccurate audit logs. The flaw is classified as CWE-807 (Reliance on Untrusted Inputs in a Security Decision) and affects bandit versions from 1.0.0 up to but not including 1.11.0.

An attacker can cause the server and downstream components to believe a plaintext HTTP connection is secure HTTPS, leading to insecure cookie transmission, bypass of HTTPS enforcement mechanisms, and inaccurate security logging. This undermines transport security assumptions and may facilitate further attacks relying on these incorrect security decisions. However, exploitation requires control over the client request and only affects plaintext HTTP connections.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should avoid relying solely on conn.scheme for security decisions on plaintext HTTP connections. Consider additional validation of transport security outside of client-supplied scheme values or enforce TLS to prevent plaintext connections. Monitor vendor communications for updates and patches addressing this issue.