CVE-2026-8466: CWE-770 Allocation of Resources Without Limits or Throttling in ninenines cowboy
Allocation of Resources Without Limits or Throttling vulnerability in ninenines cowboy allows denial of service via unbounded buffer accumulation in multipart header parsing. cowboy_req:read_part/3 in src/cowboy_req.erl accumulates incoming request bytes into a Buffer binary with no upper-bound check. When cow_multipart:parse_headers/2 returns more or {more, Buffer2}, the function reads up to Length bytes (default 64 KB) from the request body and recurses with the enlarged buffer. There is no equivalent of the byte_size(Acc) > Length guard present in the sibling function read_part_body/4. An unauthenticated attacker can send a multipart/form-data request whose body never yields a complete header section — for example, a body that never contains the advertised boundary delimiter, or one whose header lines never contain \r\n\r\n — and force the server process to accumulate memory linearly with the bytes the protocol layer is willing to deliver. A handful of concurrent such uploads is sufficient to exhaust BEAM memory. This issue affects cowboy from 2.0.0 before 2.15.0.
AI Analysis
Technical Summary
The vulnerability in cowboy (versions 2.0.0 to before 2.15.0) is due to the function cowboy_req:read_part/3 accumulating incoming request bytes into a buffer without enforcing an upper bound. When parsing multipart headers, if the request body never yields a complete header section (e.g., missing boundary delimiters or header line terminators), the server process continues to accumulate memory linearly with incoming bytes. This can be exploited by unauthenticated attackers sending crafted multipart/form-data requests to exhaust BEAM memory, causing denial of service. The issue is classified under CWE-770 (Allocation of Resources Without Limits or Throttling).
Potential Impact
An attacker can cause a denial of service by sending multipart/form-data requests that prevent completion of header parsing, leading to unbounded memory consumption in the server process. This can exhaust the BEAM virtual machine memory, potentially causing service disruption or crashes. The vulnerability does not require authentication and can be triggered remotely over the network.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, consider implementing external request size limits or rate limiting at the network or proxy level to mitigate potential exploitation. Monitor for unusual memory usage patterns in cowboy server processes. Avoid exposing vulnerable versions to untrusted networks if possible.
CVE-2026-8466: CWE-770 Allocation of Resources Without Limits or Throttling in ninenines cowboy
Description
Allocation of Resources Without Limits or Throttling vulnerability in ninenines cowboy allows denial of service via unbounded buffer accumulation in multipart header parsing. cowboy_req:read_part/3 in src/cowboy_req.erl accumulates incoming request bytes into a Buffer binary with no upper-bound check. When cow_multipart:parse_headers/2 returns more or {more, Buffer2}, the function reads up to Length bytes (default 64 KB) from the request body and recurses with the enlarged buffer. There is no equivalent of the byte_size(Acc) > Length guard present in the sibling function read_part_body/4. An unauthenticated attacker can send a multipart/form-data request whose body never yields a complete header section — for example, a body that never contains the advertised boundary delimiter, or one whose header lines never contain \r\n\r\n — and force the server process to accumulate memory linearly with the bytes the protocol layer is willing to deliver. A handful of concurrent such uploads is sufficient to exhaust BEAM memory. This issue affects cowboy from 2.0.0 before 2.15.0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in cowboy (versions 2.0.0 to before 2.15.0) is due to the function cowboy_req:read_part/3 accumulating incoming request bytes into a buffer without enforcing an upper bound. When parsing multipart headers, if the request body never yields a complete header section (e.g., missing boundary delimiters or header line terminators), the server process continues to accumulate memory linearly with incoming bytes. This can be exploited by unauthenticated attackers sending crafted multipart/form-data requests to exhaust BEAM memory, causing denial of service. The issue is classified under CWE-770 (Allocation of Resources Without Limits or Throttling).
Potential Impact
An attacker can cause a denial of service by sending multipart/form-data requests that prevent completion of header parsing, leading to unbounded memory consumption in the server process. This can exhaust the BEAM virtual machine memory, potentially causing service disruption or crashes. The vulnerability does not require authentication and can be triggered remotely over the network.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, consider implementing external request size limits or rate limiting at the network or proxy level to mitigate potential exploitation. Monitor for unusual memory usage patterns in cowboy server processes. Avoid exposing vulnerable versions to untrusted networks if possible.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- EEF
- Date Reserved
- 2026-05-13T11:44:39.149Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a04c4b8cbff5d8610fad362
Added to database: 5/13/2026, 6:36:40 PM
Last enriched: 5/13/2026, 6:51:20 PM
Last updated: 5/13/2026, 7:44:08 PM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.