CVE-2026-32689
Published 2026-05-05
Priority P3 (55), severity high, CVSS 4.0 base score 8.7
EPSS: 0.47% (percentile 37.1)
Allocation of Resources Without Limits or Throttling vulnerability in phoenixframework phoenix allows a denial of service via the long-poll transport's NDJSON body handling.
In 'Elixir.Phoenix.Transports.LongPoll':publish/4, when a POST request is received with Content-Type: application/x-ndjson, the request body is split on newline characters using String.split/2 with no limit on the number of resulting segments. An attacker can send a body consisting entirely of newline bytes, causing a 1:1 amplification into a list of empty binaries — a 1 MB body produces approximately one million list elements, an 8 MB body approximately 8.4 million. Each element is then walked by Enum.map, materializing another list of the same size. This exhausts BEAM memory and schedulers, crashing the node and terminating all active sessions.
A session token required to reach the vulnerable endpoint is freely obtainable by any client via an unauthenticated GET request to the same URL with a matching Origin header, making this attack effectively unauthenticated.
This issue affects phoenix versions from 1.7.0 before 1.7.22, and versions in the 1.8 series before 1.8.6.
Affected version ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| phoenixframework | phoenix | >= 1.7.0 < 1.7.22 | 1.7.22 |
| phoenixframework | phoenix | >= 1.8.0 < 1.8.6 | 1.8.6 |
| phoenixframework | phoenix | >= 2674c6ea30634667f9b09966b90269393b445953 < * | * |
CVSS provenance
- NVD: v4.0, 8.7 HIGH, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- GHSA: 8.7 HIGH
GHSA
Phoenix: Long-poll NDJSON body splitting causes large memory allocation
ghsa · 2026-05-08 · CVE-2026-32689 · HIGH · CVSS 8.7 · CWE-770
### Summary
An unauthenticated denial-of-service vulnerability in Phoenix's long-poll transport allows a remote client to allocate a large amount of memory with an HTTP request. A handful of concurrent requests can be sufficient to let the node run out of memory.
See also https://cna.erlef.org/cves/CVE-2026-32689.html.
### Details
The unoptimised code path exists on the `application/x-ndjson` POST handling in the LongPoll transport. The endpoint requires only a session token, which any client can obtain by issuing a GET to the same URL with a matching `Origin` header, so exploitation is unauthenticated.
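To make the mechanism in the CNA description and the GHSA details concrete, here is an added Elixir illustration (not Phoenix's code and not its actual fix): the unbounded `String.split/2` pattern the advisory describes, beside a bounded splitter that stops as soon as an assumed per-request line budget is exceeded, so a newline-only body is rejected before a large list is materialized. The module name `LongPollBodyGuard`, the `@max_lines` budget of 100 and the inputs are assumptions constructed for the example.

```elixir
defmodule LongPollBodyGuard do
  @moduledoc "Hypothetical bounded NDJSON splitter (illustration only, not Phoenix's code)."

  # Assumed per-request budget of NDJSON lines; a real limit would be tuned per deployment.
  @max_lines 100

  # Pattern described in the advisory: unbounded String.split/2. A body of n newline
  # bytes yields n + 1 empty binaries, so the list grows 1:1 with the request size.
  def split_unbounded(body) when is_binary(body), do: String.split(body, "\n")

  # Bounded alternative: consume the body one segment at a time and abort as soon as
  # the budget is exhausted. Only the accepted lines are accumulated, so memory use is
  # proportional to the budget rather than to the body length.
  def split_bounded(body, max_lines \\ @max_lines)
      when is_binary(body) and is_integer(max_lines) and max_lines > 0 do
    do_split(body, max_lines, 0, [])
  end

  # Budget exhausted while input remains: reject without walking the rest of the body.
  defp do_split(_body, max, count, _acc) when count >= max, do: {:error, :too_many_lines}

  defp do_split(body, max, count, acc) do
    case String.split(body, "\n", parts: 2) do
      # A newline was found: count this segment and continue with the remainder.
      [line, rest] -> do_split(rest, max, count + 1, [line | acc])
      # No newline left. A trailing newline leaves "" here, which is dropped.
      [""] -> {:ok, Enum.reverse(acc)}
      [line] -> {:ok, Enum.reverse([line | acc])}
    end
  end

  # Side-by-side comparison: how many elements the unbounded split materializes
  # versus what the bounded splitter returns for the same body.
  def compare(body, max_lines \\ @max_lines) do
    %{
      unbounded_elements: length(split_unbounded(body)),
      bounded: split_bounded(body, max_lines)
    }
  end
end

# Constructed inputs: a legitimate two-message NDJSON body, and a 10 kB newline-only
# body (scale it to 1 MB and the unbounded list reaches ~1 million elements, as the
# advisory describes, while the bounded splitter still gives up after 100 segments).
IO.inspect(LongPollBodyGuard.compare("{\"a\":1}\n{\"b\":2}\n"))
IO.inspect(LongPollBodyGuard.compare(String.duplicate("\n", 10_000)))
```

The first call returns two parsed lines under both strategies; the second reports 10,001 elements from the unbounded split and `{:error, :too_many_lines}` from the bounded one.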
### Impact
Anyone who runs a LiveView app with a public Longpoll socket or uses a `Phoenix.Socket` with longpol
VulDB
phoenixframework phoenix up to 1.7.21/1.8.5 Elixir.Phoenix.Transports.LongPoll allocation of resources (GHSA-628h-q48j-jr6q)
vuldb · 2026-05-05 · CVE-2026-32689 · HIGH · CVSS 8.7
A vulnerability, which was classified as problematic, was found in phoenixframework phoenix up to 1.7.21/1.8.5. Affected by this vulnerability is the function Elixir.Phoenix.Transports.LongPoll. Executing a manipulation can lead to allocation of resources.
The identification of this vulnerability is CVE-2026-32689. The attack may be launched remotely. There is no exploit available.
You should upgrade the affected component.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://cna.erlef.org/cves/CVE-2026-32689.html
- https://github.com/phoenixframework/phoenix/commit/1a67c61ff9ce0a7711662ac7354861917a7c80f7
- https://github.com/phoenixframework/phoenix/commit/912ea181fd247c21dbcc49fb97d0053b947d81bf
- https://github.com/phoenixframework/phoenix/security/advisories/GHSA-628h-q48j-jr6q
- https://osv.dev/vulnerability/EEF-CVE-2026-32689
Published: 2026-05-05