Denial of Service Vulnerability in Plug Parser for Multipart File Uploads
CVE-2026-56814
6.9MEDIUM
What is CVE-2026-56814?
The vulnerability in the multipart request-body parser used by Plug allows unauthenticated remote attackers to trigger denial of service by sending a crafted request with multiple empty body parts. This causes inode and disk exhaustion due to the creation of temporary files, without the size of part headers being counted against the configured length budget. Hence, applications utilizing Plug.Parsers with multipart parsing may experience unbounded memory growth and performance degradation.
Affected Version(s)
plug 1.4.0 < 1.16.6
plug 1.17.0 < 1.17.4
plug 1.18.0 < 1.18.5
