GHSA-q8x4-x7mp-5vg2
Plug.Cowboy vulnerable to unauthenticated remote DoS via HTTP/2 `:scheme` atom-table exhaustion
상세
## Summary
An unauthenticated remote denial-of-service vulnerability in `Plug.Cowboy.Conn` allows any attacker who can reach an HTTPS Plug.Cowboy listener via HTTP/2 to permanently exhaust the BEAM atom table and crash the entire Erlang VM.
## Am I Affected?
All users running plug_cowboy with HTTP/2 may be affected, this includes Phoenix applications. If another HTTP adapter such as Bandit is used, then the consuming project is not affected. If the HTTP/2 endpoint is exposed directly (without a proxy) then the project will be affected. If a proxy is in use then it depends on the proxy configuration. Many proxies use HTTP/1.1 internally, and would be unaffected.
## Impact
The vulnerability will allow crashing the Erlang VM (BEAM) via atom exhaustion.
## Mitigation
Users are advised to update to plug_cowboy v2.8.1 to mitigate this issue.
## Credits Plug.Cowboy thanks Peter Ullrich for finding and responsibly disclosing this vulnerability.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
참고
- https://github.com/elixir-plug/plug_cowboy/security/advisories/GHSA-q8x4-x7mp-5vg2 [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-32688 [ADVISORY]
- https://github.com/elixir-plug/plug_cowboy/commit/bfb34cb45eb354e56437f7023fb306de1bf9c19b [WEB]
- https://cna.erlef.org/cves/CVE-2026-32688.html [WEB]
- https://github.com/elixir-plug/plug_cowboy [PACKAGE]
- https://osv.dev/vulnerability/EEF-CVE-2026-32688 [WEB]