CVE-2026-32689
Denial of Service in Phoenix Framework via NDJSON Handling
Publication date: 2026-05-05
Last updated on: 2026-05-05
Assigner: EEF
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| phoenixframework | phoenix | From 1.7.0 (inc) to 1.7.22 (exc) |
| phoenixframework | phoenix | 1.8.6 |
| phoenixframework | phoenix | to 1.7.22 (exc) |
| phoenixframework | phoenix | to 1.8.6 (exc) |
| phoenixframework | phoenix | 1.7.22 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32689 is a vulnerability in the Phoenix framework's long-poll transport mechanism, specifically in the handling of NDJSON (newline-delimited JSON) request bodies. When a POST request with Content-Type application/x-ndjson is received, the server splits the request body on newline characters without any limit on the number of resulting segments. An attacker can exploit this by sending a body consisting entirely of newline bytes, causing a massive amplification in memory usage as the body is split into millions of empty elements.
This excessive memory allocation exhausts the BEAM virtual machine's memory and schedulers, crashing the node and terminating all active sessions. The attack is unauthenticated because session tokens required to reach the vulnerable endpoint can be obtained by any client via an unauthenticated GET request with a matching Origin header.
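The defensive counterpart to the behaviour described above, as an added illustration that is not Phoenix's own code or its patch: an NDJSON body decoder that enforces a byte cap and a message-count cap before it splits anything, so a body made of nothing but separators is rejected without materialising the segments. The module name, the limits, and the use of the Jason library are assumptions for this example.

```elixir
# Added example, not Phoenix's code. Caps and module name are assumed.
defmodule BoundedNDJSON do
  @max_body_bytes 64 * 1024   # assumed cap on the raw body size
  @max_messages 100           # assumed cap on messages per batch

  @doc """
  Decodes an application/x-ndjson body into a list of JSON terms.
  Returns {:ok, messages} or {:error, reason}. Size and count limits are
  checked up front, so rejected bodies never allocate per-line strings.
  """
  def decode(body, opts \\ []) when is_binary(body) do
    max_bytes = Keyword.get(opts, :max_bytes, @max_body_bytes)
    max_msgs = Keyword.get(opts, :max_messages, @max_messages)

    cond do
      byte_size(body) > max_bytes ->
        {:error, :body_too_large}

      # Count separators in a single pass (no allocation) before splitting;
      # a newline-only body fails here instead of becoming a huge list.
      count_newlines(body) >= max_msgs ->
        {:error, :too_many_messages}

      true ->
        body
        |> String.split("\n", trim: true)
        |> decode_lines([])
    end
  end

  defp count_newlines(bin), do: count_newlines(bin, 0)
  defp count_newlines(<<>>, n), do: n
  defp count_newlines(<<?\n, rest::binary>>, n), do: count_newlines(rest, n + 1)
  defp count_newlines(<<_, rest::binary>>, n), do: count_newlines(rest, n)

  defp decode_lines([], acc), do: {:ok, Enum.reverse(acc)}

  defp decode_lines([line | rest], acc) do
    case Jason.decode(line) do
      {:ok, msg} -> decode_lines(rest, [msg | acc])
      {:error, _} -> {:error, :invalid_json}
    end
  end
end

# Constructed inputs for illustration:
{:ok, [%{"a" => 1}, %{"b" => 2}]} = BoundedNDJSON.decode(~s({"a":1}\n{"b":2}\n))
{:error, :too_many_messages} = BoundedNDJSON.decode(String.duplicate("\n", 10_000))
{:error, :body_too_large} = BoundedNDJSON.decode(String.duplicate("x", 70_000))
```

The ordering matters: the byte check bounds the worst case outright, and the separator count is linear in the body with constant memory, so the expensive `String.split/3` only runs on input already known to be small. In a real endpoint this sits behind whatever request-body length limit the HTTP layer already enforces; the count check is what closes the amplification gap for bodies that are small in bytes but dense in separators.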
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-32689 is a denial-of-service vulnerability that allows unauthenticated attackers to exhaust system memory and crash the Phoenix framework node by sending specially crafted NDJSON payloads. This can lead to service unavailability.
While the vulnerability primarily impacts system availability, it does not directly disclose or manipulate sensitive data. However, denial of service incidents can indirectly affect compliance with standards like GDPR and HIPAA, which require maintaining availability and integrity of systems processing personal or protected health information.
Organizations relying on Phoenix framework for critical applications should consider this vulnerability as a risk to service continuity, which is a component of compliance frameworks. Failure to mitigate such denial-of-service risks could lead to non-compliance with availability requirements in these regulations.
How can this vulnerability impact me?
This vulnerability can cause a denial of service (DoS) by exhausting server memory and crashing the Phoenix node. This results in termination of all active sessions and disruption of service availability.
Because the attack requires no authentication and session tokens can be freely obtained, it can be exploited by remote attackers to cause service outages without needing privileged access.
Systems using Phoenix LiveView apps with public LongPoll sockets or Phoenix.Socket with the longpoll option enabled are particularly at risk, as the long-poll transport is enabled by default in Phoenix projects since version 1.7.11.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves denial of service via unbounded memory allocation triggered by POST requests with Content-Type: application/x-ndjson to the long-poll transport endpoint in Phoenix framework. Detection can focus on monitoring for unusually large or suspicious POST requests to the long-poll endpoint, especially those with bodies containing excessive newline characters or large NDJSON payloads.
Network or system administrators can look for high memory usage or crashes of the BEAM (Erlang VM) node hosting the Phoenix application, which may indicate exploitation attempts.
Specific commands are not provided in the available resources, but general approaches include:
- Using network traffic inspection tools (e.g., tcpdump, Wireshark) to filter POST requests with Content-Type: application/x-ndjson to the Phoenix long-poll endpoint.
- Monitoring application logs for repeated POST requests with large or suspicious NDJSON bodies.
- Using system monitoring tools (e.g., top, htop) to detect abnormal BEAM memory or CPU usage spikes.
- Checking for node crashes or restarts in BEAM logs that correlate with incoming long-poll POST requests.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to upgrade Phoenix to a patched release; the fix ships in versions 1.7.22 and 1.8.6.
If upgrading immediately is not possible, a workaround is to disable the long-poll transport in the Phoenix.Socket configuration. This may prevent clients without WebSocket support from connecting but will mitigate the risk of this denial-of-service attack.
The patches include limiting the size of batched messages sent via long polling and safer handling of NDJSON bodies to prevent memory exhaustion.
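The workaround above expressed as endpoint configuration, as an added example that is not taken from the Phoenix project or its generators: the socket mounts keep WebSocket and set `longpoll: false`, which removes the long-poll transport endpoint entirely. The application and module names, the path names, and the session options are assumptions; the "before" shape in the comment reflects the long-poll mount that Phoenix generators have emitted since 1.7.11, as the page states.

```elixir
# Added example, not the project's own endpoint. Names and options are assumed.
defmodule MyAppWeb.Endpoint do
  use Phoenix.Endpoint, otp_app: :my_app

  @session_options [
    store: :cookie,
    key: "_my_app_key",
    signing_salt: "PLACEHOLDER_SALT",   # placeholder, generate your own
    same_site: "Lax"
  ]

  # Before (long poll enabled, the default mount shape since Phoenix 1.7.11):
  #
  #   socket "/live", Phoenix.LiveView.Socket,
  #     websocket: [connect_info: [session: @session_options]],
  #     longpoll: [connect_info: [session: @session_options]]
  #
  # Workaround until the upgrade lands: WebSocket stays, long poll is off,
  # so POST /live/longpoll no longer reaches the transport at all.
  socket "/live", Phoenix.LiveView.Socket,
    websocket: [connect_info: [session: @session_options]],
    longpoll: false

  # Apply the same change to any user-defined channel socket.
  socket "/socket", MyAppWeb.UserSocket,
    websocket: true,
    longpoll: false

  plug Plug.Static, at: "/", from: :my_app, gzip: false
  plug Plug.Parsers,
    parsers: [:urlencoded, :multipart, :json],
    pass: ["*/*"],
    json_decoder: Phoenix.json_library()
  plug Plug.Session, @session_options
  plug MyAppWeb.Router
end
```

With `longpoll: false`, clients that cannot open a WebSocket (for example behind proxies that strip the Upgrade header) will fail to connect rather than fall back, which is the trade-off the text above describes. Once the endpoint runs 1.7.22 or 1.8.6, the long-poll mount can be restored in its original form.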