CVE-2026-56812
Received Received - Intake

Denial of Service in Phoenix JavaScript Presence Client

Vulnerability report for CVE-2026-56812, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: EEF

Description

Improper Check for Unusual or Exceptional Conditions vulnerability in phoenixframework phoenix (Presence JavaScript client) allows an attacker with ordinary channel access to cause a persistent client-side denial of service against every viewer of a presence channel topic. This vulnerability is associated with program files assets/js/phoenix/presence.js and program routines Presence.syncState and Presence.syncDiff. The Phoenix JavaScript presence client checks whether a presence already exists with a bare truthiness test (state[key]) instead of an own-property check. Presence keys can be attacker-controlled, because applications track presences under a username or id supplied by the client. A user who joins a channel choosing a key that is an Object.prototype member name (__proto__, constructor, toString, hasOwnProperty, and similar) makes that lookup return JavaScript's built-in Object.prototype instead of undefined. Because the prototype is truthy, the code treats it as an existing presence and reads .metas.map(...) off it, which throws an uncaught TypeError. The exception propagates out of the presence message handler, so the local state is never updated and onSync() never fires. Because the malicious key is tracked on the server, it is re-pushed on every presence update and keeps re-throwing, so presence sync stays broken for every viewer of that channel topic until the attacker leaves. Both syncState and syncDiff use the same unsafe existence-check pattern. The impact is limited to the affected topic and is a read-time confusion of the prototype object, not a mutation of Object.prototype (it is not prototype pollution). This issue affects phoenix: from 1.2.0-rc.0 before 1.5.15, from 1.6.0-rc.0 before 1.6.17, from 1.7.0-rc.0 before 1.7.24, and from 1.8.0-rc.0 before 1.8.9.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
phoenixframework phoenix From 1.2.0 (inc) to 1.5.15 (exc)
phoenixframework phoenix From 1.6.0 (inc) to 1.6.17 (exc)
phoenixframework phoenix From 1.7.0 (inc) to 1.7.24 (exc)
phoenixframework phoenix From 1.8.0 (inc) to 1.8.9 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-754 The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-56812 is a vulnerability in the Phoenix JavaScript presence client where presence keys that collide with JavaScript Object.prototype member names (such as __proto__, constructor, or toString) cause improper existence checks. The code uses a bare truthiness test (state[key]) instead of checking if the property is an own property, so when an attacker supplies a key matching a prototype member, the lookup returns the built-in Object.prototype object, which is truthy.

This causes the code to attempt to access .metas.map(...) on Object.prototype, throwing an uncaught TypeError. This exception prevents the local presence state from updating and the onSync() callback from firing, resulting in a persistent client-side denial of service for all viewers of the affected presence channel topic until the attacker leaves.

The vulnerability affects Phoenix framework versions from 1.2.0 before 1.5.15, 1.6.0 before 1.6.17, 1.7.0 before 1.7.24, and 1.8.0 before 1.8.9.

Impact Analysis

This vulnerability can cause a persistent client-side denial of service (DoS) for every viewer of a presence channel topic in applications using the Phoenix JavaScript presence client.

An attacker with ordinary channel access can supply a malicious presence key that triggers an uncaught TypeError in the presence synchronization code, breaking the presence sync for all viewers of that channel topic.

The denial of service persists because the malicious key is tracked server-side and re-pushed on every presence update, continuously causing the error until the attacker leaves the channel.

The impact is limited to the affected topic and does not involve prototype pollution or mutation of the Object prototype.

Detection Guidance

This vulnerability manifests as a persistent client-side denial of service in the Phoenix JavaScript presence client when presence keys collide with JavaScript Object.prototype member names such as __proto__, constructor, or toString.

Detection involves monitoring presence channel topics for errors related to uncaught TypeErrors thrown from presence synchronization routines (Presence.syncState and Presence.syncDiff). Specifically, look for exceptions caused by attempts to access .metas.map(...) on prototype objects.

Since the issue arises from attacker-controlled presence keys, detection can include inspecting presence keys used in your application for any that match Object.prototype member names.

  • Check application logs or browser console logs for uncaught TypeErrors related to presence synchronization.
  • Use network monitoring tools to capture WebSocket or channel traffic and filter for presence keys with suspicious values like '__proto__', 'constructor', or 'toString'.
  • Run JavaScript debugging commands in the browser console to inspect presence state objects, for example:
  • 1. Inspect the presence state object: `console.log(Presence.state)`
  • 2. Check for presence keys that are Object.prototype members: `Object.keys(Presence.state).filter(key => ['__proto__', 'constructor', 'toString', 'hasOwnProperty'].includes(key))`
  • 3. Monitor for repeated presence updates that cause exceptions.
Mitigation Strategies

Immediate mitigation steps include preventing attacker-controlled presence keys from colliding with Object.prototype member names.

  • Reject or sanitize presence keys before calling Phoenix.Presence.track to ensure they do not match any Object.prototype property names such as '__proto__', 'constructor', or 'toString'.
  • Namespace presence keys to avoid collisions with prototype properties.
  • Derive presence keys from server-controlled, validated values instead of raw user input.

Additionally, upgrade the Phoenix framework to a fixed version where the presence state object is created with Object.create(null) and proper own-property checks are used in Presence.syncState and Presence.syncDiff methods. Fixed versions include Phoenix 1.5.15, 1.6.17, 1.7.24, and 1.8.9 or later.

Compliance Impact

The vulnerability causes a persistent client-side denial of service for all viewers of an affected presence channel topic by exploiting improper checks on presence keys. While it disrupts availability of presence information, it does not involve unauthorized data access, data modification, or data leakage.

Because the issue is limited to denial of service on presence synchronization and does not lead to data breaches or unauthorized data exposure, its direct impact on compliance with data protection regulations such as GDPR or HIPAA is limited.

However, denial of service incidents can affect system availability, which is a component of many security frameworks and standards. Organizations relying on Phoenix Presence for critical real-time collaboration or communication features may need to consider this vulnerability in their risk assessments and incident response plans to maintain compliance with availability requirements.

Mitigations such as sanitizing presence keys or deriving them from server-controlled values help reduce the risk of denial of service and support compliance with security best practices.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56812. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart