Bandit WebSocket fragment reassembly has no size cap, enabling unauthenticated DoS
TL;DR - In bandit, WebSocket fragmented message reassembly appends Continuation{fin: false} frames into an iolist with no cumulative size cap. An unauthenticated client streams continuation frames without ever setting fin=1, growing heap until the OS or supervisor kills the process.
What happened
bandit is an Elixir HTTP server that also terminates WebSocket connections. CVE-2026-42786 is an unauthenticated remote denial-of-service via memory exhaustion in its WebSocket fragment reassembly path.
In 'Elixir.Bandit.WebSocket.Connection':handle_frame/3 (lib/bandit/websocket/connection.ex), each incoming Continuation{fin: false} frame payload is appended to a per-connection iolist. There is no cumulative size cap. Bandit's max_frame_size option only bounds individual frames, not the total size of a fragmented message. A peer can stream an unbounded sequence of continuation frames without ever setting fin=1, growing the process heap until the OS or a supervisor kills it.
The accumulation happens before WebSock.handle_in/2 is called, so application handler code never gets a chance to enforce its own limits. This is the classic "limits enforced at the wrong layer" failure mode. It shows up repeatedly in WebSocket stacks where fragmentation is reassembled before any policy checks run.
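To make the two bounds concrete, here is an added Python model of the reassembly step, written for this post rather than taken from bandit's code: a per-frame cap like max_frame_size leaves the buffer unbounded, while a cumulative cap stops a fragment stream that never sets fin=1. The Frame, Reassembler and stream_without_fin names, and the frame stream they exercise, are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

class FragmentLimitExceeded(Exception):
    """Raised when a fragmented message would exceed a configured bound."""

@dataclass
class Frame:
    opcode: str  # "text", "binary" or "continuation"
    fin: bool
    payload: bytes

@dataclass
class Reassembler:
    max_frame_size: int                     # per-frame bound, as max_frame_size provides
    max_message_size: Optional[int] = None  # cumulative bound; None models the vulnerable behaviour
    _parts: list = field(default_factory=list)
    _buffered: int = 0

    def handle_frame(self, frame: Frame) -> Optional[bytes]:
        """Buffer one frame; return the whole message once fin=1, else None."""
        size = len(frame.payload)
        if size > self.max_frame_size:
            raise FragmentLimitExceeded("frame exceeds max_frame_size")
        if frame.opcode == "continuation" and not self._parts:
            raise ValueError("continuation frame with no message in progress")
        # The missing check: bound the reassembled message, not just each frame.
        if self.max_message_size is not None and self._buffered + size > self.max_message_size:
            raise FragmentLimitExceeded("fragmented message exceeds max_message_size")
        self._parts.append(frame.payload)
        self._buffered += size
        if not frame.fin:
            return None
        message = b"".join(self._parts)
        self._parts, self._buffered = [], 0
        return message

def stream_without_fin(reassembler: Reassembler, frames: int, frame_size: int) -> tuple:
    """Constructed abuse pattern: a text frame then continuations, none with fin=1.
    Returns (frames accepted, bytes held in the buffer, whether a limit stopped it)."""
    accepted = 0
    for i in range(frames):
        opcode = "text" if i == 0 else "continuation"
        try:
            reassembler.handle_frame(Frame(opcode, False, b"A" * frame_size))
        except FragmentLimitExceeded:
            return accepted, reassembler._buffered, True
        accepted += 1
    return accepted, reassembler._buffered, False
```

With only the per-frame cap, 10,000 frames of 1024 bytes are all accepted and 10 MB sits in the buffer; with a 1 MiB cumulative cap the same stream is cut off after 1024 frames.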
| Item | Detail |
|---|---|
| Affected component | bandit WebSocket reassembly (handle_frame/3) |
| Affected versions | >= 0.5.0 and < 1.11.0 |
| Fixed version | 1.11.0 |
| Severity | CVSS v4.0 8.7 (High), availability impact |
| CWE | CWE-770 (Allocation of Resources Without Limits or Throttling) |
Who is impacted
- Any service that accepts WebSocket connections via bandit versions >= 0.5.0 and < 1.11.0.
- Applications with no WebSocket endpoints are not reachable via this path.
What to do now
- Update bandit to 1.11.0 or later. This is the fix. Check your mix.lock, container images, and deployed releases.
- Inventory WebSocket exposure: identify which services terminate WebSocket connections on bandit, and confirm versions across all environments.
- Add compensating controls while rolling out the patch:
  - Enforce connection limits and rate limits for WebSocket upgrade paths at the edge or load balancer.
  - Monitor for clients sending long runs of continuation frames without fin=1.
- If you suspect active abuse:
  - Review logs for WebSocket connections with abnormal message fragmentation patterns.
  - Treat any availability event on affected services as potentially attacker-driven until you can rule it out.
Additional Information
- GitHub Security Advisory: https://github.com/mtrudel/bandit/security/advisories/GHSA-pf94-94m9-536p
- Patch commit: https://github.com/mtrudel/bandit/commit/21612c7c7b1ce43eccd36d3af3a2299d23513667