DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-32689: Denial of Service in Phoenix Framework LongPoll Transport via NDJSON Payload Amplification

Vulnerability ID: CVE-2026-32689
CVSS Score: 8.7
Published: 2026-05-08

The Phoenix Framework contains a high-severity Denial of Service vulnerability in its LongPoll transport mechanism. The vulnerability is caused by unbounded memory allocation when processing Newline Delimited JSON (NDJSON) payloads. Unauthenticated attackers can trigger Out-Of-Memory conditions on the host BEAM node, terminating all active sessions, by forcing the server to eagerly split a payload made up of excessive newline characters.

TL;DR

Unauthenticated remote attackers can crash Phoenix Framework nodes by sending an 8MB NDJSON payload consisting entirely of newline characters to the LongPoll endpoint, triggering memory exhaustion via eager string evaluation.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-770
  • Attack Vector: Network
  • CVSS Base Score: 8.7 (High)
  • EPSS Score: 0.00045
  • Impact: Denial of Service (Node Crash)
  • Exploit Status: Unexploited / PoC Only
  • CISA KEV: No

Affected Systems

  • Phoenix Framework (phoenix Hex package) < 1.7.22
  • Phoenix Framework (phoenix Hex package) 1.8.x < 1.8.6
  • Any Elixir application exposing Phoenix LiveView endpoints via LongPoll
  • Phoenix Framework: >= 1.7.0, < 1.7.22 (Fixed in: 1.7.22)
  • Phoenix Framework: >= 1.8.0, < 1.8.6 (Fixed in: 1.8.6)

Code Analysis

Commit: 1a67c61

Server-side fix to replace String.split with String.splitter for lazy parsing.

Replaces String.split/2 and Enum.map with String.splitter/2 and Enum.find

Commit: 912ea18

Client-side fix to implement MAX_LONGPOLL_BATCH_SIZE in JavaScript.

Adds logic to split large longpoll message batches into chunks of 100
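To make the server-side change concrete, here is an added example (not code from the Phoenix project) contrasting the eager String.split/2 + Enum.map shape with the lazy String.splitter/2 + Enum.find shape described for commit 1a67c61. The dispatch/1 stub stands in for real message decoding, and the 100-line cap is a constructed value, not a Phoenix setting.

```elixir
# Added example, not Phoenix's own code: eager vs lazy NDJSON batch handling.
# `dispatch/1` is a stand-in for real decoding; @max_lines is a constructed cap.
defmodule NdjsonBatch do
  @max_lines 100

  # Vulnerable shape. String.split/2 materialises every line before anything
  # is processed: 8 MB of "\n" yields about 8 million list cells (plus the
  # binaries they point at), all live on the process heap at the same time.
  def eager(body) when is_binary(body) do
    body
    |> String.split("\n")
    |> Enum.map(&dispatch/1)
  end

  # Hardened shape. String.splitter/2 returns a Stream: each line is produced
  # only when the consumer asks for it, and `trim: true` skips the empty lines
  # a newline-only payload consists of without allocating anything for them.
  # Enum.find/3 stops at the first error, so a malformed or oversized batch is
  # rejected without walking the rest of the body.
  def lazy(body) when is_binary(body) do
    body
    |> String.splitter("\n", trim: true)
    |> Stream.with_index(1)
    |> Stream.map(fn
      {_line, n} when n > @max_lines -> {:error, :batch_too_large}
      {line, _n} -> dispatch(line)
    end)
    |> Enum.find(:ok, &match?({:error, _}, &1))
  end

  # Stand-in for JSON decoding and dispatch of a single message.
  defp dispatch(line) do
    if String.trim(line) == "", do: {:error, :empty_message}, else: {:ok, byte_size(line)}
  end
end

# Constructed inputs: a small legitimate batch and a newline-only flood.
batch = ~s({"topic":"room:1"}\n{"topic":"room:2"}\n)
flood = String.duplicate("\n", 8 * 1024 * 1024)

:ok = NdjsonBatch.lazy(batch)
# Scans the 8 MB body but never builds a list of 8 million empty lines.
:ok = NdjsonBatch.lazy(flood)
# 101 messages exceed the constructed cap; processing halts at line 101.
{:error, :batch_too_large} = NdjsonBatch.lazy(String.duplicate("{}\n", 101))
# NdjsonBatch.eager(flood) is deliberately not called here: it is the
# allocation pattern the advisory describes as exhausting the node.
```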

Mitigation Strategies

  • Upgrade Phoenix framework to patched versions (1.7.22 or 1.8.6).
  • Disable the LongPoll transport in Phoenix.Socket configurations if WebSocket connections are sufficient.
  • Implement network-level size restrictions or WAF rules to drop anomalous POST requests containing excessive application/x-ndjson payloads.

Remediation Steps:

  1. Identify the current version of the phoenix Hex package running in your application environments.
  2. Update the mix.exs dependencies to require at least ~> 1.7.22 or ~> 1.8.6.
  3. Run mix deps.get and mix deps.compile to fetch and compile the updated framework code.
  4. If patching is delayed, modify the endpoint module to set longpoll: false inside the socket declarations.

Read the full report for CVE-2026-32689 on our website for more details including interactive diagrams and full exploit analysis.
