`bandit`

Ecosystem:
hex

Package URL:
pkg:hex/bandit

Total PRs:
218 Dependabot PRs

Latest PR:
24 days ago

Unique Repositories:
100 repositories

Unique Repos (30 days):
9 repositories

Security Advisories

HTTP/1 chunked decoder infinite loop on requests with trailer fields in bandit

EEF-CVE-2026-39806 GHSA-rf5q-vwxw-gmrf CVE-2026-39806 HIGH published 28 days ago • updated about 3 hours ago

## Summary Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in mtrudel bandit allows unauthenticated remote denial of service ...

WebSocket fragmented message reassembly unbounded in bandit

EEF-CVE-2026-42786 GHSA-pf94-94m9-536p CVE-2026-42786 HIGH published about 1 month ago • updated about 3 hours ago

## Summary Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service vi...

Bandit: Unauthenticated DoS via chunked request trailers in Bandit HTTP/1 decoder

GHSA-rf5q-vwxw-gmrf CVE-2026-39806 HIGH published 22 days ago • updated 2 days ago

### Summary A worker-pinning denial of service in Bandit's HTTP/1 chunked transfer decoder. Any unauthenticated client that sends a `Transfer-Encod...

Bandit: Unauthenticated one-shot DoS via `Transfer-Encoding: chunked`

GHSA-9q9q-324x-93r2 CVE-2026-39803 HIGH published 22 days ago • updated 2 days ago

### Summary Bandit's HTTP/1 chunked-body reader silently drops the request size cap that the application configures (e.g. `Plug.Parsers`' default ...

Bandit Buffers Unbounded WebSocket Continuation Frames, Allowing Unauthenticated Memory Exhaustion

GHSA-pf94-94m9-536p CVE-2026-42786 HIGH published about 1 month ago • updated 8 days ago

### Summary A single unauthenticated WebSocket client can exhaust server memory in any Bandit-fronted application that accepts WebSocket connection...

View all 14 advisories

Recent PRs (filtered by: Patch PRs )

RSS Feed Clear filter

Bump the minor-updates group with 3 updates

onnenon/receipts #5

1.11.0 → 1.11.1 Patch PR

Closed 24 days ago 1 comment

chore(deps): bump the prod-dependencies group with 7 updates

beam-bots/bb_example_so101 #17

1.11.0 → 1.11.1 Patch PR

Closed 24 days ago 1 comment

Bump the dev-dependencies group with 4 updates

ash-project/ash_storage #1

1.10.3 → 1.10.4 Patch PR

Closed 2 months ago 1 comment

Bump bandit from 1.10.2 to 1.10.4

tomasz-tomczyk/llm-welcome #27

1.10.2 → 1.10.4 Patch PR

Closed 2 months ago 1 comment

Bump the mix-production-dependencies group across 1 directory with 4 updates

grant-engelbrecht/AstroShop #36

1.10.2 → 1.10.3 Patch PR

Closed 3 months ago 1 comment

deps(deps-dev): bump bandit from 1.10.2 to 1.10.3

agentjido/req_llm #458

1.10.2 → 1.10.3 Patch PR

Open 4 months ago 1 comment

deps(elixir): bump the elixir-query-service group across 1 directory with 4 updates

all-source-os/all-source #68

1.10.2 → 1.10.3 Patch PR

Open 4 months ago 2 comments

Bump bandit from 1.10.2 to 1.10.3

dwyl/phoenix-liveview-counter-tutorial #300

1.10.2 → 1.10.3 Patch PR

Closed 4 months ago 1 comment

Bump the production-dependencies group across 1 directory with 3 updates

ringvold/get5_api #199

1.10.2 → 1.10.3 Patch PR

Closed 4 months ago 1 comment

chore(deps-dev): bump the dev-dependencies group with 6 updates

ash-project/ash_typescript #43

1.10.1 → 1.10.2 Patch PR

Open 4 months ago 2 comments

build(deps): bump bandit from 1.10.0 to 1.10.2

watsy0007/stealth #12

1.10.0 → 1.10.2 Patch PR

Closed 5 months ago 1 comment

Bump the production-dependencies group across 1 directory with 19 updates

txssu/cen #58

1.6.4 → 1.6.11 Patch PR

Closed about 1 year ago 2 comments

Bump the production-dependencies group across 1 directory with 18 updates

txssu/cen #56

1.6.4 → 1.6.11 Patch PR

Open about 1 year ago 1 comment

Bump the dependencies group across 1 directory with 7 updates

blunderfest/blunderfest #49

1.6.7 → 1.6.11 Patch PR

Merged about 1 year ago

build(deps): bump bandit from 1.6.8 to 1.6.11

mbta/ride_along #162

1.6.8 → 1.6.11 Patch PR

Closed about 1 year ago 1 comment

Bump bandit from 1.6.9 to 1.6.11

jehrhardt/cozyauth #287

1.6.9 → 1.6.11 Patch PR

Closed about 1 year ago 1 comment

Bump bandit from 1.6.4 to 1.6.11

redgreat/me #29

1.6.4 → 1.6.11 Patch PR

Merged about 1 year ago

Bump bandit from 1.6.10 to 1.6.11 in /lux

Spectral-Finance/lux #246

1.6.10 → 1.6.11 Patch PR

Closed about 1 year ago 1 comment

build(hex): bump bandit from 1.6.8 to 1.6.11

collava/base_ash_template #62

1.6.8 → 1.6.11 Patch PR

Closed about 1 year ago 2 comments

Bump bandit from 1.6.10 to 1.6.11 in /lux_app

Spectral-Finance/lux #244

1.6.10 → 1.6.11 Patch PR

Closed about 1 year ago 1 comment

deps(deps-dev): bump bandit from 1.6.9 to 1.6.11

vloothuis/auth_toolkit #39

1.6.9 → 1.6.11 Patch PR

Closed about 1 year ago 1 comment

Bump the production-dependencies group across 1 directory with 16 updates

ringvold/get5_api #176

1.6.2 → 1.6.10 Patch PR

Open about 1 year ago 2 comments

Bump bandit from 1.6.7 to 1.6.8

thomis/exdemo #29

1.6.7 → 1.6.8 Patch PR

Closed over 1 year ago

Bump the production-dependencies group across 1 directory with 15 updates

txssu/cen #55

1.6.4 → 1.6.7 Patch PR

Open over 1 year ago 2 comments

Package Details

Name:	`bandit`
Ecosystem:	hex
PURL Type:	hex
Package URL:	`pkg:hex/bandit`
JSON API:	View JSON

Security Advisories

14

Active advisories

HIGH 8

MODERATE 3

View All hex Advisories

Package Information

Description:

A pure-Elixir HTTP server built for Plug & WebSock apps

Repository:	https://github.com/mtrudel/bandit
Latest Release:	`1.7.0` about 1 year ago
Dependent Repos:	67
Dependent Packages:	28
Downloads:	5,396,079
Ranking:	Top 2.0086% by dependent repos Top 7.5656% by downloads Top 3.3074% by dependent pkgs

PR Status

Open 75 (34.4%)

Merged 34 (15.6%)

Closed 89 (40.8%)

PR Types

Minor 174 (79.8%)

Patch 24 (11.0%)