GHSA-w6cq-9cf4-gqpgMediumCVSS 4.9

RabbitMQ vulnerable to Denial of Service by publishing large messages over the HTTP API

Published
June 30, 2026
Last Modified
June 30, 2026

🔗 CVE IDs covered (1)

📋 Description

Summary

Responsibly disclosed by @NSEcho.

HTTP API did not enforce an HTTP request body limit, making it vulnerable for DoS attacks with very large messages.

Details

An authenticated user with sufficient credentials can publish a very large messages over the HTTP API and cause target node to be terminated by an "out-of-memory killer"-like mechanism.

A PoC was provided to Team RabbitMQ privately.

Impact

Denial of Service

🎯 Affected products2

  • erlang/rabbit_common:>= 3.12.0, < 3.12.7
  • erlang/rabbit_common:>= 3.11.0, < 3.11.24

🔗 References (5)