Byte Open Security (ByteOS Network)
Vulnerability Details :

CVE-2026-48594

Summary
Assigner: EEF
Assigner Org ID: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
Published At: 02 Jun, 2026 | 19:08
Updated At: 04 Jun, 2026 | 04:45
Rejected At: none

Decompression bomb in Tesla.Middleware.DecompressResponse and Tesla.Middleware.Compression

Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-tesla tesla allows a denial of service via decompression bomb in HTTP response bodies. When Tesla.Middleware.DecompressResponse or Tesla.Middleware.Compression is included in a Tesla middleware pipeline, HTTP response bodies are decompressed eagerly with no size limit. The decompress_body/2 function in lib/tesla/middleware/compression.ex passes the entire response body to :zlib.gunzip/1 or :zlib.unzip/1 without any cap on the output size. Additionally, compression_algorithms/1 splits the content-encoding header on commas and decompress_body/2 recurses once per token, applying a decompression pass on each iteration. A server advertising content-encoding: gzip, gzip, gzip, gzip causes four recursive decompression passes, yielding exponential amplification: each gzip layer can expand its input roughly 1000x, so a payload of a few hundred bytes on the wire inflates to gigabytes of BEAM heap, exhausting memory and crashing or freezing the calling process. This issue affects tesla: from 0.6.0 before 1.18.3.
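As an added example, not code from the Tesla project and not part of this CVE record, the Elixir module below sketches the shape of the flaw the description explains (a comma-split content-encoding value handled by one eager, uncapped :zlib.gunzip/1 or :zlib.unzip/1 call per token) next to a bounded decoder that caps how many codings it will honour and enforces an inflated-byte budget while streaming through :zlib.safeInflate/2. The module name, function names, default limits and the nested-gzip lab payload are this example's own assumptions; the only fact it takes from the record is that the fix ships in tesla 1.18.3, which remains the actual remediation.

```elixir
# Added example, not Tesla's code: the unbounded pattern the advisory describes,
# beside a bounded replacement. Module, function names and limits are assumptions.
defmodule BoundedDecompress do
  @max_layers 1                 # honour at most one content-coding by default
  @max_output 8 * 1024 * 1024   # inflated-byte budget per response; tune per app
  @buf_size 64 * 1024           # zlib intermediate buffer, bounds each safeInflate step

  # Vulnerable shape: one eager, uncapped inflate per comma-separated token, so
  # "gzip, gzip, gzip, gzip" means four full expansions materialised on the heap.
  def naive_decompress(body, content_encoding) do
    content_encoding
    |> String.split(",")
    |> Enum.map(&String.trim/1)
    |> Enum.reduce(body, fn
      "gzip", acc -> :zlib.gunzip(acc)
      "deflate", acc -> :zlib.unzip(acc)   # raw deflate, as the advisory names
      _other, acc -> acc
    end)
  end

  # Hardened shape: {:ok, binary} | {:error, reason}; never holds more than
  # max_output inflated bytes for one response, and caps the number of codings.
  def safe_decompress(body, content_encoding, opts \\ []) do
    max_layers = Keyword.get(opts, :max_layers, @max_layers)
    max_output = Keyword.get(opts, :max_output, @max_output)
    layers =
      content_encoding
      |> String.downcase()
      |> String.split(",")
      |> Enum.map(&String.trim/1)
      |> Enum.reject(&(&1 in ["", "identity"]))
    cond do
      length(layers) > max_layers -> {:error, :too_many_encodings}
      byte_size(body) > max_output -> {:error, :body_too_large}
      true ->
        # Codings are listed in the order applied (RFC 9110): undo them in reverse.
        Enum.reduce_while(Enum.reverse(layers), {:ok, body}, fn layer, {:ok, acc} ->
          case inflate_bounded(acc, layer, max_output) do
            {:ok, out} -> {:cont, {:ok, out}}
            {:error, _} = err -> {:halt, err}
          end
        end)
    end
  end

  # windowBits 31 = gzip framing only; -15 = raw deflate (what :zlib.unzip/1 reads).
  defp window_bits("gzip"), do: {:ok, 31}
  defp window_bits("deflate"), do: {:ok, -15}
  defp window_bits(other), do: {:error, {:unsupported_encoding, other}}

  # Streaming inflate: :zlib.safeInflate/2 returns a bounded chunk at a time, so
  # the budget is checked before the next chunk is produced, not after the fact.
  defp inflate_bounded(data, layer, max_output) do
    with {:ok, wbits} <- window_bits(layer) do
      z = :zlib.open()
      :zlib.setBufSize(z, @buf_size)
      :ok = :zlib.inflateInit(z, wbits)
      try do
        drain(z, :zlib.safeInflate(z, data), [], 0, max_output)
      rescue
        e in ErlangError -> {:error, {:inflate_failed, e.original}}
      after
        :zlib.close(z)
      end
    end
  end

  defp drain(z, {:continue, out}, acc, produced, max_output) do
    produced = produced + IO.iodata_length(out)
    if produced > max_output,
      do: {:error, :decompression_bomb},
      else: drain(z, :zlib.safeInflate(z, []), [acc, out], produced, max_output)
  end

  defp drain(_z, {:finished, out}, acc, produced, max_output) do
    if produced + IO.iodata_length(out) > max_output,
      do: {:error, :decompression_bomb},
      else: {:ok, IO.iodata_to_binary([acc, out])}
  end

  # Constructed lab payload: `inner` zero bytes inside `layers` gzip envelopes, the
  # advisory's "few hundred bytes to gigabytes" construction at a harmless size.
  def nested_gzip_bomb(layers, inner) when layers >= 1 and inner >= 0 do
    Enum.reduce(1..layers, :binary.copy(<<0>>, inner), fn _, acc -> :zlib.gzip(acc) end)
  end

  def demo do
    bomb = nested_gzip_bomb(2, 1_000_000)
    %{
      wire_bytes: byte_size(bomb),
      naive_inflated_bytes: byte_size(naive_decompress(bomb, "gzip, gzip")),
      layer_cap: safe_decompress(bomb, "gzip, gzip"),
      byte_budget: safe_decompress(nested_gzip_bomb(1, 1_000_000), "gzip", max_output: 65_536),
      normal_body: safe_decompress(:zlib.gzip("hello"), "gzip")
    }
  end
end
```

Run BoundedDecompress.demo/0 in iex: the naive path materialises the full inner payload from a wire body of roughly a kilobyte, while safe_decompress/3 refuses the stacked gzip, gzip header before touching zlib and, with a 64 KiB budget, aborts the single-layer payload as soon as the running inflated count crosses the budget rather than after the whole body has been inflated. The default of one layer is deliberate: stacked codings are legal HTTP but almost never sent by legitimate origins, so counting them is a cheap gate in front of the byte budget. In a Tesla client this logic belongs in a custom middleware in place of the built-in decompression until the upgrade to 1.18.3 is in place.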

EPSS History: no data available for the selected date range (latest score and percentile N/A).

▼Common Vulnerabilities and Exposures (CVE)
cve.org
▼CVE Numbering Authority (CNA)
Affected Products
Vendor
elixir-tesla
Product
tesla
Collection URL
https://repo.hex.pm
Package Name
tesla
Repo
https://github.com/elixir-tesla/tesla
CPEs
  • cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:*
Modules
  • 'Elixir.Tesla.Middleware.Compression'
  • 'Elixir.Tesla.Middleware.DecompressResponse'
Program Files
  • lib/tesla/middleware/compression.ex
Program Routines
  • 'Elixir.Tesla.Middleware.DecompressResponse':call/3
  • 'Elixir.Tesla.Middleware.Compression':call/3
Default Status
unaffected
Versions
Affected
  • From 0.6.0 before 1.18.3 (semver)
Vendor
elixir-tesla
Product
tesla
Collection URL
https://github.com
Package Name
elixir-tesla/tesla
Repo
https://github.com/elixir-tesla/tesla.git
CPEs
  • cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:*
Modules
  • 'Elixir.Tesla.Middleware.Compression'
  • 'Elixir.Tesla.Middleware.DecompressResponse'
Program Files
  • lib/tesla/middleware/compression.ex
Program Routines
  • 'Elixir.Tesla.Middleware.DecompressResponse':call/3
  • 'Elixir.Tesla.Middleware.Compression':call/3
Default Status
unaffected
Versions
Affected
  • From 5bd90bb5cf0d15e375edc2a66fa322292940fce2 before 340f75b5d191dc747ef7ac6365bd002d1cd55a9d (git)
Problem Types
Type: CWE
CWE ID: CWE-409
Description: Improper Handling of Highly Compressed Data (Data Amplification)
Metrics
Version: 4.0
Base score: 8.2
Base severity: HIGH
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Impacts
CAPEC ID: CAPEC-130
Description: Excessive Allocation
Configurations

The application must include Tesla.Middleware.DecompressResponse or Tesla.Middleware.Compression in its Tesla middleware pipeline.

Credits
Finder: Peter Ullrich
Remediation developer: Yordis Prieto
Analyst: Jonatan Männchen
References
  • https://github.com/elixir-tesla/tesla/security/advisories/GHSA-mc85-72gr-vm9f (vendor-advisory, related)
  • https://cna.erlef.org/cves/CVE-2026-48594.html (related)
  • https://osv.dev/vulnerability/EEF-CVE-2026-48594 (related)
  • https://github.com/elixir-tesla/tesla/commit/340f75b5d191dc747ef7ac6365bd002d1cd55a9d (patch)
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
References
  • https://github.com/elixir-tesla/tesla/security/advisories/GHSA-mc85-72gr-vm9f (exploit)
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:6b3ad84c-e1a6-4bf7-a703-f496b71e49db
Published At:02 Jun, 2026 | 20:16
Updated At:04 Jun, 2026 | 15:42

CISA Catalog (KEV): not listed (date added, due date, vulnerability name and required action all N/A)
Metrics
Type: Secondary
Version: 4.0
Base score: 8.2
Base severity: HIGH
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Weaknesses
CWE ID: CWE-409
Type: Secondary
Source: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
References
  • https://cna.erlef.org/cves/CVE-2026-48594.html (source: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db)
  • https://github.com/elixir-tesla/tesla/commit/340f75b5d191dc747ef7ac6365bd002d1cd55a9d (source: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db)
  • https://github.com/elixir-tesla/tesla/security/advisories/GHSA-mc85-72gr-vm9f (source: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db)
  • https://osv.dev/vulnerability/EEF-CVE-2026-48594 (source: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db)
  • https://github.com/elixir-tesla/tesla/security/advisories/GHSA-mc85-72gr-vm9f (source: 134c704f-9b21-4f2e-91b3-4a467353bcc0)

Change History: information is not available yet

Similar CVEs (3 records found)

CVE-2026-48597
Matching Score: 8
Assigner: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
CVSS Score: 8.2 (HIGH)
EPSS: 0.30% (percentile 21.84%), 7-day change ~0.00%
Published: 02 Jun, 2026 | 19:08
Updated: 04 Jun, 2026 | 15:42
Rejected: Not Available
Known To Be Used In Ransomware Campaigns: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
Atom table exhaustion via untrusted URL scheme in Tesla.Adapter.Mint

Allocation of Resources Without Limits or Throttling vulnerability in elixir-tesla tesla allows denial of service via atom table exhaustion in Tesla.Adapter.Mint. Tesla.Adapter.Mint.open_conn/2 converts the URL scheme of every outgoing request to a BEAM atom via String.to_atom(uri.scheme) with no allow-list validation. BEAM atoms are never garbage-collected and the atom table is bounded (approximately 1,048,576 entries by default). An attacker who can influence the URL of a Tesla request — either via an application-level URL-forwarding feature (webhook, proxy, importer) or via a Location header returned by a server when Tesla.Middleware.FollowRedirects is in the pipeline — can mint one fresh permanent atom per request by varying the scheme string. After enough requests the atom table fills and the VM crashes, taking down the entire application. This issue affects tesla: from 1.3.0 before 1.18.3.

Action: Not Available
Vendor: elixir-tesla
Product: tesla
CWE ID: CWE-770 (Allocation of Resources Without Limits or Throttling)
CVE-2026-49755
Matching Score: 4
Assigner: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
CVSS Score: 8.2 (HIGH)
EPSS: 0.44% (percentile 35.15%), 7-day change ~0.00%
Published: 08 Jun, 2026 | 15:20
Updated: 09 Jun, 2026 | 15:20
Rejected: Not Available
Known To Be Used In Ransomware Campaigns: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
Decompression bomb DoS in Req via auto-decoded archive and compressed response bodies

Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in wojtekmach Req allows attacker-controlled HTTP servers to exhaust memory in a Req client via decompression-bomb response bodies. Req's default response pipeline includes Req.Steps.decode_body/1 and Req.Steps.decompress_body/1 in lib/req/steps.ex. decode_body/1 dispatches on the server-supplied content-type (or URL extension) and calls :zip.extract(body, [:memory]) for application/zip, :erl_tar.extract({:binary, body}, [:memory]) for application/x-tar, and :erl_tar.extract({:binary, body}, [:memory, :compressed]) for application/gzip / .tgz. Each returns the full decompressed archive contents as a [{name, bytes}] list in memory, with no per-entry or total size cap. decompress_body/1 walks the content-encoding header and chains :zlib/:brotli/:ezstd decoders, so a response advertising content-encoding: gzip, gzip, gzip inflates through multiple layers without bound. Both steps are enabled by default, no caller opt-in is required, and the attacker controls the content-type and content-encoding headers on their own server (or on any host reached via Req's automatic redirect following). A sub-megabyte response can expand to multiple gigabytes on the victim, crashing the BEAM process. This issue affects req: from 0.1.0 before 0.6.1.

Action: Not Available
Vendor: wojtekmach
Product: req
CWE ID: CWE-409 (Improper Handling of Highly Compressed Data (Data Amplification))
CVE-2026-43970
Matching Score: 4
Assigner: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
CVSS Score: 8.2 (HIGH)
EPSS: 0.51% (percentile 39.78%), 7-day change ~0.00%
Published: 13 May, 2026 | 18:43
Updated: 15 May, 2026 | 04:33
Rejected: Not Available
Known To Be Used In Ransomware Campaigns: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
Decompression Bomb in cow_spdy:inflate/2 Allows Memory Exhaustion via Crafted SPDY Frame

Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in ninenines cowlib allows unauthenticated remote denial of service via memory exhaustion. cow_spdy:inflate/2 in cowlib passes peer-supplied compressed bytes directly to zlib:inflate/2 with no output size bound. The SPDY header compression dictionary (?ZDICT) is public, and zlib compresses long runs of repeated bytes at roughly 1024:1, so a few kilobytes of SPDY frame payload can decompress to gigabytes on the BEAM heap, OOM-killing the node. A single unauthenticated SPDY frame is sufficient to trigger the condition. The parsers for syn_stream, syn_reply, and headers frame types are all affected via cow_spdy:parse_headers/2. This issue affects cowlib from 0.1.0 before 2.16.1.

Action: Not Available
Vendor: ninenines
Product: cowlib
CWE ID: CWE-409 (Improper Handling of Highly Compressed Data (Data Amplification))