Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2026-48594
PUBLISHED
More InfoOfficial Page
Assigner-EEF
Assigner Org ID-6b3ad84c-e1a6-4bf7-a703-f496b71e49db
View Known Exploited Vulnerability (KEV) details
Published At-02 Jun, 2026 | 19:08
Updated At-04 Jun, 2026 | 04:45
Rejected At-
▼CVE Numbering Authority (CNA)
Decompression bomb in Tesla.Middleware.DecompressResponse and Tesla.Middleware.Compression

Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-tesla tesla allows a denial of service via decompression bomb in HTTP response bodies. When Tesla.Middleware.DecompressResponse or Tesla.Middleware.Compression is included in a Tesla middleware pipeline, HTTP response bodies are decompressed eagerly with no size limit. The decompress_body/2 function in lib/tesla/middleware/compression.ex passes the entire response body to :zlib.gunzip/1 or :zlib.unzip/1 without any cap on the output size. Additionally, compression_algorithms/1 splits the content-encoding header on commas and decompress_body/2 recurses once per token, applying a decompression pass on each iteration. A server advertising content-encoding: gzip, gzip, gzip, gzip causes four recursive decompression passes, yielding exponential amplification: each gzip layer can expand its input roughly 1000x, so a payload of a few hundred bytes on the wire inflates to gigabytes of BEAM heap, exhausting memory and crashing or freezing the calling process. This issue affects tesla: from 0.6.0 before 1.18.3.

Affected Products
Vendor
elixir-tesla
Product
tesla
Collection URL
https://repo.hex.pm
Package Name
tesla
Repo
https://github.com/elixir-tesla/tesla
CPEs
  • cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:*
Modules
  • 'Elixir.Tesla.Middleware.Compression'
  • 'Elixir.Tesla.Middleware.DecompressResponse'
Program Files
  • lib/tesla/middleware/compression.ex
Program Routines
  • 'Elixir.Tesla.Middleware.DecompressResponse':call/3
  • 'Elixir.Tesla.Middleware.Compression':call/3
Default Status
unaffected
Versions
Affected
  • From 0.6.0 before 1.18.3 (semver)
Vendor
elixir-tesla
Product
tesla
Collection URL
https://github.com
Package Name
elixir-tesla/tesla
Repo
https://github.com/elixir-tesla/tesla.git
CPEs
  • cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:*
Modules
  • 'Elixir.Tesla.Middleware.Compression'
  • 'Elixir.Tesla.Middleware.DecompressResponse'
Program Files
  • lib/tesla/middleware/compression.ex
Program Routines
  • 'Elixir.Tesla.Middleware.DecompressResponse':call/3
  • 'Elixir.Tesla.Middleware.Compression':call/3
Default Status
unaffected
Versions
Affected
  • From 5bd90bb5cf0d15e375edc2a66fa322292940fce2 before 340f75b5d191dc747ef7ac6365bd002d1cd55a9d (git)
Problem Types
TypeCWE IDDescription
CWECWE-409CWE-409 Improper Handling of Highly Compressed Data (Data Amplification)
Type: CWE
CWE ID: CWE-409
Description: CWE-409 Improper Handling of Highly Compressed Data (Data Amplification)
Metrics
VersionBase scoreBase severityVector
4.08.2HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Version: 4.0
Base score: 8.2
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-130CAPEC-130 Excessive Allocation
CAPEC ID: CAPEC-130
Description: CAPEC-130 Excessive Allocation
Solutions

Configurations

The application must include Tesla.Middleware.DecompressResponse or Tesla.Middleware.Compression in its Tesla middleware pipeline.

Workarounds

Exploits

Credits

finder
Peter Ullrich
remediation developer
Yordis Prieto
analyst
Jonatan Männchen
Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/elixir-tesla/tesla/security/advisories/GHSA-mc85-72gr-vm9f
vendor-advisory
related
https://cna.erlef.org/cves/CVE-2026-48594.html
related
https://osv.dev/vulnerability/EEF-CVE-2026-48594
related
https://github.com/elixir-tesla/tesla/commit/340f75b5d191dc747ef7ac6365bd002d1cd55a9d
patch
Hyperlink: https://github.com/elixir-tesla/tesla/security/advisories/GHSA-mc85-72gr-vm9f
Resource:
vendor-advisory
related
Hyperlink: https://cna.erlef.org/cves/CVE-2026-48594.html
Resource:
related
Hyperlink: https://osv.dev/vulnerability/EEF-CVE-2026-48594
Resource:
related
Hyperlink: https://github.com/elixir-tesla/tesla/commit/340f75b5d191dc747ef7ac6365bd002d1cd55a9d
Resource:
patch
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/elixir-tesla/tesla/security/advisories/GHSA-mc85-72gr-vm9f
exploit
Hyperlink: https://github.com/elixir-tesla/tesla/security/advisories/GHSA-mc85-72gr-vm9f
Resource:
exploit
Details not found