EEF-CVE-2026-39804

See a problem?
Please try reporting it to the source first.
Source
https://cna.erlef.org/osv/EEF-CVE-2026-39804.html
Import Source
https://cna.erlef.org/osv/EEF-CVE-2026-39804.json
JSON Data
https://api.osv.dev/v1/vulns/EEF-CVE-2026-39804
Aliases
  • CVE-2026-39804
  • GHSA-frh3-6pv6-rc8j
Published
2026-05-01T20:34:24.604Z
Modified
2026-05-02T04:17:35.717Z
Severity
  • 8.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
WebSocket permessage-deflate inflate has no output-size cap in bandit
Details

Summary

Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion when WebSocket permessage-deflate compression is enabled.

'Elixir.Bandit.WebSocket.PerMessageDeflate':inflate/2 in lib/bandit/websocket/permessagedeflate.ex calls :zlib.inflate/2 with no output-size cap, then materializes the entire decompressed payload as a single binary via IO.iodatatobinary/1. The websocketoptions.maxframesize option only bounds the on-the-wire (compressed) frame size, not the decompressed output. A high-ratio compressed frame (e.g. uniform data at ~1024:1 ratio) can stay well under any wire-size limit while forcing GiB-scale heap allocations in the connection process before any application code runs.

An unauthenticated attacker who can open a WebSocket connection can send a single such frame to exhaust the BEAM node's memory and trigger an OOM kill.

This vulnerability requires both Bandit's server-level websocket_options.compress and the per-upgrade compress: true option passed to WebSockAdapter.upgrade/4 to be enabled. Stock Phoenix and LiveView applications are not affected as they default to compress: false.

This issue affects bandit: from 0.5.9 before 1.11.0.

Workaround

Do not pass compress: true to WebSockAdapter.upgrade/4. Omitting this option (or setting it to false) prevents permessage-deflate from being negotiated, so the inflate path is never reached.

Configuration

The vulnerability is only reachable when both of the following conditions are true: - Bandit's server-level websocket_options.compress is enabled (it defaults to true). - The per-upgrade compress: true option is passed to WebSockAdapter.upgrade/4 (it defaults to false; Phoenix's default is also false).

Stock Phoenix and LiveView applications are not affected because compress: false is their default.

Database specific 
{
    "cpe_ids": [
        "cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*"
    ],
    "capec_ids": [
        "CAPEC-130"
    ],
    "cwe_ids": [
        "CWE-770"
    ]
}
References
Credits
    • Peter Ullrich - FINDER

Affected packages

Hex / bandit

Package

Name
bandit
Purl
pkg:hex/bandit

Affected ranges

Type
SEMVER
Events
Introduced
0.5.9
Fixed
1.11.0

Affected versions

0.*
0.5.9
0.5.10
0.5.11
0.6.0
0.6.1
0.6.2
0.6.3
0.6.4
0.6.5
0.6.6
0.6.7
0.6.8
0.6.9
0.6.10
0.6.11
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4
0.7.5
0.7.6
0.7.7
1.*
1.0.0-pre.1
1.0.0-pre.2
1.0.0-pre.3
1.0.0-pre.4
1.0.0-pre.5
1.0.0-pre.6
1.0.0-pre.7
1.0.0-pre.8
1.0.0-pre.9
1.0.0-pre.10
1.0.0-pre.11
1.0.0-pre.12
1.0.0-pre.13
1.0.0-pre.14
1.0.0-pre.15
1.0.0-pre.16
1.0.0-pre.17
1.0.0-pre.18
1.0.0
1.1.0
1.1.1
1.1.2
1.1.3
1.2.0
1.2.1
1.2.2
1.2.3
1.3.0
1.4.0
1.4.1
1.4.2
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4
1.5.5
1.5.6
1.5.7
1.6.0
1.6.1
1.6.2
1.6.3
1.6.4
1.6.5
1.6.6
1.6.7
1.6.8
1.6.9
1.6.10
1.6.11
1.7.0
1.8.0
1.9.0
1.10.0
1.10.1
1.10.2
1.10.3
1.10.4

Database specific

source 
"https://cna.erlef.org/osv/EEF-CVE-2026-39804.json"

Git / github.com/mtrudel/bandit

Affected ranges

Type
GIT
Repo
https://github.com/mtrudel/bandit
Events
Introduced
da4027cff7d2b80319e76fe7a32f84beceec490a
Fixed
1.11.0

Database specific

source 
"https://cna.erlef.org/osv/EEF-CVE-2026-39804.json"