EEF-CVE-2026-48594

Source
https://cna.erlef.org/osv/EEF-CVE-2026-48594.html
Import Source
https://cna.erlef.org/osv/EEF-CVE-2026-48594.json
JSON Data
https://api.osv.dev/v1/vulns/EEF-CVE-2026-48594
Aliases
  • CVE-2026-48594
  • GHSA-mc85-72gr-vm9f
Published
2026-06-02T19:08:49.596Z
Modified
2026-06-04T04:45:31.475Z
Severity
  • 8.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Decompression bomb in Tesla.Middleware.DecompressResponse and Tesla.Middleware.Compression
Details

Summary

Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-tesla tesla allows a denial of service via decompression bomb in HTTP response bodies.

When Tesla.Middleware.DecompressResponse or Tesla.Middleware.Compression is included in a Tesla middleware pipeline, HTTP response bodies are decompressed eagerly with no size limit. The decompress_body/2 function in lib/tesla/middleware/compression.ex passes the entire response body to :zlib.gunzip/1 or :zlib.unzip/1 without any cap on the output size. Additionally, compression_algorithms/1 splits the content-encoding header on commas and decompress_body/2 recurses once per token, applying a decompression pass on each iteration. A server advertising content-encoding: gzip, gzip, gzip, gzip therefore causes four recursive decompression passes, and the amplification compounds with each pass (exponential in the number of layers): each gzip layer can expand its input roughly 1000x, so a payload of a few hundred bytes on the wire inflates to gigabytes of BEAM heap, exhausting memory and crashing or freezing the calling process.

This issue affects tesla: from 0.6.0 before 1.18.3.
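
The following is an added example, not code from the tesla project or from the fix in 1.18.3. It shows the two controls a practitioner would want in place of the eager :zlib.gunzip/1 and :zlib.unzip/1 calls described above: a hard cap on decompressed output, enforced while inflating with :zlib.safeInflate/2 rather than after the fact, and a cap on the number of content-encoding tokens that will be honoured. The module name, the 10 MiB and two-layer defaults, and the option names are assumptions chosen for illustration. Encodings are undone in reverse order of listing, as RFC 9110 specifies; "deflate" is treated as raw deflate (windowBits -15), which is what :zlib.unzip/1 accepts.

```elixir
# Added example, not Tesla's own code. Limits and names below are assumptions.
defmodule BoundedDecompress do
  @default_max_bytes 10 * 1024 * 1024
  @default_max_layers 2

  @doc """
  Decompress `body` according to a Content-Encoding value such as "gzip" or
  "gzip, deflate". Returns {:ok, binary} or {:error, reason}. Layers are
  undone in reverse order of listing; "identity" tokens are ignored.
  """
  def decompress_body(body, content_encoding, opts \\ []) when is_binary(body) do
    max_bytes = Keyword.get(opts, :max_bytes, @default_max_bytes)
    max_layers = Keyword.get(opts, :max_layers, @default_max_layers)

    algos =
      content_encoding
      |> String.downcase()
      |> String.split(",", trim: true)
      |> Enum.map(&String.trim/1)
      |> Enum.reject(&(&1 in ["", "identity"]))

    if length(algos) > max_layers do
      {:error, {:too_many_encodings, length(algos)}}
    else
      # Every layer is inflated under the same output cap, so nesting
      # gzip inside gzip cannot escape it.
      Enum.reduce_while(Enum.reverse(algos), {:ok, body}, fn algo, {:ok, data} ->
        case decompress_layer(data, algo, max_bytes) do
          {:ok, out} -> {:cont, {:ok, out}}
          {:error, _} = err -> {:halt, err}
        end
      end)
    end
  end

  # gzip wrapper: windowBits 15 + 16. Raw deflate: windowBits -15.
  defp decompress_layer(data, algo, max_bytes) when algo in ["gzip", "x-gzip"],
    do: bounded_inflate(data, 31, max_bytes)

  defp decompress_layer(data, "deflate", max_bytes),
    do: bounded_inflate(data, -15, max_bytes)

  defp decompress_layer(_data, algo, _max_bytes),
    do: {:error, {:unsupported_encoding, algo}}

  # :zlib.safeInflate/2 returns output in bounded pieces, so the running
  # total is checked before the next piece is produced. The whole input is
  # handed over at once; only the output side is paced.
  defp bounded_inflate(data, window_bits, max_bytes) do
    z = :zlib.open()
    :ok = :zlib.inflateInit(z, window_bits)

    try do
      pump(z, data, [], 0, max_bytes)
    rescue
      # Corrupt or truncated input raises from :zlib; report it as data.
      ErlangError -> {:error, :data_error}
    after
      :zlib.close(z)
    end
  end

  defp pump(z, input, acc, produced, max_bytes) do
    {status, chunk} = :zlib.safeInflate(z, input)
    produced = produced + IO.iodata_length(chunk)

    cond do
      produced > max_bytes -> {:error, {:decompressed_size_exceeded, max_bytes}}
      status == :finished -> {:ok, IO.iodata_to_binary([acc, chunk])}
      # :continue means more output is pending; pass [] to keep draining.
      true -> pump(z, [], [acc, chunk], produced, max_bytes)
    end
  end

  @doc "Constructed demo: a three-layer gzip bomb is rejected, a normal body passes."
  def demo do
    # 1 MB of zeros gzips to roughly 1 KB; each extra pass shrinks it further.
    bomb =
      :binary.copy(<<0>>, 1_000_000)
      |> :zlib.gzip()
      |> :zlib.gzip()
      |> :zlib.gzip()

    rejected = decompress_body(bomb, "gzip, gzip, gzip", max_bytes: 500_000, max_layers: 3)
    ok = decompress_body(:zlib.gzip("hello"), "gzip")
    {byte_size(bomb), rejected, ok}
  end
end
```

Running BoundedDecompress.demo/0 in iex returns the wire size of the constructed bomb, {:error, {:decompressed_size_exceeded, 500000}} for the nested payload (the cap trips on the innermost layer, after the two outer layers inflate harmlessly), and {:ok, "hello"} for the ordinary body. With the default max_layers of 2 the same bomb is refused earlier with {:error, {:too_many_encodings, 3}} before any inflate runs. The cap should be sized to the largest legitimate response the client expects, not to the machine's memory.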

Configuration

The application must include Tesla.Middleware.DecompressResponse or Tesla.Middleware.Compression in its Tesla middleware pipeline.

Database specific
{
    "cpe_ids": [
        "cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:*"
    ],
    "cwe_ids": [
        "CWE-409"
    ],
    "capec_ids": [
        "CAPEC-130"
    ]
}
References
Credits
    • Peter Ullrich - FINDER
    • Yordis Prieto - REMEDIATION_DEVELOPER
    • Jonatan Männchen - ANALYST

Affected packages

Hex / tesla

Package

Name
tesla
Purl
pkg:hex/tesla

Affected ranges

Type
SEMVER
Events
Introduced
0.6.0
Fixed
1.18.3

Affected versions

0.*
0.6.0
0.7.0
0.7.1
0.7.2
0.8.0
0.9.0
0.10.0
1.*
1.0.0-beta.1
1.0.0
1.1.0
1.2.0
1.2.1
1.3.0
1.3.1
1.3.2
1.3.3
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
1.5.0
1.5.1
1.6.0
1.6.1
1.7.0
1.8.0
1.8.1
1.9.0
1.10.0
1.10.1
1.10.2
1.10.3
1.11.0
1.11.1
1.11.2
1.12.0
1.12.1
1.12.2
1.12.3
1.13.0
1.13.1
1.13.2
1.14.0
1.14.1
1.14.2
1.14.3
1.15.0
1.15.1
1.15.2
1.15.3
1.16.0
1.17.0
1.18.0
1.18.1
1.18.2

Database specific

source
"https://cna.erlef.org/osv/EEF-CVE-2026-48594.json"

Git / github.com/elixir-tesla/tesla.git

Affected ranges

Type
GIT
Repo
https://github.com/elixir-tesla/tesla.git
Events

Database specific

source
"https://cna.erlef.org/osv/EEF-CVE-2026-48594.json"