EEF-CVE-2026-49755

Source
https://cna.erlef.org/osv/EEF-CVE-2026-49755.html
Import Source
https://cna.erlef.org/osv/EEF-CVE-2026-49755.json
JSON Data
https://api.osv.dev/v1/vulns/EEF-CVE-2026-49755
Aliases
  • CVE-2026-49755
  • GHSA-655f-mp8p-96gv
Published
2026-06-08T15:20:57.415Z
Modified
2026-06-08T18:00:03.770877120Z
Severity
  • 8.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Decompression bomb DoS in Req via auto-decoded archive and compressed response bodies
Details

Summary

Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in wojtekmach Req allows attacker-controlled HTTP servers to exhaust memory in a Req client via decompression-bomb response bodies.

Req's default response pipeline includes Req.Steps.decode_body/1 and Req.Steps.decompress_body/1 in lib/req/steps.ex. decode_body/1 dispatches on the server-supplied content-type (or URL extension) and calls :zip.extract(body, [:memory]) for application/zip, :erl_tar.extract({:binary, body}, [:memory]) for application/x-tar, and :erl_tar.extract({:binary, body}, [:memory, :compressed]) for application/gzip / .tgz. Each returns the full decompressed archive contents as a [{name, bytes}] list in memory, with no per-entry or total size cap. decompress_body/1 walks the content-encoding header and chains :zlib/:brotli/:ezstd decoders, so a response advertising content-encoding: gzip, gzip, gzip inflates through multiple layers without bound.

Both steps are enabled by default, no caller opt-in is required, and the attacker controls the content-type and content-encoding headers on their own server (or on any host reached via Req's automatic redirect following, so a trusted origin that redirects to attacker-controlled content is enough). A sub-megabyte response can expand to multiple gigabytes on the victim. Because the BEAM aborts the whole VM when an allocation fails, the result is not just a crashed Req caller but a crashed node.

This issue affects req: from 0.1.0 before 0.6.1.

Workaround

Disable Req's automatic body decoding on requests that fetch attacker-influenced URLs. Passing decode_body: false to Req.new/1 or Req.get!/2 disables the decode_body/1 archive-extraction step; passing raw: true disables both the content-encoding decompression pipeline (decompress_body/1) and decode_body/1. With raw: true the response body is the raw on-the-wire bytes, so the caller can size-check before any decompression and can bound the decompression it performs itself.
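The following is an added example, not code from Req or from this advisory, of what the workaround looks like in practice: fetch with Req's documented raw: true option so neither decompress_body/1 nor decode_body/1 runs, then undo the content-encoding layers yourself with :zlib.safeInflate/2, which yields output a bounded chunk at a time so a bomb can be cut off before it is expanded. The module name SafeFetch, the three caps (wire size, total decoded size, number of layers) and the demo payload are assumptions chosen for illustration; it assumes Req 0.4 or later for Req.Response.get_header/2 and OTP 20.1 or later for :zlib.safeInflate/2. Brotli and zstd encodings are rejected rather than decoded, since the point is to fail closed on anything not explicitly bounded.

```elixir
defmodule SafeFetch do
  @moduledoc """
  Added example, not Req's own code: fetch with automatic decoding disabled
  and inflate the body under explicit, caller-chosen size and layer caps.
  """

  # Illustrative limits (assumptions, tune per application).
  @max_wire_bytes 4 * 1024 * 1024      # raw response body as received
  @max_decoded_bytes 32 * 1024 * 1024  # total output across all layers
  @max_layers 2                        # more chained codings than this is suspicious

  @doc "GET `url` with Req's raw: true so no step decompresses or decodes the body."
  def get(url) do
    resp = Req.get!(url, raw: true)
    header = resp |> Req.Response.get_header("content-encoding") |> Enum.join(",")
    decode(header, resp.body)
  end

  @doc "Decode a raw body under the caps, given the Content-Encoding header value."
  def decode(content_encoding, body) when is_binary(body) do
    encodings = parse_encodings(content_encoding)

    cond do
      byte_size(body) > @max_wire_bytes -> {:error, :wire_size_exceeded}
      length(encodings) > @max_layers -> {:error, {:too_many_layers, length(encodings)}}
      true -> decode_layers(Enum.reverse(encodings), body, @max_decoded_bytes)
    end
  end

  defp parse_encodings(value) do
    value
    |> String.split(",")
    |> Enum.map(&(&1 |> String.trim() |> String.downcase()))
    |> Enum.reject(&(&1 in ["", "identity"]))
  end

  # Content-Encoding lists codings in the order they were applied, so they are
  # undone in reverse. One byte budget is shared across layers so a chained
  # "gzip, gzip" header cannot multiply the allowance.
  defp decode_layers([], body, _budget), do: {:ok, body}

  defp decode_layers([enc | rest], body, budget) when enc in ["gzip", "x-gzip", "deflate"] do
    case inflate_bounded(body, budget) do
      {:ok, out} -> decode_layers(rest, out, budget - byte_size(out))
      error -> error
    end
  end

  defp decode_layers([enc | _], _body, _budget), do: {:error, {:unsupported_encoding, enc}}

  @doc "Inflate gzip or zlib data, aborting as soon as output would exceed `max_out` bytes."
  def inflate_bounded(data, max_out) when is_binary(data) do
    z = :zlib.open()

    try do
      # 15 window bits + 32 = auto-detect a gzip or zlib wrapper.
      :ok = :zlib.inflateInit(z, 47)
      inflate_loop(z, data, [], 0, max_out)
    rescue
      ErlangError -> {:error, :corrupt_stream}
    after
      :zlib.close(z)
    end
  end

  # :zlib.safeInflate/2 returns after a small implementation-defined amount of
  # output, so the running total is checked before the next chunk is produced
  # instead of after the whole stream has been materialised.
  defp inflate_loop(z, input, acc, produced, max_out) do
    {state, chunk} = :zlib.safeInflate(z, input)
    produced = produced + IO.iodata_length(chunk)

    cond do
      produced > max_out -> {:error, {:decoded_size_exceeded, max_out}}
      state == :finished -> {:ok, IO.iodata_to_binary([acc, chunk])}
      input == [] and chunk == [] -> {:error, :truncated_stream}
      true -> inflate_loop(z, [], [acc, chunk], produced, max_out)
    end
  end

  @doc "Offline demo on a constructed payload: 8 MiB of zeros under three gzip layers."
  def demo do
    zeros = :binary.copy(<<0>>, 8 * 1024 * 1024)
    bomb = Enum.reduce(1..3, zeros, fn _, acc -> :zlib.gzip(acc) end)
    IO.puts("on-the-wire bytes: #{byte_size(bomb)}")
    # Rejected before any inflation: three codings exceed @max_layers.
    IO.inspect(decode("gzip, gzip, gzip", bomb), label: "3 layers")
    # A single layer that fits the budget decodes normally.
    IO.inspect(decode("gzip", :zlib.gzip("hello")), label: "1 layer")
    # A single layer past the budget is cut off mid-stream, never fully expanded.
    IO.inspect(inflate_bounded(:zlib.gzip(zeros), 1024 * 1024), label: "bounded")
  end
end
```

Running SafeFetch.demo/0 shows the three-layer payload is a few hundred bytes on the wire and is rejected on the header alone, while the single oversized layer is stopped once the running output total crosses the cap. The same caps should be applied to archive bodies: with raw: true nothing calls :zip.extract/2 or :erl_tar.extract/2 for you, so an application that still needs archive contents should extract entry by entry to disk, or with [:memory] only after checking the raw size, rather than restoring the unbounded default.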

Database specific
{
    "cpe_ids": [
        "cpe:2.3:a:wojtekmach:req:*:*:*:*:*:*:*:*"
    ],
    "capec_ids": [
        "CAPEC-197"
    ],
    "cwe_ids": [
        "CWE-409"
    ]
}
References
Credits
    • Peter Ullrich - FINDER
    • Wojtek Mach - REMEDIATION_DEVELOPER
    • Jonatan Männchen / EEF - ANALYST

Affected packages

Hex / req

Package

Name
req
Purl
pkg:hex/req

Affected ranges

Type
SEMVER
Events
Introduced
0.1.0
Fixed
0.6.1

Affected versions

0.1.0
0.1.1
0.1.2
0.2.0
0.2.1
0.2.2
0.3.0
0.3.1
0.3.2
0.3.3
0.3.4
0.3.5
0.3.6
0.3.7
0.3.8
0.3.9
0.3.10
0.3.11
0.3.12
0.4.0
0.4.1
0.4.2
0.4.3
0.4.4
0.4.5
0.4.6
0.4.7
0.4.8
0.4.9
0.4.10
0.4.11
0.4.12
0.4.13
0.4.14
0.5.0
0.5.1
0.5.2
0.5.3
0.5.4
0.5.5
0.5.6
0.5.7
0.5.8
0.5.9
0.5.10
0.5.11
0.5.12
0.5.13
0.5.14
0.5.15
0.5.16
0.5.17
0.5.18
0.6.0

Database specific

source
"https://cna.erlef.org/osv/EEF-CVE-2026-49755.json"

Git / github.com/wojtekmach/req.git

Affected ranges

Type
GIT
Repo
https://github.com/wojtekmach/req.git
Events

Affected versions

v0.1.0
v0.1.1
v0.2.0
v0.2.1
v0.3.0
v0.3.1
v0.3.2
v0.3.3
v0.3.4
v0.3.5
v0.3.6
v0.3.7
v0.3.8
v0.3.9
v0.3.10
v0.3.11
v0.4.0
v0.4.1
v0.4.2
v0.4.3
v0.4.4
v0.4.5
v0.4.6
v0.4.7
v0.4.8
v0.4.9
v0.4.10
v0.4.11
v0.4.12
v0.4.13
v0.4.14
v0.5.0
v0.5.1
v0.5.2
v0.5.3
v0.5.4
v0.5.5
v0.5.6
v0.5.7
v0.5.8
v0.5.9
v0.5.10
v0.5.11
v0.5.12
v0.5.13
v0.5.14
v0.5.16
v0.5.17

Database specific

source
"https://cna.erlef.org/osv/EEF-CVE-2026-49755.json"