GHSA-mc85-72gr-vm9f

Suggest an improvement
Source
https://github.com/advisories/GHSA-mc85-72gr-vm9f
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/07/GHSA-mc85-72gr-vm9f/GHSA-mc85-72gr-vm9f.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-mc85-72gr-vm9f
Aliases
Published
2026-07-10T00:03:23Z
Modified
2026-07-10T00:15:09.275629583Z
Severity
  • 8.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Tesla has decompression bomb on response body
Details

Summary

Any Tesla client pipeline that includes Tesla.Middleware.DecompressResponse or Tesla.Middleware.Compression eagerly decompresses HTTP response bodies with no size limit. A server under attacker control (or reached via a redirect) can return a tiny gzip-encoded payload that expands into gigabytes of BEAM heap, crashing or freezing the calling process. Stacking multiple content-encoding tokens multiplies the amplification exponentially.

Details

decompress_body/2 in lib/tesla/middleware/compression.ex passes the full response body to :zlib.gunzip/1 or :zlib.unzip/1 with no cap on output size. The list of codec tokens comes from splitting the content-encoding header on commas, and decompress_body/2 recurses once per token. A response advertising content-encoding: gzip, gzip, gzip, gzip triggers four recursive decompression passes. Each gzip layer can expand its input roughly 1000x, so a 284-byte wire payload with four layers inflates to approximately 1 GB at the innermost pass, all materialised as a single binary in the caller's heap.

PoC

  1. Serve an HTTP response with content-encoding: gzip, gzip, gzip, gzip where the body is a 1 GB block of zeros compressed through four successive gzip passes.
  2. Send that response to a Tesla client whose pipeline includes Tesla.Middleware.DecompressResponse.
  3. decompress_body/2 recurses four times without any size check, materialising ~1 GB in the calling process's heap.
  4. Repeated or sufficiently large requests exhaust available memory and crash or freeze the node.

Impact

High severity (CVSS v4.0: 8.2). Any application using tesla 0.6.0 through 1.18.2 with Tesla.Middleware.DecompressResponse or Tesla.Middleware.Compression in its pipeline is vulnerable. The attacker only needs to control a server the client contacts, including via redirects. Fixed in tesla 1.18.3.

Configurations

The application must include Tesla.Middleware.DecompressResponse or Tesla.Middleware.Compression in its Tesla middleware pipeline.

Resources

  • Introduction commit: https://github.com/elixir-tesla/tesla/commit/5bd90bb5cf0d15e375edc2a66fa322292940fce2
  • Patch commit: https://github.com/elixir-tesla/tesla/commit/340f75b5d191dc747ef7ac6365bd002d1cd55a9d
Database specific
{
    "nvd_published_at": "2026-06-02T20:16:38Z",
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-409"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-10T00:03:23Z"
}
References

Affected packages

Hex / tesla

Package

Name
tesla
Purl
pkg:hex/tesla

Affected ranges

Type
SEMVER
Events
Introduced
0.6.0
Fixed
1.18.3

Affected versions

0.*
0.6.0
0.7.0
0.7.1
0.7.2
0.8.0
0.9.0
0.10.0
1.*
1.0.0-beta.1
1.0.0
1.1.0
1.2.0
1.2.1
1.3.0
1.3.1
1.3.2
1.3.3
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
1.5.0
1.5.1
1.6.0
1.6.1
1.7.0
1.8.0
1.8.1
1.9.0
1.10.0
1.10.1
1.10.2
1.10.3
1.11.0
1.11.1
1.11.2
1.12.0
1.12.1
1.12.2
1.12.3
1.13.0
1.13.1
1.13.2
1.14.0
1.14.1
1.14.2
1.14.3
1.15.0
1.15.1
1.15.2
1.15.3
1.16.0
1.17.0
1.18.0
1.18.1
1.18.2

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/07/GHSA-mc85-72gr-vm9f/GHSA-mc85-72gr-vm9f.json"