CVE-2026-39804: Remote Code Execution and DoS via Bandit WebSocket Permessage-Deflate Resource Exhaustion
Vulnerability ID: CVE-2026-39804
CVSS Score: 8.2
Published: 2026-05-07
CVE-2026-39804 is a critical resource exhaustion vulnerability (CWE-770) affecting the Bandit Elixir HTTP server. By exploiting unbounded DEFLATE decompression in WebSocket frames, an unauthenticated attacker can crash the Erlang VM (BEAM) via a highly compressed decompression bomb.
TL;DR
Unauthenticated remote attackers can trigger a Denial of Service (OOM crash) in the Bandit web server by sending a highly compressed WebSocket frame, exhausting BEAM memory if permessage-deflate is enabled.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-770
- Attack Vector: Network (Remote)
- CVSS v4.0 Score: 8.2 (High)
- EPSS Score: 0.0004 (11.83%)
- Exploit Status: Proof-of-Concept Available
- Impact: Denial of Service (Node Crash)
Affected Systems
- Bandit HTTP Server (mtrudel/bandit)
- bandit: >= 0.5.9, < 1.11.0 (fixed in 1.11.0)
Code Analysis
Commit: 8156921
Fix resource exhaustion in permessage-deflate via chunked decompression and ratio limits
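The fix commit's summary names the two controls that stop a decompression bomb: inflating in bounded chunks, and stopping as soon as the output exceeds a limit derived from the input size. The following is an added illustration of that approach in Elixir, written for this page; it is not Bandit's code, and the limits, the module name `BoundedInflate`, and the functions `inflate/2`, `compress_message/1` and `demo/0` are assumptions. It relies on two real Erlang facilities: `:zlib.safeInflate/2`, which returns after a small amount of output rather than inflating a whole message, and raw DEFLATE via negative window bits, which is what RFC 7692 permessage-deflate uses.

```elixir
defmodule BoundedInflate do
  @moduledoc """
  Added illustration (not Bandit's code): inflate a permessage-deflate
  message in bounded chunks and abort when the output exceeds an absolute
  cap or a compression-ratio limit.
  """

  # Assumed limits for illustration; tune to the application's message sizes.
  @max_output_bytes 1_048_576   # never materialise more than 1 MiB per message
  @max_ratio 100                # inflated bytes allowed per compressed byte
  @min_budget 16_384            # floor so tiny, well-compressed frames are not rejected

  @type result :: {:ok, binary()} | {:error, term()}

  @doc "Inflate one permessage-deflate message payload (raw DEFLATE, trailer stripped by the sender)."
  @spec inflate(binary(), keyword()) :: result()
  def inflate(compressed, opts \\ []) when is_binary(compressed) do
    max_output = Keyword.get(opts, :max_output_bytes, @max_output_bytes)
    max_ratio = Keyword.get(opts, :max_ratio, @max_ratio)
    budget = min(max_output, max(@min_budget, max_ratio * byte_size(compressed)))

    # RFC 7692 section 7.2.2: the sender removes the trailing empty stored block;
    # the receiver re-appends 0x00 0x00 0xff 0xff before inflating.
    input = compressed <> <<0x00, 0x00, 0xFF, 0xFF>>

    z = :zlib.open()
    # Negative window bits select raw DEFLATE (no zlib header); 15 is the
    # default server_max_window_bits for the extension.
    :ok = :zlib.inflateInit(z, -15)

    try do
      # safeInflate/2 returns after a small, implementation-defined amount of
      # output, so the budget is checked before the next chunk is produced.
      loop(z, :zlib.safeInflate(z, input), [], 0, budget)
    rescue
      e in ErlangError -> {:error, e.original}   # e.g. :data_error on a corrupt stream
    after
      :zlib.close(z)
    end
  end

  defp loop(z, {tag, chunk}, acc, produced, budget) do
    produced = produced + IO.iodata_length(chunk)

    cond do
      produced > budget ->
        # Stop here: the rest of the message is never inflated, so a bomb
        # costs at most `budget` bytes of heap instead of its full size.
        {:error, :decompression_limit_exceeded}

      tag == :finished ->
        {:ok, IO.iodata_to_binary([acc, chunk])}

      true ->
        # Passing [] asks zlib to continue with the input already queued.
        loop(z, :zlib.safeInflate(z, []), [acc, chunk], produced, budget)
    end
  end

  @doc "Sender side of the extension, used only to build sample input for demo/0."
  @spec compress_message(binary()) :: binary()
  def compress_message(payload) do
    z = :zlib.open()
    :ok = :zlib.deflateInit(z, :default, :deflated, -15, 8, :default)
    out = IO.iodata_to_binary(:zlib.deflate(z, payload, :sync))
    :zlib.close(z)
    # A :sync flush ends with the empty stored block 00 00 ff ff; strip it.
    binary_part(out, 0, byte_size(out) - 4)
  end

  @doc "Constructed sample: a legitimate message inflates fine; a tight cap rejects it early."
  def demo do
    payload = String.duplicate(~s({"event":"tick","value":0}), 200)
    frame = compress_message(payload)
    {:ok, ^payload} = inflate(frame)
    {:error, :decompression_limit_exceeded} = inflate(frame, max_output_bytes: 1024)
    :ok
  end
end
```

Run `BoundedInflate.demo()` in `iex` to see both paths. The ratio limit is what makes the defence independent of frame size: a client cannot lift the output bound by sending a larger compressed frame, because the budget grows only linearly with the bytes it actually transmits, and the absolute cap bounds it regardless. The floor exists because very small legitimate frames (a short JSON event, for instance) routinely compress at ratios above 100:1 and must not be rejected.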
Exploit Details
- Test Suite PoC: The protocol_test.exs suite in the fix commit demonstrates the decompression bomb construction.
Mitigation Strategies
- Upgrade Bandit server to version 1.11.0 or newer.
- Disable permessage-deflate compression globally by setting `compress: false` in the WebSocket adapter configuration.
Remediation Steps:
- Update the `mix.exs` dependencies to require `{:bandit, ">= 1.11.0"}`.
- Run `mix deps.get` and `mix deps.compile` to fetch and build the patched version.
- If patching is impossible, review calls to `WebSockAdapter.upgrade/4` and remove any `compress: true` options.
- Deploy the updated application and restart the BEAM node.
- Verify the remediation by monitoring application memory metrics when under WebSocket load.
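The workaround step in code form, as an added example that is not part of the advisory or of Bandit: a Plug that performs the WebSocket upgrade with the weak setting shown commented out beside the hardened one, plus the minimal echo handler it needs so the module compiles on its own. `WebSockAdapter.upgrade/4` and its `compress` option are the real websock_adapter API named above; the module names `MyApp.SocketPlug` and `MyApp.SocketHandler` are hypothetical.

```elixir
# Hypothetical module names (MyApp.*); WebSockAdapter.upgrade/4 and the
# `:compress` option are the websock_adapter API referenced in the advisory.
defmodule MyApp.SocketPlug do
  @behaviour Plug

  @impl true
  def init(opts), do: opts

  @impl true
  def call(conn, _opts) do
    # Weak setting: negotiates permessage-deflate, so an unpatched Bandit
    # (>= 0.5.9, < 1.11.0) inflates client frames without an output bound.
    #   WebSockAdapter.upgrade(conn, MyApp.SocketHandler, %{}, compress: true)

    # Hardened setting: the extension is never negotiated, so no server-side
    # inflate runs regardless of the Bandit version in use.
    WebSockAdapter.upgrade(conn, MyApp.SocketHandler, %{}, compress: false)
  end
end

defmodule MyApp.SocketHandler do
  @behaviour WebSock

  @impl true
  def init(state), do: {:ok, state}

  # Echo text frames back unchanged; binary frames fall through to the
  # adapter's default handling in this minimal handler.
  @impl true
  def handle_in({text, [opcode: :text]}, state), do: {:push, {:text, text}, state}

  @impl true
  def handle_info(_msg, state), do: {:ok, state}

  @impl true
  def terminate(_reason, _state), do: :ok
end
```

Disabling the extension costs bandwidth on chatty connections, so treat it as the stopgap the advisory describes; once the dependency is at `>= 1.11.0` the chunked, ratio-limited decompression in the fix is the intended control, and the memory-monitoring step above is how to confirm it holds under load.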