DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-48594: CVE-2026-48594: Decompression Bomb Denial of Service in Elixir Tesla HTTP Client

CVE-2026-48594: Decompression Bomb Denial of Service in Elixir Tesla HTTP Client

Vulnerability ID: CVE-2026-48594
CVSS Score: 8.2
Published: 2026-07-10

An improper handling of highly compressed data (decompression bomb) vulnerability exists in the Elixir Tesla HTTP client when utilizing response decompression middlewares. By serving highly compressed responses or stacked content-encoding headers, a malicious server can cause arbitrary heap exhaustion, leading to a denial of service (DoS) crash in the BEAM virtual machine.

TL;DR

Unrestricted decompression and recursive codec handling in Tesla's decompression middleware allow remote servers to trigger heap exhaustion and BEAM VM crashes via tiny, highly compressed response payloads.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-409
  • Attack Vector: Network
  • CVSS Score: 8.2 (High)
  • EPSS Score: 0.00329 (Percentile: 24.87%)
  • Impact: Denial of Service (OOM Crash)
  • Exploit Status: Theoretical / Patch Analysis
  • KEV Status: Not Listed

Affected Systems

  • Elixir Applications deploying Tesla client pipelines with DecompressResponse or Compression middleware active.
  • tesla: >= 0.6.0, < 1.18.3 (Fixed in: 1.18.3)

Code Analysis

Commit: 340f75b

Fix decompression vulnerability in Compression middleware by adding size limit check and restricting recursive decompression.

@@ -12,4 +12,14 @@
+    if count_known_codecs(codecs) > 1 do
+      raise Error, reason: :multiple_codecs
+    end
...
+  defp start_inflate(z, body, max_body_size) do
+    case :zlib.safeInflate(z, body) do
Enter fullscreen mode Exit fullscreen mode

Mitigation Strategies

  • Upgrade Tesla dependency to 1.18.3 or higher.
  • Enforce mandatory :max_body_size limits in middleware options.
  • Avoid handling decompression of external data with unconstrained endpoints.
  • Deploy network-level HTTP header filtering to drop stacked Content-Encodings.

Remediation Steps:

  1. Open your project mix.exs file and locate the :tesla dependency.
  2. Update the version constraint to {:tesla, "~> 1.18.3"} or higher.
  3. Run mix deps.get to download and lock the updated version.
  4. Locate modules utilizing Tesla.Middleware.DecompressResponse or Tesla.Middleware.Compression.
  5. Append max_body_size: configuration parameter.
  6. Re-compile and run test suites to ensure integration compatibility.

References


Read the full report for CVE-2026-48594 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)