CVE-2026-48594: Decompression Bomb Denial of Service in Elixir Tesla HTTP Client
Vulnerability ID: CVE-2026-48594
CVSS Score: 8.2
Published: 2026-07-10
An improper handling of highly compressed data (decompression bomb) vulnerability exists in the Elixir Tesla HTTP client when utilizing response decompression middlewares. By serving highly compressed responses or stacked content-encoding headers, a malicious server can cause arbitrary heap exhaustion, leading to a denial of service (DoS) crash in the BEAM virtual machine.
TL;DR
Unrestricted decompression and recursive codec handling in Tesla's decompression middleware allow remote servers to trigger heap exhaustion and BEAM VM crashes via tiny, highly compressed response payloads.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-409
- Attack Vector: Network
- CVSS Score: 8.2 (High)
- EPSS Score: 0.00329 (Percentile: 24.87%)
- Impact: Denial of Service (OOM Crash)
- Exploit Status: Theoretical / Patch Analysis
- KEV Status: Not Listed
Affected Systems
- Elixir Applications deploying Tesla client pipelines with DecompressResponse or Compression middleware active.
-
tesla: >= 0.6.0, < 1.18.3 (Fixed in:
1.18.3)
Code Analysis
Commit: 340f75b
Fix decompression vulnerability in Compression middleware by adding size limit check and restricting recursive decompression.
@@ -12,4 +12,14 @@
+ if count_known_codecs(codecs) > 1 do
+ raise Error, reason: :multiple_codecs
+ end
...
+ defp start_inflate(z, body, max_body_size) do
+ case :zlib.safeInflate(z, body) do
Mitigation Strategies
- Upgrade Tesla dependency to 1.18.3 or higher.
- Enforce mandatory :max_body_size limits in middleware options.
- Avoid handling decompression of external data with unconstrained endpoints.
- Deploy network-level HTTP header filtering to drop stacked Content-Encodings.
Remediation Steps:
- Open your project mix.exs file and locate the :tesla dependency.
- Update the version constraint to {:tesla, "~> 1.18.3"} or higher.
- Run mix deps.get to download and lock the updated version.
- Locate modules utilizing Tesla.Middleware.DecompressResponse or Tesla.Middleware.Compression.
- Append max_body_size: configuration parameter.
- Re-compile and run test suites to ensure integration compatibility.
References
- GitHub Advisory GHSA-mc85-72gr-vm9f
- Official Fix Commit
- CVE-2026-48594 Record
- NVD CVE-2026-48594 Details
- EEF/CNA Advisory Portal
- OSV Entry for EEF-CVE-2026-48594
Read the full report for CVE-2026-48594 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)