CVE-2026-49755

Decompression bomb DoS in Req via auto-decoded archive and compressed response bodies

Previous Page: « Back to all CVEs Next Page: See on OSV.dev »

Weakness Type (CWE)

CWE-409 — CWE-409 Improper Handling of Highly Compressed Data (Data Amplification)

CAPEC

• CAPEC-197 — CAPEC-197 Exponential Data Expansion

CVSS 4.0 Score

8.2

HIGH

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Vulnerability description

Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in wojtekmach Req allows attacker-controlled HTTP servers to exhaust memory in a Req client via decompression-bomb response bodies.

Req's default response pipeline includes 'Elixir.Req.Steps':decode_body/1 and 'Elixir.Req.Steps':decompress_body/1 in lib/req/steps.ex. decode_body/1 dispatches on the server-supplied content-type (or URL extension) and calls :zip.extract(body, [:memory]) for application/zip, :erl_tar.extract({:binary, body}, [:memory]) for application/x-tar, and :erl_tar.extract({:binary, body}, [:memory, :compressed]) for application/gzip / .tgz. Each returns the full decompressed archive contents as a [{name, bytes}] list in memory, with no per-entry or total size cap. decompress_body/1 walks the content-encoding header and chains :zlib/:brotli/:ezstd decoders, so a response advertising content-encoding: gzip, gzip, gzip inflates through multiple layers without bound.

Both steps are enabled by default, no caller opt-in is required, and the attacker controls the content-type and content-encoding headers on their own server (or on any host reached via Req's automatic redirect following). A sub-megabyte response can expand to multiple gigabytes on the victim, crashing the BEAM process.

This issue affects req: from 0.1.0 before 0.6.1.

Affected

pkg:hex/req

Module	Source File	Routine
Req.Steps	lib/req/steps.ex	Req.Steps.decode_body/1
		Req.Steps.decompress_body/1

Status	Type	Version	Changes / Fixed in
affected	semver ⓘ	0.1.0	< 0.6.1

pkg:github/wojtekmach/req

Module	Source File	Routine
Req.Steps	lib/req/steps.ex	Req.Steps.decode_body/1
		Req.Steps.decompress_body/1

Status	Type	Version	Changes / Fixed in
affected	git ⓘ	e37753741c	< 84977e5b1a

Workarounds

Disable Req's automatic body decoding on requests that fetch attacker-influenced URLs by passing decode_body: false to 'Elixir.Req':new/1 / 'Elixir.Req':get!/1. To also skip the content-encoding decompression pipeline, pass raw: true. Both options leave the response body as the raw on-the-wire bytes, so the caller can size-check before any decompression.

References

• https://github.com/wojtekmach/req/security/advisories/GHSA-655f-mp8p-96gv vendor-advisory related
• https://osv.dev/vulnerability/EEF-CVE-2026-49755 related
• https://github.com/wojtekmach/req/commit/84977e5b1a83f26e749d55ad06e3625464af4e8d patch

Credits

• Finder: Peter Ullrich
• Remediation developer: Wojtek Mach
• Analyst: Jonatan Männchen / EEF

CVE record as JSON:  GET /cves/CVE-2026-49755.json
OSV record as JSON:  GET /osv/EEF-CVE-2026-49755.json