{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-49755","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-06-08T16:49:57.977214Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-06-08T16:50:03.277Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"references":[{"tags":["exploit"],"url":"https://github.com/wojtekmach/req/security/advisories/GHSA-655f-mp8p-96gv"}],"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"collectionURL":"https://repo.hex.pm","cpes":["cpe:2.3:a:wojtekmach:req:*:*:*:*:*:*:*:*"],"defaultStatus":"unaffected","modules":["'Elixir.Req.Steps'"],"packageName":"req","packageURL":"pkg:hex/req","product":"req","programFiles":["lib/req/steps.ex"],"programRoutines":[{"name":"'Elixir.Req.Steps':decode_body/1"},{"name":"'Elixir.Req.Steps':decompress_body/1"}],"repo":"https://github.com/wojtekmach/req","vendor":"wojtekmach","versions":[{"lessThan":"0.6.1","status":"affected","version":"0.1.0","versionType":"semver"}]},{"collectionURL":"https://github.com","cpes":["cpe:2.3:a:wojtekmach:req:*:*:*:*:*:*:*:*"],"defaultStatus":"unaffected","modules":["'Elixir.Req.Steps'"],"packageName":"wojtekmach/req","packageURL":"pkg:github/wojtekmach/req","product":"req","programFiles":["lib/req/steps.ex"],"programRoutines":[{"name":"'Elixir.Req.Steps':decode_body/1"},{"name":"'Elixir.Req.Steps':decompress_body/1"}],"repo":"https://github.com/wojtekmach/req.git","vendor":"wojtekmach","versions":[{"lessThan":"84977e5b1a83f26e749d55ad06e3625464af4e8d","status":"affected","version":"e37753741cbdc725e6aba3d977b380163bfc0ecb","versionType":"git"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:a:wojtekmach:req:*:*:*:*:*:*:*:*","versionEndExcluding":"0.6.1","versionStartIncluding":"0.1.0","vulnerable":true}],"negate":false,"operator":"OR"}],"operator":"AND"}],"credits":[{"lang":"en","type":"finder","value":"Peter Ullrich"},{"lang":"en","type":"remediation developer","value":"Wojtek Mach"},{"lang":"en","type":"analyst","value":"Jonatan Männchen / EEF"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in wojtekmach Req allows attacker-controlled HTTP servers to exhaust memory in a Req client via decompression-bomb response bodies.<p>Req's default response pipeline includes <tt>'Elixir.Req.Steps':decode_body/1</tt> and <tt>'Elixir.Req.Steps':decompress_body/1</tt> in <tt>lib/req/steps.ex</tt>. <tt>decode_body/1</tt> dispatches on the server-supplied <tt>content-type</tt> (or URL extension) and calls <tt>:zip.extract(body, [:memory])</tt> for <tt>application/zip</tt>, <tt>:erl_tar.extract({:binary, body}, [:memory])</tt> for <tt>application/x-tar</tt>, and <tt>:erl_tar.extract({:binary, body}, [:memory, :compressed])</tt> for <tt>application/gzip</tt> / <tt>.tgz</tt>. Each returns the full decompressed archive contents as a <tt>[{name, bytes}]</tt> list in memory, with no per-entry or total size cap. <tt>decompress_body/1</tt> walks the <tt>content-encoding</tt> header and chains <tt>:zlib</tt>/<tt>:brotli</tt>/<tt>:ezstd</tt> decoders, so a response advertising <tt>content-encoding: gzip, gzip, gzip</tt> inflates through multiple layers without bound.</p><p>Both steps are enabled by default, no caller opt-in is required, and the attacker controls the <tt>content-type</tt> and <tt>content-encoding</tt> headers on their own server (or on any host reached via Req's automatic redirect following). A sub-megabyte response can expand to multiple gigabytes on the victim, crashing the BEAM process.</p><p>This issue affects req: from 0.1.0 before 0.6.1.</p>"}],"value":"Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in wojtekmach Req allows attacker-controlled HTTP servers to exhaust memory in a Req client via decompression-bomb response bodies.\n\nReq's default response pipeline includes Req.Steps.decode_body/1 and Req.Steps.decompress_body/1 in lib/req/steps.ex. decode_body/1 dispatches on the server-supplied content-type (or URL extension) and calls :zip.extract(body, [:memory]) for application/zip, :erl_tar.extract({:binary, body}, [:memory]) for application/x-tar, and :erl_tar.extract({:binary, body}, [:memory, :compressed]) for application/gzip / .tgz. Each returns the full decompressed archive contents as a [{name, bytes}] list in memory, with no per-entry or total size cap. decompress_body/1 walks the content-encoding header and chains :zlib/:brotli/:ezstd decoders, so a response advertising content-encoding: gzip, gzip, gzip inflates through multiple layers without bound.\n\nBoth steps are enabled by default, no caller opt-in is required, and the attacker controls the content-type and content-encoding headers on their own server (or on any host reached via Req's automatic redirect following). A sub-megabyte response can expand to multiple gigabytes on the victim, crashing the BEAM process.\n\nThis issue affects req: from 0.1.0 before 0.6.1."}],"impacts":[{"capecId":"CAPEC-197","descriptions":[{"lang":"en","value":"CAPEC-197 Exponential Data Expansion"}]}],"metrics":[{"cvssV4_0":{"attackComplexity":"LOW","attackRequirements":"PRESENT","attackVector":"NETWORK","baseScore":8.2,"baseSeverity":"HIGH","privilegesRequired":"NONE","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-409","description":"CWE-409 Improper Handling of Highly Compressed Data (Data Amplification)","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-08T17:14:08.858Z","orgId":"6b3ad84c-e1a6-4bf7-a703-f496b71e49db","shortName":"EEF"},"references":[{"tags":["vendor-advisory","related"],"url":"https://github.com/wojtekmach/req/security/advisories/GHSA-655f-mp8p-96gv"},{"tags":["related"],"url":"https://cna.erlef.org/cves/CVE-2026-49755.html"},{"tags":["related"],"url":"https://osv.dev/vulnerability/EEF-CVE-2026-49755"},{"tags":["patch"],"url":"https://github.com/wojtekmach/req/commit/84977e5b1a83f26e749d55ad06e3625464af4e8d"}],"source":{"discovery":"EXTERNAL"},"title":"Decompression bomb DoS in Req via auto-decoded archive and compressed response bodies","workarounds":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>Disable Req's automatic body decoding on requests that fetch attacker-influenced URLs by passing <tt>decode_body: false</tt> to <tt>'Elixir.Req':new/1</tt> / <tt>'Elixir.Req':get!/1</tt>. To also skip the <tt>content-encoding</tt> decompression pipeline, pass <tt>raw: true</tt>. Both options leave the response body as the raw on-the-wire bytes, so the caller can size-check before any decompression.</p>"}],"value":"Disable Req's automatic body decoding on requests that fetch attacker-influenced URLs by passing decode_body: false to Req.new/1 / Req.get!/1. To also skip the content-encoding decompression pipeline, pass raw: true. Both options leave the response body as the raw on-the-wire bytes, so the caller can size-check before any decompression."}],"x_generator":{"engine":"cvelib 1.8.0"}}},"cveMetadata":{"assignerOrgId":"6b3ad84c-e1a6-4bf7-a703-f496b71e49db","assignerShortName":"EEF","cveId":"CVE-2026-49755","datePublished":"2026-06-08T15:20:57.415Z","dateReserved":"2026-06-01T13:45:22.448Z","dateUpdated":"2026-06-08T17:14:08.448Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"}
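The workaround above stops at "leave the body raw and size-check it". The following Elixir module, an added example that is not code from Req, from the advisory, or from the patch commit, shows the vulnerable default call beside a hardened client that applies the workaround and then inflates the body itself under an explicit output cap. It assumes Req's documented `Req.new/1`, `Req.request!/1`, `Req.Response.get_header/2`, `:raw` and `:redirect` options, and OTP's `:zlib.safeInflate/2`; the two byte limits are illustrative policy values chosen for this example, not figures from the advisory. Note that `decode_body: false` on its own only disables the archive-extraction step; only `raw: true` also skips the `content-encoding` pipeline, which is the option this example uses.

```elixir
defmodule BoundedFetch do
  # Added example; not code from Req or from the advisory. Assumes Req's documented
  # Req.new/1, Req.request!/1, Req.Response.get_header/2 and :raw / :redirect options,
  # plus OTP's :zlib.safeInflate/2. The byte caps are illustrative policy values for
  # this example, not figures from the advisory.

  @max_wire_bytes 4 * 1024 * 1024        # largest compressed body accepted at all
  @max_inflated_bytes 32 * 1024 * 1024   # hard ceiling on decompressed output

  # Vulnerable default (the behaviour the advisory describes): decompress_body/1 and
  # decode_body/1 both run, so a server-chosen content-type of application/zip or a
  # stacked content-encoding is expanded in full before the caller sees anything.
  def fetch_default(url), do: Req.get!(url).body

  # Hardened: raw: true skips both steps (decode_body: false alone still runs the
  # content-encoding pipeline), redirect: false stops a bounce to an attacker host,
  # and the wire bytes are size-checked before being inflated under an output cap.
  def fetch_bounded(url) do
    resp = Req.new(url: url, raw: true, redirect: false) |> Req.request!()
    body = resp.body

    # Normalise "gzip, gzip, gzip" (one header) and repeated headers to one list.
    codings =
      resp
      |> Req.Response.get_header("content-encoding")
      |> Enum.flat_map(&String.split(&1, ","))
      |> Enum.map(&(&1 |> String.trim() |> String.downcase()))

    cond do
      byte_size(body) > @max_wire_bytes ->
        {:error, {:wire_body_too_large, byte_size(body)}}

      codings in [[], ["identity"]] ->
        {:ok, body}

      codings in [["gzip"], ["x-gzip"], ["deflate"]] ->
        bounded_inflate(body, @max_inflated_bytes)

      true ->
        # Refuse stacked or unhandled codings (br, zstd) outright rather than chain decoders.
        {:error, {:unsupported_content_encoding, codings}}
    end
  end

  # Inflate gzip or zlib-wrapped deflate with :zlib.safeInflate/2, which returns after
  # a small, implementation-defined amount of output so the running total can be
  # checked between chunks instead of after the whole stream has been expanded.
  def bounded_inflate(data, max_out) when is_binary(data) do
    z = :zlib.open()
    # window bits 47 = 15 + 32: auto-detect gzip or zlib framing
    :ok = :zlib.inflateInit(z, 47)

    try do
      inflate_loop(z, :zlib.safeInflate(z, data), [], 0, max_out)
    rescue
      ErlangError -> {:error, :corrupt_compressed_data}
    after
      :zlib.close(z)
    end
  end

  defp inflate_loop(z, {status, chunk}, acc, total, max_out) do
    chunk = IO.iodata_to_binary(chunk)
    total = total + byte_size(chunk)

    cond do
      total > max_out ->
        # Stop here: at most one threshold-sized chunk past max_out has been
        # materialised, and the rest of the input is never touched.
        {:error, {:decompression_bomb, total}}

      status == :finished ->
        {:ok, IO.iodata_to_binary(Enum.reverse([chunk | acc]))}

      status == :continue ->
        # Later calls pass empty input; the stream state lives in z.
        inflate_loop(z, :zlib.safeInflate(z, []), [chunk | acc], total, max_out)
    end
  end
end

# Usage for a URL the attacker may influence:
#   case BoundedFetch.fetch_bounded(url) do
#     {:ok, body} -> body
#     {:error, reason} -> reason   # e.g. {:decompression_bomb, 33554944}
#   end
```

The error tuple from `bounded_inflate/2` is the point of the design: the caller learns that the response tried to expand past the cap without the BEAM ever holding more than the cap plus one `safeInflate` chunk, which is the failure mode the advisory's default pipeline cannot survive. Archive bodies (`application/zip`, `application/x-tar`, `.tgz`) are deliberately left as raw bytes here; if they must be extracted, apply a per-entry and total size budget in the same way before calling `:zip.extract/2` or `:erl_tar.extract/2`.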