{"affected":[{"package":{"ecosystem":"Hex","name":"tesla","purl":"pkg:hex/tesla"},"ranges":[{"events":[{"introduced":"0.6.0"},{"fixed":"1.18.3"}],"type":"SEMVER"}],"versions":["0.6.0","0.7.0","0.7.1","0.7.2","0.8.0","0.9.0","0.10.0","1.0.0-beta.1","1.0.0","1.1.0","1.2.0","1.2.1","1.3.0","1.3.1","1.3.2","1.3.3","1.4.0","1.4.1","1.4.2","1.4.3","1.4.4","1.5.0","1.5.1","1.6.0","1.6.1","1.7.0","1.8.0","1.8.1","1.9.0","1.10.0","1.10.1","1.10.2","1.10.3","1.11.0","1.11.1","1.11.2","1.12.0","1.12.1","1.12.2","1.12.3","1.13.0","1.13.1","1.13.2","1.14.0","1.14.1","1.14.2","1.14.3","1.15.0","1.15.1","1.15.2","1.15.3","1.16.0","1.17.0","1.18.0","1.18.1","1.18.2"]},{"ranges":[{"events":[{"introduced":"5bd90bb5cf0d15e375edc2a66fa322292940fce2"},{"fixed":"340f75b5d191dc747ef7ac6365bd002d1cd55a9d"}],"repo":"https://github.com/elixir-tesla/tesla.git","type":"GIT"}]}],"aliases":["GHSA-mc85-72gr-vm9f","CVE-2026-48594"],"credits":[{"name":"Peter Ullrich","type":"FINDER"},{"name":"Yordis Prieto","type":"REMEDIATION_DEVELOPER"},{"name":"Jonatan Männchen","type":"ANALYST"}],"database_specific":{"capec_ids":["CAPEC-130"],"cpe_ids":["cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:*"],"cwe_ids":["CWE-409"]},"details":"## Summary\n\nImproper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-tesla tesla allows a denial of service via decompression bomb in HTTP response bodies.\n\nWhen Tesla.Middleware.DecompressResponse or Tesla.Middleware.Compression is included in a Tesla middleware pipeline, HTTP response bodies are decompressed eagerly with no size limit. The decompress_body/2 function in lib/tesla/middleware/compression.ex passes the entire response body to :zlib.gunzip/1 or :zlib.unzip/1 without any cap on the output size. Additionally, compression_algorithms/1 splits the content-encoding header on commas and decompress_body/2 recurses once per token, applying a decompression pass on each iteration. A server advertising content-encoding: gzip, gzip, gzip, gzip causes four recursive decompression passes, yielding exponential amplification: each gzip layer can expand its input roughly 1000x, so a payload of a few hundred bytes on the wire inflates to gigabytes of BEAM heap, exhausting memory and crashing or freezing the calling process.\n\nThis issue affects tesla: from 0.6.0 before 1.18.3.\n\n## Configuration\n\nThe application must include Tesla.Middleware.DecompressResponse or Tesla.Middleware.Compression in its Tesla middleware pipeline.","id":"EEF-CVE-2026-48594","modified":"2026-06-02T19:12:25.393Z","published":"2026-06-02T19:08:49.596Z","references":[{"type":"ADVISORY","url":"https://github.com/elixir-tesla/tesla/security/advisories/GHSA-mc85-72gr-vm9f"},{"type":"WEB","url":"https://cna.erlef.org/cves/CVE-2026-48594.html"},{"type":"FIX","url":"https://github.com/elixir-tesla/tesla/commit/340f75b5d191dc747ef7ac6365bd002d1cd55a9d"},{"type":"PACKAGE","url":"https://hex.pm/packages/tesla"}],"related":[],"schema_version":"1.7.3","severity":[{"score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N","type":"CVSS_V4"}],"summary":"Decompression bomb in Tesla.Middleware.DecompressResponse and Tesla.Middleware.Compression","upstream":[]}