{"affected":[{"package":{"ecosystem":"Hex","name":"req","purl":"pkg:hex/req"},"ranges":[{"events":[{"introduced":"0.1.0"},{"fixed":"0.6.1"}],"type":"SEMVER"}],"versions":["0.1.0","0.1.1","0.1.2","0.2.0","0.2.1","0.2.2","0.3.0","0.3.1","0.3.2","0.3.3","0.3.4","0.3.5","0.3.6","0.3.7","0.3.8","0.3.9","0.3.10","0.3.11","0.3.12","0.4.0","0.4.1","0.4.2","0.4.3","0.4.4","0.4.5","0.4.6","0.4.7","0.4.8","0.4.9","0.4.10","0.4.11","0.4.12","0.4.13","0.4.14","0.5.0","0.5.1","0.5.2","0.5.3","0.5.4","0.5.5","0.5.6","0.5.7","0.5.8","0.5.9","0.5.10","0.5.11","0.5.12","0.5.13","0.5.14","0.5.15","0.5.16","0.5.17","0.5.18","0.6.0"]},{"ranges":[{"events":[{"introduced":"e37753741cbdc725e6aba3d977b380163bfc0ecb"},{"fixed":"84977e5b1a83f26e749d55ad06e3625464af4e8d"}],"repo":"https://github.com/wojtekmach/req.git","type":"GIT"}]}],"aliases":["GHSA-655f-mp8p-96gv","CVE-2026-49755"],"credits":[{"name":"Peter Ullrich","type":"FINDER"},{"name":"Wojtek Mach","type":"REMEDIATION_DEVELOPER"},{"name":"Jonatan Männchen / EEF","type":"ANALYST"}],"database_specific":{"capec_ids":["CAPEC-197"],"cpe_ids":["cpe:2.3:a:wojtekmach:req:*:*:*:*:*:*:*:*"],"cwe_ids":["CWE-409"]},"details":"## Summary\n\nImproper Handling of Highly Compressed Data (Data Amplification) vulnerability in wojtekmach Req allows attacker-controlled HTTP servers to exhaust memory in a Req client via decompression-bomb response bodies.\n\nReq's default response pipeline includes Req.Steps.decode\\_body/1 and Req.Steps.decompress\\_body/1 in lib/req/steps.ex. decode\\_body/1 dispatches on the server-supplied content-type (or URL extension) and calls :zip.extract(body, \\[:memory\\]) for application/zip, :erl\\_tar.extract({:binary, body}, \\[:memory\\]) for application/x-tar, and :erl\\_tar.extract({:binary, body}, \\[:memory, :compressed\\]) for application/gzip / .tgz. Each returns the full decompressed archive contents as a \\[{name, bytes}\\] list in memory, with no per-entry or total size cap. decompress\\_body/1 walks the content-encoding header and chains :zlib/:brotli/:ezstd decoders, so a response advertising content-encoding: gzip, gzip, gzip inflates through multiple layers without bound.\n\nBoth steps are enabled by default, no caller opt-in is required, and the attacker controls the content-type and content-encoding headers on their own server (or on any host reached via Req's automatic redirect following). A sub-megabyte response can expand to multiple gigabytes on the victim, crashing the BEAM process.\n\nThis issue affects req: from 0.1.0 before 0.6.1.\n\n## Workaround\n\nDisable Req's automatic body decoding on requests that fetch attacker-influenced URLs by passing decode\\_body: false to Req.new/1 / Req.get!/1. To also skip the content-encoding decompression pipeline, pass raw: true. Both options leave the response body as the raw on-the-wire bytes, so the caller can size-check before any decompression.","id":"EEF-CVE-2026-49755","modified":"2026-06-08T17:14:08.858Z","published":"2026-06-08T15:20:57.415Z","references":[{"type":"ADVISORY","url":"https://github.com/wojtekmach/req/security/advisories/GHSA-655f-mp8p-96gv"},{"type":"WEB","url":"https://cna.erlef.org/cves/CVE-2026-49755.html"},{"type":"FIX","url":"https://github.com/wojtekmach/req/commit/84977e5b1a83f26e749d55ad06e3625464af4e8d"},{"type":"PACKAGE","url":"https://hex.pm/packages/req"}],"related":[],"schema_version":"1.7.3","severity":[{"score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N","type":"CVSS_V4"}],"summary":"Decompression bomb DoS in Req via auto-decoded archive and compressed response bodies","upstream":[]}