CVE-2026-39804: CWE-770 Allocation of Resources Without Limits or Throttling in mtrudel bandit
Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion when WebSocket permessage-deflate compression is enabled. 'Elixir.Bandit.WebSocket.PerMessageDeflate':inflate/2 in lib/bandit/websocket/permessage_deflate.ex calls :zlib.inflate/2 with no output-size cap, then materializes the entire decompressed payload as a single binary via IO.iodata_to_binary/1. The websocket_options.max_frame_size option only bounds the on-the-wire (compressed) frame size, not the decompressed output. A high-ratio compressed frame (e.g. uniform data at ~1024:1 ratio) can stay well under any wire-size limit while forcing GiB-scale heap allocations in the connection process before any application code runs. An unauthenticated attacker who can open a WebSocket connection can send a single such frame to exhaust the BEAM node's memory and trigger an OOM kill. This vulnerability requires both Bandit's server-level websocket_options.compress and the per-upgrade compress: true option passed to WebSockAdapter.upgrade/4 to be enabled. Stock Phoenix and LiveView applications are not affected as they default to compress: false. This issue affects bandit: from 0.5.9 before 1.11.0.
AI Analysis
Technical Summary
The vulnerability in mtrudel bandit (CVE-2026-39804) involves allocation of resources without limits or throttling (CWE-770) in the WebSocket permessage-deflate compression implementation. Specifically, the function Elixir.Bandit.WebSocket.PerMessageDeflate.inflate/2 calls :zlib.inflate/2 without capping the decompressed output size. The decompressed payload is then fully materialized in memory, allowing an attacker to send a highly compressed frame that decompresses to a very large size, exhausting memory and causing an out-of-memory kill of the BEAM node. This attack requires that both the server's websocket_options.compress and the per-upgrade compress: true option are enabled. Stock Phoenix and LiveView applications are not vulnerable as they default to compress: false. The affected versions are bandit 0.5.9 up to but not including 1.11.0. There is no vendor advisory or patch link provided, and the remediation level is not specified.
Potential Impact
An unauthenticated remote attacker can cause a denial of service by sending a single specially crafted compressed WebSocket frame that decompresses to a very large size, leading to memory exhaustion and crashing the BEAM node running the bandit server. This disrupts availability of the affected service. There is no indication of code execution or data disclosure. The vulnerability requires specific compression options to be enabled, which are not enabled by default in common frameworks like Phoenix or LiveView.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a patch is available, mitigate risk by disabling WebSocket permessage-deflate compression in bandit (i.e., ensure websocket_options.compress and per-upgrade compress: true options are not both enabled). Since stock Phoenix and LiveView applications default to compression disabled, they are not affected. Avoid enabling compression on untrusted WebSocket connections to prevent exploitation.
CVE-2026-39804: CWE-770 Allocation of Resources Without Limits or Throttling in mtrudel bandit
Description
Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion when WebSocket permessage-deflate compression is enabled. 'Elixir.Bandit.WebSocket.PerMessageDeflate':inflate/2 in lib/bandit/websocket/permessage_deflate.ex calls :zlib.inflate/2 with no output-size cap, then materializes the entire decompressed payload as a single binary via IO.iodata_to_binary/1. The websocket_options.max_frame_size option only bounds the on-the-wire (compressed) frame size, not the decompressed output. A high-ratio compressed frame (e.g. uniform data at ~1024:1 ratio) can stay well under any wire-size limit while forcing GiB-scale heap allocations in the connection process before any application code runs. An unauthenticated attacker who can open a WebSocket connection can send a single such frame to exhaust the BEAM node's memory and trigger an OOM kill. This vulnerability requires both Bandit's server-level websocket_options.compress and the per-upgrade compress: true option passed to WebSockAdapter.upgrade/4 to be enabled. Stock Phoenix and LiveView applications are not affected as they default to compress: false. This issue affects bandit: from 0.5.9 before 1.11.0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in mtrudel bandit (CVE-2026-39804) involves allocation of resources without limits or throttling (CWE-770) in the WebSocket permessage-deflate compression implementation. Specifically, the function Elixir.Bandit.WebSocket.PerMessageDeflate.inflate/2 calls :zlib.inflate/2 without capping the decompressed output size. The decompressed payload is then fully materialized in memory, allowing an attacker to send a highly compressed frame that decompresses to a very large size, exhausting memory and causing an out-of-memory kill of the BEAM node. This attack requires that both the server's websocket_options.compress and the per-upgrade compress: true option are enabled. Stock Phoenix and LiveView applications are not vulnerable as they default to compress: false. The affected versions are bandit 0.5.9 up to but not including 1.11.0. There is no vendor advisory or patch link provided, and the remediation level is not specified.
Potential Impact
An unauthenticated remote attacker can cause a denial of service by sending a single specially crafted compressed WebSocket frame that decompresses to a very large size, leading to memory exhaustion and crashing the BEAM node running the bandit server. This disrupts availability of the affected service. There is no indication of code execution or data disclosure. The vulnerability requires specific compression options to be enabled, which are not enabled by default in common frameworks like Phoenix or LiveView.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a patch is available, mitigate risk by disabling WebSocket permessage-deflate compression in bandit (i.e., ensure websocket_options.compress and per-upgrade compress: true options are not both enabled). Since stock Phoenix and LiveView applications default to compression disabled, they are not affected. Avoid enabling compression on untrusted WebSocket connections to prevent exploitation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- EEF
- Date Reserved
- 2026-04-07T12:28:54.916Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69f5124bcbff5d86105840d8
Added to database: 5/1/2026, 8:51:23 PM
Last enriched: 5/1/2026, 9:06:28 PM
Last updated: 5/2/2026, 5:49:56 AM
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.