CVE-2026-39804: CWE-770 Allocation of Resources Without Limits or Throttling in mtrudel bandit
Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion when WebSocket permessage-deflate compression is enabled. 'Elixir.Bandit.WebSocket.PerMessageDeflate':inflate/2 in lib/bandit/websocket/permessage_deflate.ex calls :zlib.inflate/2 with no output-size cap, then materializes the entire decompressed payload as a single binary via IO.iodata_to_binary/1. The websocket_options.max_frame_size option only bounds the on-the-wire (compressed) frame size, not the decompressed output. A high-ratio compressed frame (e.g.uniform data at ~1024:1 ratio) can stay well under any wire-size limit while forcing GiB-scale heap allocations in the connection process before any application code runs. An unauthenticated attacker who can open a WebSocket connection can send a single such frame to exhaust the BEAM node's memory and trigger an OOM kill. This vulnerability requires both Bandit's server-level websocket_options.compress and the per-upgrade compress: true option passed to WebSockAdapter.upgrade/4 to be enabled. Stock Phoenix and LiveView applications are not affected as they default to compress: false. This issue affects bandit: from 0.5.9 before 1.11.0.
AI Analysis
Technical Summary
The vulnerability in mtrudel bandit (CVE-2026-39804) involves allocation of resources without limits or throttling (CWE-770) in the WebSocket permessage-deflate compression feature. Specifically, the function Elixir.Bandit.WebSocket.PerMessageDeflate.inflate/2 calls :zlib.inflate/2 without an output size cap and materializes the entire decompressed payload as a single binary. Although the websocket_options.max_frame_size limits the compressed frame size on the wire, it does not limit the decompressed output size. This allows an attacker to send a compressed frame with a high compression ratio that decompresses to a very large size, exhausting memory and causing an out-of-memory kill of the BEAM node. Exploitation requires both server-level websocket_options.compress and the per-upgrade compress: true option to be enabled. Stock Phoenix and LiveView applications are not affected as they default to compress: false. The vulnerability affects bandit versions from 0.5.9 up to but not including 1.11.0.
Potential Impact
An unauthenticated remote attacker can cause a denial of service by exhausting the memory of the BEAM node running bandit via a single specially crafted WebSocket frame. This can lead to an out-of-memory kill of the process, disrupting service availability. There is no indication of data disclosure or code execution impacts. The vulnerability requires specific compression options to be enabled, which are not enabled by default in common frameworks like Phoenix and LiveView.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a patch or official fix is available, mitigate by disabling WebSocket permessage-deflate compression in bandit (i.e., ensure websocket_options.compress and compress: true are not both enabled). Since stock Phoenix and LiveView applications default to compress: false, they are not affected unless explicitly configured otherwise. Monitor vendor communications for updates on official fixes.
CVE-2026-39804: CWE-770 Allocation of Resources Without Limits or Throttling in mtrudel bandit
Description
Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion when WebSocket permessage-deflate compression is enabled. 'Elixir.Bandit.WebSocket.PerMessageDeflate':inflate/2 in lib/bandit/websocket/permessage_deflate.ex calls :zlib.inflate/2 with no output-size cap, then materializes the entire decompressed payload as a single binary via IO.iodata_to_binary/1. The websocket_options.max_frame_size option only bounds the on-the-wire (compressed) frame size, not the decompressed output. A high-ratio compressed frame (e.g.uniform data at ~1024:1 ratio) can stay well under any wire-size limit while forcing GiB-scale heap allocations in the connection process before any application code runs. An unauthenticated attacker who can open a WebSocket connection can send a single such frame to exhaust the BEAM node's memory and trigger an OOM kill. This vulnerability requires both Bandit's server-level websocket_options.compress and the per-upgrade compress: true option passed to WebSockAdapter.upgrade/4 to be enabled. Stock Phoenix and LiveView applications are not affected as they default to compress: false. This issue affects bandit: from 0.5.9 before 1.11.0.
CVSS v4.0
Score 8.2high
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in mtrudel bandit (CVE-2026-39804) involves allocation of resources without limits or throttling (CWE-770) in the WebSocket permessage-deflate compression feature. Specifically, the function Elixir.Bandit.WebSocket.PerMessageDeflate.inflate/2 calls :zlib.inflate/2 without an output size cap and materializes the entire decompressed payload as a single binary. Although the websocket_options.max_frame_size limits the compressed frame size on the wire, it does not limit the decompressed output size. This allows an attacker to send a compressed frame with a high compression ratio that decompresses to a very large size, exhausting memory and causing an out-of-memory kill of the BEAM node. Exploitation requires both server-level websocket_options.compress and the per-upgrade compress: true option to be enabled. Stock Phoenix and LiveView applications are not affected as they default to compress: false. The vulnerability affects bandit versions from 0.5.9 up to but not including 1.11.0.
Potential Impact
An unauthenticated remote attacker can cause a denial of service by exhausting the memory of the BEAM node running bandit via a single specially crafted WebSocket frame. This can lead to an out-of-memory kill of the process, disrupting service availability. There is no indication of data disclosure or code execution impacts. The vulnerability requires specific compression options to be enabled, which are not enabled by default in common frameworks like Phoenix and LiveView.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a patch or official fix is available, mitigate by disabling WebSocket permessage-deflate compression in bandit (i.e., ensure websocket_options.compress and compress: true are not both enabled). Since stock Phoenix and LiveView applications default to compress: false, they are not affected unless explicitly configured otherwise. Monitor vendor communications for updates on official fixes.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- EEF
- Date Reserved
- 2026-04-07T12:28:54.916Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69f5124bcbff5d86105840d8
Added to database: 5/1/2026, 8:51:23 PM
Last enriched: 5/27/2026, 8:05:50 PM
Last updated: 6/16/2026, 4:30:17 AM
Views: 109
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.