CVE-2026-48594: CWE-409 Improper Handling of Highly Compressed Data (Data Amplification) in elixir-tesla tesla
Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-tesla tesla allows a denial of service via a decompression bomb in HTTP response bodies. When Tesla.Middleware.DecompressResponse or Tesla.Middleware.Compression is included in a Tesla middleware pipeline, HTTP response bodies are decompressed eagerly with no size limit. The decompress_body/2 function in lib/tesla/middleware/compression.ex passes the entire response body to :zlib.gunzip/1 or :zlib.unzip/1 without any cap on the output size. Additionally, compression_algorithms/1 splits the content-encoding header on commas and decompress_body/2 recurses once per token, applying a decompression pass on each iteration. A server advertising "content-encoding: gzip, gzip, gzip, gzip" causes four recursive decompression passes, yielding exponential amplification: each gzip layer can expand its input roughly 1000x, so a payload of a few hundred bytes on the wire inflates to gigabytes of BEAM heap, exhausting memory and crashing or freezing the calling process. This issue affects tesla: from 0.6.0 before 1.18.3.
AI Analysis
Technical Summary
The elixir-tesla tesla library versions from 0.6.0 before 1.18.3 contain a CWE-409 vulnerability due to improper handling of highly compressed data in HTTP response bodies. When Tesla.Middleware.DecompressResponse or Tesla.Middleware.Compression is used, the decompress_body/2 function passes the entire response body to :zlib.gunzip/1 or :zlib.unzip/1 without any output size limit. Additionally, the function recursively decompresses each token in the content-encoding header, which can lead to exponential amplification if multiple gzip layers are present. For example, a server sending a content-encoding header with multiple gzip entries can cause the decompressed data to expand by roughly 1000x per layer, resulting in gigabytes of memory usage that exhausts the BEAM heap and causes denial of service.
Potential Impact
This vulnerability allows an attacker to cause a denial of service by sending HTTP responses with multiple layers of gzip compression, which the tesla library decompresses recursively without size limits. This leads to exponential memory amplification, exhausting the memory of the process and causing it to crash or freeze. There is no indication of remote code execution or data disclosure from the provided information.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or temporary workaround is documented in the provided data. Until a patch is available, users should avoid using Tesla.Middleware.DecompressResponse or Tesla.Middleware.Compression with untrusted HTTP responses or implement external safeguards to limit decompression size. Monitor vendor communications for updates regarding an official fix.
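As an added illustration (not Tesla's code, and written in Python rather than Elixir), the two safeguards the description and the recommendations above point to: a cap on the number of Content-Encoding layers, and a hard cap on decompressed bytes enforced while inflating so the full expansion is never materialised in memory. The default limits, function names and the nested-gzip fixture are assumptions made for this example.

```python
import gzip
import zlib


class DecompressionLimitExceeded(Exception):
    """Raised when a response would exceed the layer or output-size budget."""


def content_encoding_tokens(header):
    # Split on commas, exactly as the advisory says compression_algorithms/1 does.
    return [t.strip().lower() for t in header.split(",") if t.strip()]


def bounded_gunzip(data, max_output):
    """Inflate one gzip layer, aborting as soon as output passes max_output."""
    # decompress(buf, max_length) returns at most max_length bytes and parks the rest in unconsumed_tail.
    d = zlib.decompressobj(wbits=31)      # 31 = gzip container (16 + MAX_WBITS)
    out, buf = bytearray(), data
    while buf and not d.eof:
        room = max_output - len(out) + 1  # one byte past the cap reveals overflow
        out += d.decompress(buf, room)
        if len(out) > max_output:
            raise DecompressionLimitExceeded(f"output exceeds {max_output} bytes")
        buf = d.unconsumed_tail
    if not d.eof:
        raise ValueError("truncated gzip stream")
    return bytes(out)


def decompress_response_body(body, content_encoding, max_layers=2, max_output=1 << 20):
    """Undo a Content-Encoding chain with a layer cap and a byte cap (assumed defaults)."""
    tokens = content_encoding_tokens(content_encoding)
    if len(tokens) > max_layers:
        raise DecompressionLimitExceeded(f"{len(tokens)} encoding layers exceeds {max_layers}")
    for enc in reversed(tokens):          # encodings are listed in the order they were applied
        if enc in ("gzip", "x-gzip"):
            body = bounded_gunzip(body, max_output)
        elif enc != "identity":
            raise ValueError(f"unsupported content-encoding: {enc}")
    return body


def is_rejected(body, content_encoding, **limits):
    try:
        decompress_response_body(body, content_encoding, **limits)
        return False
    except DecompressionLimitExceeded:
        return True


def nested_gzip(payload, layers):
    # Constructed test fixture: wrap payload in `layers` gzip containers.
    for _ in range(layers):
        payload = gzip.compress(payload)
    return payload
```

The layer cap rejects the four-token header from the description before any inflation happens; the byte cap stops a single over-sized layer after at most max_output + 1 bytes have been produced.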
CVSS v4.0
Score: 8.2 (High)
Technical Details
- Data Version: 5.2
- Assigner Short Name: EEF
- Date Reserved: 2026-05-22T09:36:56.834Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a1f3494e29bf47b50fa252b
Added to database: 6/2/2026, 7:52:52 PM
Last enriched: 6/2/2026, 8:03:44 PM
Last updated: 6/3/2026, 5:03:12 AM