CVE-2026-49755: CWE-409 Improper Handling of Highly Compressed Data (Data Amplification) in wojtekmach req
Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in wojtekmach Req allows attacker-controlled HTTP servers to exhaust memory in a Req client via decompression-bomb response bodies. Req's default response pipeline includes Req.Steps.decode_body/1 and Req.Steps.decompress_body/1 in lib/req/steps.ex. decode_body/1 dispatches on the server-supplied content-type (or URL extension) and calls :zip.extract(body, [:memory]) for application/zip, :erl_tar.extract({:binary, body}, [:memory]) for application/x-tar, and :erl_tar.extract({:binary, body}, [:memory, :compressed]) for application/gzip / .tgz. Each returns the full decompressed archive contents as a [{name, bytes}] list in memory, with no per-entry or total size cap. decompress_body/1 walks the content-encoding header and chains :zlib/:brotli/:ezstd decoders, so a response advertising content-encoding: gzip, gzip, gzip inflates through multiple layers without bound. Both steps are enabled by default, no caller opt-in is required, and the attacker controls the content-type and content-encoding headers on their own server (or on any host reached via Req's automatic redirect following). A sub-megabyte response can expand to multiple gigabytes on the victim, crashing the BEAM process. This issue affects req: from 0.1.0 before 0.6.1.
AI Analysis
Technical Summary
The vulnerability in wojtekmach req (CVE-2026-49755) stems from the default response processing steps decode_body/1 and decompress_body/1, which handle compressed HTTP response bodies. decode_body/1 uses Erlang functions to extract compressed archives (zip, tar, gzip) fully into memory without size caps, while decompress_body/1 chains multiple decompression layers based on content-encoding headers without bounding the inflation. Because attackers control content-type and content-encoding headers, they can craft responses that decompress to extremely large sizes, causing memory exhaustion and crashing the BEAM process. This affects req versions from 0.1.0 up to but not including 0.6.1.
Potential Impact
An attacker controlling an HTTP server or any server reached via automatic redirects can send a maliciously crafted compressed response that decompresses to a very large size, exhausting memory on the client running the req library. This leads to denial of service by crashing the BEAM process hosting the client application. The vulnerability does not require privileges or user interaction and can be triggered remotely over the network.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or patch is indicated in the provided data. Until a patch is available, users should consider disabling automatic decompression of response bodies or implement size limits on decompressed data if possible. Monitoring vendor communications for updates is recommended.
CVE-2026-49755: CWE-409 Improper Handling of Highly Compressed Data (Data Amplification) in wojtekmach req
Description
Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in wojtekmach Req allows attacker-controlled HTTP servers to exhaust memory in a Req client via decompression-bomb response bodies. Req's default response pipeline includes Req.Steps.decode_body/1 and Req.Steps.decompress_body/1 in lib/req/steps.ex. decode_body/1 dispatches on the server-supplied content-type (or URL extension) and calls :zip.extract(body, [:memory]) for application/zip, :erl_tar.extract({:binary, body}, [:memory]) for application/x-tar, and :erl_tar.extract({:binary, body}, [:memory, :compressed]) for application/gzip / .tgz. Each returns the full decompressed archive contents as a [{name, bytes}] list in memory, with no per-entry or total size cap. decompress_body/1 walks the content-encoding header and chains :zlib/:brotli/:ezstd decoders, so a response advertising content-encoding: gzip, gzip, gzip inflates through multiple layers without bound. Both steps are enabled by default, no caller opt-in is required, and the attacker controls the content-type and content-encoding headers on their own server (or on any host reached via Req's automatic redirect following). A sub-megabyte response can expand to multiple gigabytes on the victim, crashing the BEAM process. This issue affects req: from 0.1.0 before 0.6.1.
CVSS v4.0
Score 8.2high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in wojtekmach req (CVE-2026-49755) stems from the default response processing steps decode_body/1 and decompress_body/1, which handle compressed HTTP response bodies. decode_body/1 uses Erlang functions to extract compressed archives (zip, tar, gzip) fully into memory without size caps, while decompress_body/1 chains multiple decompression layers based on content-encoding headers without bounding the inflation. Because attackers control content-type and content-encoding headers, they can craft responses that decompress to extremely large sizes, causing memory exhaustion and crashing the BEAM process. This affects req versions from 0.1.0 up to but not including 0.6.1.
Potential Impact
An attacker controlling an HTTP server or any server reached via automatic redirects can send a maliciously crafted compressed response that decompresses to a very large size, exhausting memory on the client running the req library. This leads to denial of service by crashing the BEAM process hosting the client application. The vulnerability does not require privileges or user interaction and can be triggered remotely over the network.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or patch is indicated in the provided data. Until a patch is available, users should consider disabling automatic decompression of response bodies or implement size limits on decompressed data if possible. Monitoring vendor communications for updates is recommended.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- EEF
- Date Reserved
- 2026-06-01T13:45:22.448Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a26e46de29bf47b501e531c
Added to database: 6/8/2026, 3:49:01 PM
Last enriched: 6/8/2026, 4:03:28 PM
Last updated: 6/8/2026, 5:23:27 PM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.