CVE-2026-49755
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Summary
Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in wojtekmach Req allows attacker-controlled HTTP servers to exhaust memory in a Req client via decompression-bomb response bodies.
Req's default response pipeline includes Req.Steps.decode_body/1 and Req.Steps.decompress_body/1 in lib/req/steps.ex. decode_body/1 dispatches on the server-supplied content-type (or URL extension) and calls :zip.extract(body, [:memory]) for application/zip, :erl_tar.extract({:binary, body}, [:memory]) for application/x-tar, and :erl_tar.extract({:binary, body}, [:memory, :compressed]) for application/gzip / .tgz. Each returns the full decompressed archive contents as a [{name, bytes}] list in memory, with no per-entry or total size cap. decompress_body/1 walks the content-encoding header and chains :zlib/:brotli/:ezstd decoders, so a response advertising content-encoding: gzip, gzip, gzip inflates through multiple layers without bound.
Both steps are enabled by default, no caller opt-in is required, and the attacker controls the content-type and content-encoding headers on their own server (or on any host reached via Req's automatic redirect following). A sub-megabyte response can expand to multiple gigabytes on the victim, crashing the BEAM process.
This issue affects req: from 0.1.0 before 0.6.1.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| wojtekmach | req | 0.1.0 < 0.6.1 | affected |
| wojtekmach | req | e37753741cbdc725e6aba3d977b380163bfc0ecb < 84977e5b1a83f26e749d55ad06e3625464af4e8d | affected |
Weaknesses
- CWE-409: CWE-409 Improper Handling of Highly Compressed Data (Data Amplification)
Workarounds
Disable Req's automatic body decoding on requests that fetch attacker-influenced URLs by passing decode_body: false to Req.new/1 / Req.get!/1. To also skip the content-encoding decompression pipeline, pass raw: true. Both options leave the response body as the raw on-the-wire bytes, so the caller can size-check before any decompression.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
Additional References
References
- https://github.com/wojtekmach/req/security/advisories/GHSA-655f-mp8p-96gv
- https://cna.erlef.org/cves/CVE-2026-49755.html
- https://osv.dev/vulnerability/EEF-CVE-2026-49755
- https://github.com/wojtekmach/req/commit/84977e5b1a83f26e749d55ad06e3625464af4e8d
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.