CVE-2026-49755
Severity CVSS v4.0:
HIGH
Type:
Unavailable / Other
Publication date:
08/06/2026
Last modified:
08/06/2026
Description
Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in wojtekmach Req allows attacker-controlled HTTP servers to exhaust memory in a Req client via decompression-bomb response bodies.<br />
<br />
Req&#39;s default response pipeline includes Req.Steps.decode_body/1 and Req.Steps.decompress_body/1 in lib/req/steps.ex. decode_body/1 dispatches on the server-supplied content-type (or URL extension) and calls :zip.extract(body, [:memory]) for application/zip, :erl_tar.extract({:binary, body}, [:memory]) for application/x-tar, and :erl_tar.extract({:binary, body}, [:memory, :compressed]) for application/gzip / .tgz. Each returns the full decompressed archive contents as a [{name, bytes}] list in memory, with no per-entry or total size cap. decompress_body/1 walks the content-encoding header and chains :zlib/:brotli/:ezstd decoders, so a response advertising content-encoding: gzip, gzip, gzip inflates through multiple layers without bound.<br />
<br />
Both steps are enabled by default, no caller opt-in is required, and the attacker controls the content-type and content-encoding headers on their own server (or on any host reached via Req&#39;s automatic redirect following). A sub-megabyte response can expand to multiple gigabytes on the victim, crashing the BEAM process.<br />
<br />
This issue affects req: from 0.1.0 before 0.6.1.
Impact
Base Score 4.0
8.20
Severity 4.0
HIGH
References to Advisories, Solutions, and Tools
- https://cna.erlef.org/cves/CVE-2026-49755.html
- https://github.com/wojtekmach/req/commit/84977e5b1a83f26e749d55ad06e3625464af4e8d
- https://github.com/wojtekmach/req/security/advisories/GHSA-655f-mp8p-96gv
- https://osv.dev/vulnerability/EEF-CVE-2026-49755
- https://github.com/wojtekmach/req/security/advisories/GHSA-655f-mp8p-96gv