CVE-2026-39804
Gravedad CVSS v4.0:
ALTA
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
01/05/2026
Última modificación:
05/05/2026
Descripción
*** Pendiente de traducción *** Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion when WebSocket permessage-deflate compression is enabled.<br />
<br />
&#39;Elixir.Bandit.WebSocket.PerMessageDeflate&#39;:inflate/2 in lib/bandit/websocket/permessage_deflate.ex calls :zlib.inflate/2 with no output-size cap, then materializes the entire decompressed payload as a single binary via IO.iodata_to_binary/1. The websocket_options.max_frame_size option only bounds the on-the-wire (compressed) frame size, not the decompressed output. A high-ratio compressed frame (e.g. uniform data at ~1024:1 ratio) can stay well under any wire-size limit while forcing GiB-scale heap allocations in the connection process before any application code runs.<br />
<br />
An unauthenticated attacker who can open a WebSocket connection can send a single such frame to exhaust the BEAM node&#39;s memory and trigger an OOM kill.<br />
<br />
This vulnerability requires both Bandit&#39;s server-level websocket_options.compress and the per-upgrade compress: true option passed to WebSockAdapter.upgrade/4 to be enabled. Stock Phoenix and LiveView applications are not affected as they default to compress: false.<br />
<br />
This issue affects bandit: from 0.5.9 before 1.11.0.
Impacto
Puntuación base 4.0
8.20
Gravedad 4.0
ALTA
Referencias a soluciones, herramientas e información
- https://cna.erlef.org/cves/CVE-2026-39804.html
- https://github.com/mtrudel/bandit/commit/8156921a51e684a951221da7bc30a70a022f722e
- https://github.com/mtrudel/bandit/security/advisories/GHSA-frh3-6pv6-rc8j
- https://osv.dev/vulnerability/EEF-CVE-2026-39804
- https://github.com/mtrudel/bandit/security/advisories/GHSA-frh3-6pv6-rc8j