CVE-2026-48594

HIGH EPSS 24.7%
Published Jun 2, 20264w ago · Modified Jun 17, 20262w ago
8.2 CVSS 4.0
High
Find Similar
Published Jun 2, 2026 4w ago
Last Modified Jun 17, 2026 2w ago

Description

Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-tesla tesla allows a denial of service via decompression bomb in HTTP response bodies. When Tesla.Middleware.DecompressResponse or Tesla.Middleware.Compression is included in a Tesla middleware pipeline, HTTP response bodies are decompressed eagerly with no size limit. The decompress_body/2 function in lib/tesla/middleware/compression.ex passes the entire response body to :zlib.gunzip/1 or :zlib.unzip/1 without any cap on the output size. Additionally, compression_algorithms/1 splits the content-encoding header on commas and decompress_body/2 recurses once per token, applying a decompression pass on each iteration. A server advertising content-encoding: gzip, gzip, gzip, gzip causes four recursive decompression passes, yielding exponential amplification: each gzip layer can expand its input roughly 1000x, so a payload of a few hundred bytes on the wire inflates to gigabytes of BEAM heap, exhausting memory and crashing or freezing the calling process. This issue affects tesla: from 0.6.0 before 1.18.3.

CVSS Details

Base Score
8.2
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
24.7% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-409

References 4

  • cna.erlef.org https://cna.erlef.org/cves/CVE-2026-48594.html
  • github.com https://github.com/elixir-tesla/tesla/commit/340f75b5d191dc747ef7ac6365bd002d1cd55a9d
  • github.com https://github.com/elixir-tesla/tesla/security/advisories/GHSA-mc85-72gr-vm9f
  • osv.dev https://osv.dev/vulnerability/EEF-CVE-2026-48594

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.