CVE-2026-49755
CVE-2026-49755 is a high-severity vulnerability with a CVSS 4.0 base score of 8.2. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-409.
Key facts
- Severity: High (CVSS 4.0 base score 8.2)
- EPSS exploit prediction: 0% (35th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-35098
- Weakness: CWE-409
- Published:
- Last modified:
Description
Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in wojtekmach Req allows attacker-controlled HTTP servers to exhaust memory in a Req client via decompression-bomb response bodies. Req's default response pipeline includes Req.Steps.decode_body/1 and Req.Steps.decompress_body/1 in lib/req/steps.ex. decode_body/1 dispatches on the server-supplied content-type (or URL extension) and calls :zip.extract(body, [:memory]) for application/zip, :erl_tar.extract({:binary, body}, [:memory]) for application/x-tar, and :erl_tar.extract({:binary, body}, [:memory, :compressed]) for application/gzip / .tgz. Each returns the full decompressed archive contents as a [{name, bytes}] list in memory, with no per-entry or total size cap. decompress_body/1 walks the content-encoding header and chains :zlib/:brotli/:ezstd decoders, so a response advertising content-encoding: gzip, gzip, gzip inflates through multiple layers without bound. Both steps are enabled by default, no caller opt-in is required, and the attacker controls the content-type and content-encoding headers on their own server (or on any host reached via Req's automatic redirect following). A sub-megabyte response can expand to multiple gigabytes on the victim, crashing the BEAM process. This issue affects req: from 0.1.0 before 0.6.1.
Frequently asked questions
- What is CVE-2026-49755?
- Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in wojtekmach Req allows attacker-controlled HTTP servers to exhaust memory in a Req client via decompression-bomb response bodies. Req's default response pipeline includes Req.Steps.decode_body/1 and Req.Steps.decompress_body/1 in lib/req/steps.ex. decode_body/1 dispatches on the server-supplied content-type (or URL extension) and calls :zip.extract(body, [:memory]) for application/zip, :erl_tar.extract({:binary, body}, [:memory]) for application/x-tar, and :erl_tar.extract({:binary, body}, [:memory, :compressed]) for application/gzip / .tgz. Each returns the full decompressed archive contents as a [{name, bytes}] list in memory, with no per-entry or total size cap. decompress_body/1 walks the content-encoding header and chains :zlib/:brotli/:ezstd decoders, so a response advertising content-encoding: gzip, gzip, gzip inflates through multiple layers without bound. Both steps are enabled by default, no caller opt-in is required, and the attacker controls the content-type and content-encoding headers on their own server (or on any host reached via Req's automatic redirect following). A sub-megabyte response can expand to multiple gigabytes on the victim, crashing the BEAM process. This issue affects req: from 0.1.0 before 0.6.1.
- How severe is CVE-2026-49755?
- CVE-2026-49755 has a CVSS 4.0 base score of 8.2, rated high severity.
- Is CVE-2026-49755 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (35th percentile), an estimate of the probability of exploitation in the next 30 days.
- How do I fix CVE-2026-49755?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2026-49755 have an EU (EUVD) identifier?
- Yes. CVE-2026-49755 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-35098.
- When was CVE-2026-49755 published?
- CVE-2026-49755 was published on 2026-06-08 and last updated on 2026-06-17.
References
- https://cna.erlef.org/cves/CVE-2026-49755.html
- https://github.com/wojtekmach/req/commit/84977e5b1a83f26e749d55ad06e3625464af4e8d
- https://github.com/wojtekmach/req/security/advisories/GHSA-655f-mp8p-96gv
- https://osv.dev/vulnerability/EEF-CVE-2026-49755
Other CWE-409 vulnerabilities
- CVE-2026-53430 — High (CVSS 8.7): Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-grpc grpc…
- CVE-2026-44697 — High (CVSS 8.6): Klever-Go is the Go implementation of the Klever blockchain protocol. Prior to 1.7.17, a remote, unauthenticated…
- CVE-2026-48594 — High (CVSS 8.2): Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-tesla tesla allows a denial of…
- CVE-2026-43970 — High (CVSS 8.2): Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in ninenines cowlib allows…
- CVE-2026-24264 — High (CVSS 7.5): NVIDIA Triton Inference Server for Linux contains a vulnerability where an attacker can cause improper handling of…
- CVE-2026-48044 — High (CVSS 7.5): Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.23.0 until 1.35.11,…