Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

EEF-CVE-2026-48594

High CVSS: 8.2
Permalink JSON

Decompression bomb in Tesla.Middleware.DecompressResponse and Tesla.Middleware.Compression

Affected Packages Affected Versions Fixed Versions
hex:tesla >= 0.6.0, < 1.18.3 1.18.3
574 Dependent packages
1,212 Dependent repositories
71,937,402 Downloads total

Affected Version Ranges

All affected versions

0.6.0, 0.7.0, 0.7.1, 0.7.2, 0.8.0, 0.9.0, 0.10.0, 1.0.0, 1.0.0-beta.1, 1.1.0, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.5.0, 1.5.1, 1.6.0, 1.6.1, 1.7.0, 1.8.0, 1.8.1, 1.9.0, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.11.0, 1.11.1, 1.11.2, 1.12.0, 1.12.1, 1.12.2, 1.12.3, 1.13.0, 1.13.1, 1.13.2, 1.14.0, 1.14.1, 1.14.2, 1.14.3, 1.15.0, 1.15.1, 1.15.2, 1.15.3, 1.16.0, 1.17.0, 1.18.0, 1.18.1, 1.18.2

All unaffected versions

0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.2.1, 0.2.2, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.5.0, 0.5.1, 0.5.2, 1.18.3, 1.20.0

Potentially Affected Packages

These packages share the same source repository and may be affected by this vulnerability, but are not listed in the advisory.

Package Ecosystem Latest Version Classification
github.com/elixir-tesla/tesla go Repackage

Summary

Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-tesla tesla allows a denial of service via decompression bomb in HTTP response bodies.

When Tesla.Middleware.DecompressResponse or Tesla.Middleware.Compression is included in a Tesla middleware pipeline, HTTP response bodies are decompressed eagerly with no size limit. The decompress_body/2 function in lib/tesla/middleware/compression.ex passes the entire response body to :zlib.gunzip/1 or :zlib.unzip/1 without any cap on the output size. Additionally, compression_algorithms/1 splits the content-encoding header on commas and decompress_body/2 recurses once per token, applying a decompression pass on each iteration. A server advertising content-encoding: gzip, gzip, gzip, gzip causes four recursive decompression passes, yielding exponential amplification: each gzip layer can expand its input roughly 1000x, so a payload of a few hundred bytes on the wire inflates to gigabytes of BEAM heap, exhausting memory and crashing or freezing the calling process.

This issue affects tesla: from 0.6.0 before 1.18.3.

Configuration

The application must include Tesla.Middleware.DecompressResponse or Tesla.Middleware.Compression in its Tesla middleware pipeline.

References:

Identifiers

EEF-CVE-2026-48594

GHSA-mc85-72gr-vm9f

CVE-2026-48594

Risk

Severity

High

CVSS

CVSS Score: 8.2

CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Source

Erlang Ecosystem Foundation

Origin

Erlef

Repository

https://github.com/elixir-tesla/tesla
View on Ecosyste.ms

Date and time

Published

13 days ago

Updated

12 days ago

API

JSON