{"uuid":"EEF-CVE-2026-48594","url":"https://github.com/elixir-tesla/tesla/security/advisories/GHSA-mc85-72gr-vm9f","title":"Decompression bomb in Tesla.Middleware.DecompressResponse and Tesla.Middleware.Compression","description":"## Summary\n\nImproper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-tesla tesla allows a denial of service via decompression bomb in HTTP response bodies.\n\nWhen Tesla.Middleware.DecompressResponse or Tesla.Middleware.Compression is included in a Tesla middleware pipeline, HTTP response bodies are decompressed eagerly with no size limit. The decompress\\_body/2 function in lib/tesla/middleware/compression.ex passes the entire response body to :zlib.gunzip/1 or :zlib.unzip/1 without any cap on the output size. Additionally, compression\\_algorithms/1 splits the content-encoding header on commas and decompress\\_body/2 recurses once per token, applying a decompression pass on each iteration. A server advertising content-encoding: gzip, gzip, gzip, gzip causes four recursive decompression passes, yielding exponential amplification: each gzip layer can expand its input roughly 1000x, so a payload of a few hundred bytes on the wire inflates to gigabytes of BEAM heap, exhausting memory and crashing or freezing the calling process.\n\nThis issue affects tesla: from 0.6.0 before 1.18.3.\n\n## Configuration\n\nThe application must include Tesla.Middleware.DecompressResponse or Tesla.Middleware.Compression in its Tesla middleware pipeline.","origin":"ERLEF","severity":"HIGH","published_at":"2026-06-02T19:08:49.596Z","withdrawn_at":null,"classification":null,"cvss_score":8.2,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N","references":["https://github.com/elixir-tesla/tesla/security/advisories/GHSA-mc85-72gr-vm9f","https://cna.erlef.org/cves/CVE-2026-48594.html","https://github.com/elixir-tesla/tesla/commit/340f75b5d191dc747ef7ac6365bd002d1cd55a9d","https://hex.pm/packages/tesla"],"source_kind":"erlef","identifiers":["EEF-CVE-2026-48594","GHSA-mc85-72gr-vm9f","CVE-2026-48594"],"repository_url":"https://github.com/elixir-tesla/tesla","blast_radius":25.28472148260819,"created_at":"2026-06-02T19:19:28.007Z","updated_at":"2026-06-16T03:18:22.201Z","epss_percentage":null,"epss_percentile":null,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/EEF-CVE-2026-48594","html_url":"https://advisories.ecosyste.ms/advisories/EEF-CVE-2026-48594","packages":[{"ecosystem":"hex","package_name":"tesla","versions":[{"first_patched_version":"1.18.3","vulnerable_version_range":"\u003e= 0.6.0, \u003c 1.18.3"}],"purl":null,"statistics":{"dependent_packages_count":574,"dependent_repos_count":1212,"downloads":71937402,"downloads_period":"total"},"affected_versions":["0.6.0","0.7.0","0.7.1","0.7.2","0.8.0","0.9.0","0.10.0","1.0.0","1.0.0-beta.1","1.1.0","1.2.0","1.2.1","1.3.0","1.3.1","1.3.2","1.3.3","1.4.0","1.4.1","1.4.2","1.4.3","1.4.4","1.5.0","1.5.1","1.6.0","1.6.1","1.7.0","1.8.0","1.8.1","1.9.0","1.10.0","1.10.1","1.10.2","1.10.3","1.11.0","1.11.1","1.11.2","1.12.0","1.12.1","1.12.2","1.12.3","1.13.0","1.13.1","1.13.2","1.14.0","1.14.1","1.14.2","1.14.3","1.15.0","1.15.1","1.15.2","1.15.3","1.16.0","1.17.0","1.18.0","1.18.1","1.18.2"],"unaffected_versions":["0.1.0","0.1.1","0.1.2","0.1.3","0.1.4","0.1.5","0.2.1","0.2.2","0.3.1","0.3.2","0.3.3","0.3.4","0.3.5","0.3.6","0.5.0","0.5.1","0.5.2","1.18.3","1.20.0"]}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/EEF-CVE-2026-48594/related_packages","related_advisories":[]}