CVE-2026-48594 - Vulnerability Details

Vendors	Products
Elixir-tesla	Tesla

Link	Providers
https://cna.erlef.org/cves/CVE-2026-48594.html
https://github.com/elixir-tesla/tesla/commit/340f75b5d191dc747ef7ac6365bd002d1cd55a9d
https://github.com/elixir-tesla/tesla/security/advisories/GHSA-mc85-72gr-vm9f
https://osv.dev/vulnerability/EEF-CVE-2026-48594

Type	Values Removed	Values Added
Description		Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-tesla tesla allows a denial of service via decompression bomb in HTTP response bodies. When Tesla.Middleware.DecompressResponse or Tesla.Middleware.Compression is included in a Tesla middleware pipeline, HTTP response bodies are decompressed eagerly with no size limit. The decompress_body/2 function in lib/tesla/middleware/compression.ex passes the entire response body to :zlib.gunzip/1 or :zlib.unzip/1 without any cap on the output size. Additionally, compression_algorithms/1 splits the content-encoding header on commas and decompress_body/2 recurses once per token, applying a decompression pass on each iteration. A server advertising content-encoding: gzip, gzip, gzip, gzip causes four recursive decompression passes, yielding exponential amplification: each gzip layer can expand its input roughly 1000x, so a payload of a few hundred bytes on the wire inflates to gigabytes of BEAM heap, exhausting memory and crashing or freezing the calling process. This issue affects tesla: from 0.6.0 before 1.18.3.
Title		Decompression bomb in Tesla.Middleware.DecompressResponse and Tesla.Middleware.Compression
First Time appeared		Elixir-tesla Elixir-tesla tesla
Weaknesses		CWE-409
CPEs		cpe:2.3:a:elixir-tesla:tesla::::::::
Vendors & Products		Elixir-tesla Elixir-tesla tesla
References		https://cna.erlef.org/cves/CVE-2026-48594.html https://github.com/elixir-tesla/tesla/commit/340f75b5d191dc747ef7ac6365bd002d1cd55a9d https://github.com/elixir-tesla/tesla/security/advisories/GHSA-mc85-72gr-vm9f https://osv.dev/vulnerability/EEF-CVE-2026-48594
Metrics		cvssV4_0 `{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}`

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-48594", "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "state": "PUBLISHED", "assignerShortName": "EEF", "dateReserved": "2026-05-22T09:36:56.834Z", "datePublished": "2026-06-02T19:08:49.596Z", "dateUpdated": "2026-06-02T19:12:25.393Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.hex.pm", "cpes": ["cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "modules": ["'Elixir.Tesla.Middleware.Compression'", "'Elixir.Tesla.Middleware.DecompressResponse'"], "packageName": "tesla", "packageURL": "pkg:hex/tesla", "product": "tesla", "programFiles": ["lib/tesla/middleware/compression.ex"], "programRoutines": [{"name": "'Elixir.Tesla.Middleware.DecompressResponse':call/3"}, {"name": "'Elixir.Tesla.Middleware.Compression':call/3"}], "repo": "https://github.com/elixir-tesla/tesla", "vendor": "elixir-tesla", "versions": [{"lessThan": "1.18.3", "status": "affected", "version": "0.6.0", "versionType": "semver"}]}, {"collectionURL": "https://github.com", "cpes": ["cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "modules": ["'Elixir.Tesla.Middleware.Compression'", "'Elixir.Tesla.Middleware.DecompressResponse'"], "packageName": "elixir-tesla/tesla", "packageURL": "pkg:github/elixir-tesla/tesla", "product": "tesla", "programFiles": ["lib/tesla/middleware/compression.ex"], "programRoutines": [{"name": "'Elixir.Tesla.Middleware.DecompressResponse':call/3"}, {"name": "'Elixir.Tesla.Middleware.Compression':call/3"}], "repo": "https://github.com/elixir-tesla/tesla.git", "vendor": "elixir-tesla", "versions": [{"lessThan": "340f75b5d191dc747ef7ac6365bd002d1cd55a9d", "status": "affected", "version": "5bd90bb5cf0d15e375edc2a66fa322292940fce2", "versionType": "git"}]}], "configurations": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The application must include <tt>Tesla.Middleware.DecompressResponse</tt> or <tt>Tesla.Middleware.Compression</tt> in its Tesla middleware pipeline."}], "value": "The application must include Tesla.Middleware.DecompressResponse or Tesla.Middleware.Compression in its Tesla middleware pipeline."}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.18.3", "versionStartIncluding": "0.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "credits": [{"lang": "en", "type": "finder", "value": "Peter Ullrich"}, {"lang": "en", "type": "remediation developer", "value": "Yordis Prieto"}, {"lang": "en", "type": "analyst", "value": "Jonatan M\u00e4nnchen"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-tesla tesla allows a denial of service via decompression bomb in HTTP response bodies.<p>When <tt>Tesla.Middleware.DecompressResponse</tt> or <tt>Tesla.Middleware.Compression</tt> is included in a Tesla middleware pipeline, HTTP response bodies are decompressed eagerly with no size limit. The <tt>decompress_body/2</tt> function in <tt>lib/tesla/middleware/compression.ex</tt> passes the entire response body to <tt>:zlib.gunzip/1</tt> or <tt>:zlib.unzip/1</tt> without any cap on the output size. Additionally, <tt>compression_algorithms/1</tt> splits the <tt>content-encoding</tt> header on commas and <tt>decompress_body/2</tt> recurses once per token, applying a decompression pass on each iteration. A server advertising <tt>content-encoding: gzip, gzip, gzip, gzip</tt> causes four recursive decompression passes, yielding exponential amplification: each gzip layer can expand its input roughly 1000x, so a payload of a few hundred bytes on the wire inflates to gigabytes of BEAM heap, exhausting memory and crashing or freezing the calling process.</p><p>This issue affects tesla: from 0.6.0 before 1.18.3.</p>"}], "value": "Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-tesla tesla allows a denial of service via decompression bomb in HTTP response bodies.\n\nWhen Tesla.Middleware.DecompressResponse or Tesla.Middleware.Compression is included in a Tesla middleware pipeline, HTTP response bodies are decompressed eagerly with no size limit. The decompress_body/2 function in lib/tesla/middleware/compression.ex passes the entire response body to :zlib.gunzip/1 or :zlib.unzip/1 without any cap on the output size. Additionally, compression_algorithms/1 splits the content-encoding header on commas and decompress_body/2 recurses once per token, applying a decompression pass on each iteration. A server advertising content-encoding: gzip, gzip, gzip, gzip causes four recursive decompression passes, yielding exponential amplification: each gzip layer can expand its input roughly 1000x, so a payload of a few hundred bytes on the wire inflates to gigabytes of BEAM heap, exhausting memory and crashing or freezing the calling process.\n\nThis issue affects tesla: from 0.6.0 before 1.18.3."}], "impacts": [{"capecId": "CAPEC-130", "descriptions": [{"lang": "en", "value": "CAPEC-130 Excessive Allocation"}]}], "metrics": [{"cvssV4_0": {"attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 8.2, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-409", "description": "CWE-409 Improper Handling of Highly Compressed Data (Data Amplification)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "shortName": "EEF", "dateUpdated": "2026-06-02T19:12:25.393Z"}, "references": [{"tags": ["vendor-advisory", "related"], "url": "https://github.com/elixir-tesla/tesla/security/advisories/GHSA-mc85-72gr-vm9f"}, {"tags": ["related"], "url": "https://cna.erlef.org/cves/CVE-2026-48594.html"}, {"tags": ["related"], "url": "https://osv.dev/vulnerability/EEF-CVE-2026-48594"}, {"tags": ["patch"], "url": "https://github.com/elixir-tesla/tesla/commit/340f75b5d191dc747ef7ac6365bd002d1cd55a9d"}], "source": {"discovery": "EXTERNAL"}, "title": "Decompression bomb in Tesla.Middleware.DecompressResponse and Tesla.Middleware.Compression", "x_generator": {"engine": "cvelib 1.8.0"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-tesla tesla allows a denial of service via decompression bomb in HTTP response bodies.\n\nWhen Tesla.Middleware.DecompressResponse or Tesla.Middleware.Compression is included in a Tesla middleware pipeline, HTTP response bodies are decompressed eagerly with no size limit. The decompress_body/2 function in lib/tesla/middleware/compression.ex passes the entire response body to :zlib.gunzip/1 or :zlib.unzip/1 without any cap on the output size. Additionally, compression_algorithms/1 splits the content-encoding header on commas and decompress_body/2 recurses once per token, applying a decompression pass on each iteration. A server advertising content-encoding: gzip, gzip, gzip, gzip causes four recursive decompression passes, yielding exponential amplification: each gzip layer can expand its input roughly 1000x, so a payload of a few hundred bytes on the wire inflates to gigabytes of BEAM heap, exhausting memory and crashing or freezing the calling process.\n\nThis issue affects tesla: from 0.6.0 before 1.18.3."}], "id": "CVE-2026-48594", "lastModified": "2026-06-02T20:16:38.193", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "type": "Secondary"}]}, "published": "2026-06-02T20:16:38.193", "references": [{"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "url": "https://cna.erlef.org/cves/CVE-2026-48594.html"}, {"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "url": "https://github.com/elixir-tesla/tesla/commit/340f75b5d191dc747ef7ac6365bd002d1cd55a9d"}, {"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "url": "https://github.com/elixir-tesla/tesla/security/advisories/GHSA-mc85-72gr-vm9f"}, {"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "url": "https://osv.dev/vulnerability/EEF-CVE-2026-48594"}], "sourceIdentifier": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-409"}], "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "type": "Secondary"}]}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object