CVE-2026-39804
Deferred Deferred - Pending Action
Allocation of Resources Without Limits or Throttling in Bandit WebSocket

Publication date: 2026-05-01

Last updated on: 2026-05-05

Assigner: EEF

Description
Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion when WebSocket permessage-deflate compression is enabled. 'Elixir.Bandit.WebSocket.PerMessageDeflate':inflate/2 in lib/bandit/websocket/permessage_deflate.ex calls :zlib.inflate/2 with no output-size cap, then materializes the entire decompressed payload as a single binary via IO.iodata_to_binary/1. The websocket_options.max_frame_size option only bounds the on-the-wire (compressed) frame size, not the decompressed output. A high-ratio compressed frame (e.g. uniform data at ~1024:1 ratio) can stay well under any wire-size limit while forcing GiB-scale heap allocations in the connection process before any application code runs. An unauthenticated attacker who can open a WebSocket connection can send a single such frame to exhaust the BEAM node's memory and trigger an OOM kill. This vulnerability requires both Bandit's server-level websocket_options.compress and the per-upgrade compress: true option passed to WebSockAdapter.upgrade/4 to be enabled. Stock Phoenix and LiveView applications are not affected as they default to compress: false. This issue affects bandit: from 0.5.9 before 1.11.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-05-05
Generated
2026-06-16
AI Q&A
2026-05-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39804
EUVD
EUVD-2026-26711
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
mtrudel bandit From 0.5.9 (inc) to 1.11.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability is an Allocation of Resources Without Limits or Throttling issue in the mtrudel bandit library. It occurs when WebSocket permessage-deflate compression is enabled. Specifically, the function responsible for decompressing WebSocket frames does not limit the size of the decompressed output, allowing an attacker to send a highly compressed frame that decompresses into a very large payload.

Because the decompression process materializes the entire decompressed payload in memory without size restrictions, an unauthenticated attacker who can open a WebSocket connection can send a single malicious frame that exhausts the server's memory, causing a denial of service by triggering an out-of-memory (OOM) kill.

This vulnerability requires both server-level compression options and per-connection compression to be enabled. Default Phoenix and LiveView applications are not affected because they disable this compression by default.

Impact Analysis

The primary impact of this vulnerability is a remote denial of service (DoS). An attacker can exhaust the server's memory by sending a specially crafted compressed WebSocket frame, causing the server process to be killed due to out-of-memory conditions.

This can lead to service unavailability, disruption of normal operations, and potential downtime until the server is restarted or recovered.

Mitigation Strategies

To mitigate this vulnerability, ensure that both Bandit's server-level websocket_options.compress and the per-upgrade compress: true option passed to WebSockAdapter.upgrade/4 are not enabled simultaneously.

Since stock Phoenix and LiveView applications default to compress: false, using these defaults can help avoid exposure.

Additionally, upgrading bandit to version 1.11.0 or later will resolve this issue.

Detection Guidance

Detection of this vulnerability involves identifying if the Bandit server is running a vulnerable version (0.5.9 to before 1.11.0) with WebSocket permessage-deflate compression enabled (both server-level websocket_options.compress and per-upgrade compress: true).

Since the vulnerability is triggered by a single highly compressed WebSocket frame that decompresses to a very large size, monitoring for unusually large memory usage or OOM kills on the BEAM node during WebSocket connections can be an indicator.

To detect if your system is vulnerable, you can check the Bandit version and configuration settings related to WebSocket compression.

  • Check Bandit version installed (example command):
  • mix deps | grep bandit
  • Check if websocket_options.compress is enabled in your Bandit server configuration files.
  • Check if compress: true is passed to WebSockAdapter.upgrade/4 in your application code.

For network detection, you can monitor WebSocket traffic for frames with suspiciously high compression ratios or unusually large decompressed payloads, but this requires deep packet inspection and custom tooling.

No specific commands for direct detection of the attack frames are provided in the resources.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39804. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart