CVE-2026-39804
Allocation of Resources Without Limits or Throttling in Bandit WebSocket
Publication date: 2026-05-01
Last updated on: 2026-05-05
Assigner: EEF
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mtrudel | bandit | From 0.5.9 (inc) to 1.11.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an Allocation of Resources Without Limits or Throttling issue in the mtrudel bandit library. It occurs when WebSocket permessage-deflate compression is enabled. Specifically, the function responsible for decompressing WebSocket frames does not limit the size of the decompressed output, allowing an attacker to send a highly compressed frame that decompresses into a very large payload.
Because the decompression process materializes the entire decompressed payload in memory without size restrictions, an unauthenticated attacker who can open a WebSocket connection can send a single malicious frame that exhausts the server's memory, causing a denial of service by triggering an out-of-memory (OOM) kill.
This vulnerability requires both server-level compression options and per-connection compression to be enabled. Default Phoenix and LiveView applications are not affected because they disable this compression by default.
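The defect class described above is a decompression bomb: the receiver inflates a frame with no cap on the output size. The following is an added example, written in Python rather than Bandit's Elixir and not taken from the Bandit project, that shows the unbounded pattern beside a bounded inflater of the kind a fix would use. It assumes permessage-deflate framing (raw DEFLATE with the trailing `00 00 ff ff` sync-flush block stripped by the sender and re-appended by the receiver); the helper names, the cap value and the constructed test frames are assumptions for illustration.

```python
"""Bounded inflate for permessage-deflate style frames (added example).

Illustrates, in Python, the defect behind CVE-2026-39804: inflating a
WebSocket frame with no limit on the decompressed size. Not Bandit's code.
"""
import zlib

# permessage-deflate sends raw DEFLATE (no zlib header) with the trailing
# 00 00 ff ff block removed; the receiver appends it again before inflating.
DEFLATE_TAIL = b"\x00\x00\xff\xff"


class FrameTooLarge(Exception):
    """Raised when the decompressed frame would exceed the configured cap."""


def deflate_frame(payload: bytes) -> bytes:
    """Build a permessage-deflate style frame body from a payload (constructed test input)."""
    c = zlib.compressobj(wbits=-15)
    body = c.compress(payload) + c.flush(zlib.Z_SYNC_FLUSH)
    assert body.endswith(DEFLATE_TAIL)
    return body[:-len(DEFLATE_TAIL)]


def inflate_unbounded(frame: bytes) -> bytes:
    """The vulnerable pattern: materialise the whole output, whatever its size."""
    d = zlib.decompressobj(wbits=-15)
    return d.decompress(frame + DEFLATE_TAIL) + d.flush()


def inflate_bounded(frame: bytes, max_decompressed: int) -> bytes:
    """Inflate in chunks and fail as soon as the output passes the cap.

    Decompress.decompress(data, max_length) returns at most max_length bytes and
    parks unprocessed input in .unconsumed_tail, so resident memory stays bounded
    by max_decompressed plus the (small) compressed input.
    """
    d = zlib.decompressobj(wbits=-15)
    out = bytearray()
    data = frame + DEFLATE_TAIL
    while not d.eof:
        # Ask for one byte past the cap so an oversize frame is detected
        # without ever buffering more than cap + 1 bytes.
        room = max_decompressed - len(out) + 1
        chunk = d.decompress(data, room)
        out += chunk
        if len(out) > max_decompressed:
            raise FrameTooLarge(f"decompressed size exceeds {max_decompressed} bytes")
        data = d.unconsumed_tail
        if not chunk and not data:
            # permessage-deflate messages end with a sync flush, not a final
            # block, so eof never becomes True; no input and no output means done.
            break
    return bytes(out)


if __name__ == "__main__":
    small = deflate_frame(b"hello websocket")
    print(inflate_bounded(small, 64))           # b'hello websocket'
    bomb = deflate_frame(b"\0" * (1 << 20))     # 1 MiB of zeros, a few hundred bytes compressed
    print(len(bomb), "compressed ->", len(inflate_unbounded(bomb)), "bytes materialised")
    try:
        inflate_bounded(bomb, 64 * 1024)
    except FrameTooLarge as e:
        print("rejected:", e)
```

The bounded version is what a server should run: the cap is a per-message policy limit (64 KiB here is an arbitrary assumed value), and a frame that crosses it is rejected before the allocation happens rather than after the BEAM node has been OOM-killed.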
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, ensure that Bandit's server-level `websocket_options.compress` and the per-upgrade `compress: true` option passed to `WebSockAdapter.upgrade/4` are not both enabled at the same time.
Since stock Phoenix and LiveView applications default to `compress: false`, keeping these defaults avoids exposure.
Additionally, upgrading bandit to version 1.11.0 or later resolves this issue.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying whether the Bandit server is running a vulnerable version (0.5.9 up to, but not including, 1.11.0) with WebSocket permessage-deflate compression enabled at both layers (server-level `websocket_options.compress` and per-upgrade `compress: true`).
Since the vulnerability is triggered by a single highly compressed WebSocket frame that decompresses to a very large size, monitoring for unusually large memory usage or OOM kills on the BEAM node during WebSocket connections can be an indicator.
To detect if your system is vulnerable, you can check the Bandit version and configuration settings related to WebSocket compression.
- Check the installed Bandit version (example command): `mix deps | grep bandit`
- Check whether `websocket_options.compress` is enabled in your Bandit server configuration files.
- Check whether `compress: true` is passed to `WebSockAdapter.upgrade/4` in your application code.
For network detection, you can monitor WebSocket traffic for frames with suspiciously high compression ratios or unusually large decompressed payloads, but this requires deep packet inspection and custom tooling.
No specific commands for direct detection of the attack frames are provided in the resources.
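The three checks above can be scripted against a project tree. The following is an added example, not from the advisory or the Bandit project: it reads the resolved bandit version from `mix.lock`, compares it with the affected range stated above, and scans source files for `compress: true` settings, classifying each hit as server-level (near `websocket_options`), per-upgrade (near `upgrade`) or unknown. The `mix.lock` regex, the keyword heuristics, the context window and the sample lock and source snippets are constructed assumptions; a hit marked unknown, or compression set through multi-line config the heuristic misses, still needs manual review.

```python
"""Heuristic exposure check for CVE-2026-39804 (added example, not Bandit's code).

Checks the two things the advisory lists: the resolved bandit version in
mix.lock, and whether permessage-deflate is switched on both server-wide
(websocket_options compress) and per upgrade (compress: true passed to
WebSockAdapter.upgrade/4). Regexes and samples are constructed for illustration.
"""
import re
from typing import NamedTuple

VULN_FROM = (0, 5, 9)     # inclusive lower bound, from the advisory
VULN_BEFORE = (1, 11, 0)  # exclusive upper bound, from the advisory

# Assumed mix.lock shape: "bandit": {:hex, :bandit, "1.5.7", ...}
LOCK_RE = re.compile(r'"bandit":\s*\{:hex,\s*:bandit,\s*"([^"]+)"')
COMPRESS_RE = re.compile(r'\bcompress:\s*true\b')
CONTEXT_LINES = 3  # how far back to look for the enclosing option keyword


def parse_version(text: str) -> tuple:
    """'1.11.0-rc.1' -> (1, 11, 0); pre-release and build tags are ignored (assumption)."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(p) for p in core.split("."))


def bandit_version_from_lock(lock_text: str):
    """Return the resolved bandit version string, or None if bandit is not locked."""
    m = LOCK_RE.search(lock_text)
    return m.group(1) if m else None


def version_in_vulnerable_range(version: str) -> bool:
    return VULN_FROM <= parse_version(version) < VULN_BEFORE


class Finding(NamedTuple):
    path: str
    line_no: int
    scope: str  # "server", "upgrade" or "unknown"
    line: str


def find_compress_settings(path: str, source: str) -> list:
    """Locate compress: true and guess which layer it belongs to from nearby keywords."""
    lines = source.splitlines()
    findings = []
    for i, line in enumerate(lines):
        if not COMPRESS_RE.search(line):
            continue
        window = "\n".join(lines[max(0, i - CONTEXT_LINES): i + 1])
        if "websocket_options" in window:
            scope = "server"
        elif "upgrade" in window:
            scope = "upgrade"
        else:
            scope = "unknown"
        findings.append(Finding(path, i + 1, scope, line.strip()))
    return findings


def assess(lock_text: str, sources: dict) -> dict:
    """Combine the version check and the configuration scan into one verdict."""
    version = bandit_version_from_lock(lock_text)
    findings = [f for path, src in sources.items() for f in find_compress_settings(path, src)]
    scopes = {f.scope for f in findings}
    return {
        "bandit_version": version,
        "vulnerable_version": bool(version) and version_in_vulnerable_range(version),
        "findings": findings,
        # The advisory says both layers must be on for the issue to be reachable.
        "both_layers_enabled": {"server", "upgrade"} <= scopes,
        "needs_review": "unknown" in scopes,
    }


# Constructed sample inputs (hashes and module names are placeholders).
SAMPLE_LOCK = '''%{
  "bandit": {:hex, :bandit, "1.5.7", "HASH_PLACEHOLDER", [:mix], [], "hexpm", "HASH_PLACEHOLDER"},
}
'''
SAMPLE_SOURCES = {
    "config/runtime.exs": '''config :my_app, MyAppWeb.Endpoint,
  http: [
    port: 4000,
    websocket_options: [compress: true]
  ]
''',
    "lib/my_app_web/socket_controller.ex": '''def upgrade(conn, _params) do
  WebSockAdapter.upgrade(conn, MyApp.Handler, %{}, compress: true)
end
''',
}

if __name__ == "__main__":
    result = assess(SAMPLE_LOCK, SAMPLE_SOURCES)
    for key, value in result.items():
        print(f"{key}: {value}")
```

In a real project, replace the sample strings with the contents of `mix.lock` and the `.ex`/`.exs` files under `config/` and `lib/`; a result with `vulnerable_version` and `both_layers_enabled` both true is the exposed configuration the advisory describes.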
How can this vulnerability impact me?
The primary impact of this vulnerability is a remote denial of service (DoS). An attacker can exhaust the server's memory by sending a specially crafted compressed WebSocket frame, causing the server process to be killed due to out-of-memory conditions.
This can lead to service unavailability, disruption of normal operations, and potential downtime until the server is restarted or recovered.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.