CVE-2026-48594
Undergoing Analysis Undergoing Analysis - In Progress
Denial of Service via Data Amplification in Tesla

Publication date: 2026-06-02

Last updated on: 2026-06-03

Assigner: EEF

Description
Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-tesla tesla allows a denial of service via decompression bomb in HTTP response bodies. When Tesla.Middleware.DecompressResponse or Tesla.Middleware.Compression is included in a Tesla middleware pipeline, HTTP response bodies are decompressed eagerly with no size limit. The decompress_body/2 function in lib/tesla/middleware/compression.ex passes the entire response body to :zlib.gunzip/1 or :zlib.unzip/1 without any cap on the output size. Additionally, compression_algorithms/1 splits the content-encoding header on commas and decompress_body/2 recurses once per token, applying a decompression pass on each iteration. A server advertising content-encoding: gzip, gzip, gzip, gzip causes four recursive decompression passes, yielding exponential amplification: each gzip layer can expand its input roughly 1000x, so a payload of a few hundred bytes on the wire inflates to gigabytes of BEAM heap, exhausting memory and crashing or freezing the calling process. This issue affects tesla: from 0.6.0 before 1.18.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-02
Last Modified
2026-06-03
Generated
2026-06-23
AI Q&A
2026-06-02
EPSS Evaluated
2026-06-21
NVD
CVE-2026-48594
EUVD
EUVD-2026-34015
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
elixir-tesla tesla From 0.6.0 (inc) to 1.18.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-409 The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-48594 is a vulnerability in the elixir-tesla library that involves improper handling of highly compressed data, specifically a decompression bomb attack.

When the Tesla.Middleware.DecompressResponse or Tesla.Middleware.Compression middleware is used, HTTP response bodies are decompressed eagerly without any size limit.

The decompress_body/2 function passes the entire response body to decompression functions without capping the output size, and recursively decompresses each content-encoding token.

This recursive decompression can cause exponential amplification, where a small compressed payload expands to gigabytes of memory usage, exhausting system resources and crashing or freezing the process.

For example, a server advertising multiple gzip encodings (like "gzip, gzip, gzip, gzip") can cause four decompression passes, each expanding roughly 1000x, leading to massive memory consumption.

Impact Analysis

This vulnerability can lead to a denial-of-service (DoS) condition by exhausting memory resources on the BEAM virtual machine.

An attacker-controlled server can send a small compressed response that expands exponentially when decompressed, consuming gigabytes of memory.

This excessive memory usage can crash or freeze the affected application process or node, causing service disruption.

The vulnerability requires no special privileges and can be triggered remotely via network requests.

Detection Guidance

This vulnerability can be detected by monitoring for unusually high memory usage or crashes in applications using the elixir-tesla library, especially when processing HTTP responses with multiple gzip content-encoding layers.

Since the vulnerability involves decompression bombs in HTTP response bodies, network detection can focus on identifying HTTP responses with suspiciously repeated or multiple gzip content-encoding headers, such as "gzip, gzip, gzip, gzip".

Commands to detect this might include network traffic inspection tools like tcpdump or Wireshark to filter HTTP responses with multiple gzip encodings, for example:

  • tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i 'content-encoding: gzip'
  • Using Wireshark, apply a display filter for HTTP responses and inspect the Content-Encoding header for multiple gzip entries.

On the application side, enabling detailed logging around Tesla HTTP client middleware decompression steps and monitoring for Tesla.Middleware.Compression.Error exceptions related to max_body_size_exceeded (if the fix is applied) can help detect exploitation attempts.

Mitigation Strategies

The primary immediate mitigation is to upgrade the elixir-tesla library to version 1.18.3 or later, where the vulnerability is fixed.

The fix introduces a mandatory :max_body_size option that limits the decompressed response size, preventing memory exhaustion from decompression bombs.

Additionally, the updated middleware rejects HTTP responses advertising multiple compression codecs, which are commonly used in decompression bomb attacks.

If upgrading immediately is not possible, consider implementing network-level controls to block or inspect HTTP responses with suspicious multiple gzip content-encoding headers.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48594. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart