CVE-2026-49755
Status: Received - Intake
Memory Exhaustion via Decompression Bomb in Req

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: EEF

Description

Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in wojtekmach Req allows attacker-controlled HTTP servers to exhaust memory in a Req client via decompression-bomb response bodies.

Req's default response pipeline includes Req.Steps.decode_body/1 and Req.Steps.decompress_body/1 in lib/req/steps.ex. decode_body/1 dispatches on the server-supplied content-type (or URL extension) and calls :zip.extract(body, [:memory]) for application/zip, :erl_tar.extract({:binary, body}, [:memory]) for application/x-tar, and :erl_tar.extract({:binary, body}, [:memory, :compressed]) for application/gzip / .tgz. Each returns the full decompressed archive contents as a [{name, bytes}] list in memory, with no per-entry or total size cap. decompress_body/1 walks the content-encoding header and chains :zlib/:brotli/:ezstd decoders, so a response advertising content-encoding: gzip, gzip, gzip inflates through multiple layers without bound.

Both steps are enabled by default, no caller opt-in is required, and the attacker controls the content-type and content-encoding headers on their own server (or on any host reached via Req's automatic redirect following). A sub-megabyte response can expand to multiple gigabytes on the victim, crashing the BEAM process. This issue affects req: from 0.1.0 before 0.6.1.
Meta Information

Generated: 2026-06-09
AI Q&A generated: 2026-06-08
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor      Product   Version / Range
wojtekmach  req       From 0.1.0 (inc) to 0.6.1 (exc)

CWE

CWE ID    Description
CWE-409   The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.

AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-49755 is a decompression bomb denial-of-service vulnerability in the Req library for Elixir/Erlang. It occurs because the library's default response pipeline automatically decodes and decompresses archive files (ZIP, TAR, GZIP) and content-encoded responses without enforcing size limits.

An attacker-controlled HTTP server can send a small compressed response (under 1MB) that expands to multiple gigabytes when decompressed by the Req client, exhausting memory and crashing the BEAM process.

The vulnerability arises from improper handling of highly compressed data, where no per-entry or total size caps are enforced during decompression.

Compliance Impact

CVE-2026-49755 is a denial-of-service vulnerability that can crash the BEAM runtime by exhausting memory through decompression bombs in the Req library. This primarily impacts system availability.

While the vulnerability does not directly disclose or manipulate personal or sensitive data, the resulting denial of service could affect the availability of systems processing regulated data under standards like GDPR or HIPAA.

Disruptions caused by this vulnerability could lead to non-compliance with availability requirements in such regulations, potentially impacting service continuity and data processing obligations.

Impact Analysis

This vulnerability can lead to a denial-of-service condition by exhausting the memory of the Req client application.

A malicious server can send a small compressed response that expands massively in memory, causing the BEAM runtime to crash and potentially impacting all workloads running on the same VM.

The attack requires no authentication and can affect any Elixir application using Req with its default pipeline to fetch URLs from untrusted sources, such as webhooks, link previews, OAuth clients, and redirects.

Detection Guidance

Detection of this vulnerability involves monitoring for unusually large memory usage or crashes in applications using the Req library versions from 0.1.0 to before 0.6.1 when processing HTTP responses.

Since the vulnerability is triggered by attacker-controlled HTTP servers sending highly compressed response bodies that decompress into very large sizes, you can look for requests to untrusted or suspicious URLs that return compressed content types such as application/zip, application/x-tar, or application/gzip.

Practical checks include monitoring logs for requests made by Req clients to suspicious endpoints and watching the memory usage of the BEAM process.

  • Use system monitoring tools like `top`, `htop`, or `ps` to observe BEAM process memory spikes.
  • Check application logs for HTTP responses with content-type headers indicating compressed archives (e.g., application/zip, application/x-tar, application/gzip).
  • Use network monitoring tools like `tcpdump` or Wireshark to capture HTTP traffic and filter for suspicious content-encoding or content-type headers.
  • If you have access to the application code or runtime, add logging around Req client calls to record response headers and sizes.

Mitigation Strategies

Immediate mitigation steps include disabling automatic response body decoding and decompression in the Req client when making requests to untrusted URLs.

Specifically, update the Req library to version 0.6.1 or later, where automatic decompression is disabled by default and must be explicitly enabled with the `compressed: true` option.

If upgrading is not immediately possible, configure your Req client to use the `:raw` option to disable both decompression and decoding of response bodies.

  • Upgrade Req library to version 0.6.1 or later.
  • Disable automatic decompression by not setting `compressed: true` in Req requests.
  • Use the `:raw` option in Req requests to avoid decompression and decoding.
  • Avoid making requests to untrusted or attacker-controlled servers using Req without these mitigations.
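As an added illustration of the mitigation above (example code, not Req's own): a client built with `raw: true` so the default decode/decompress steps never run, with a replacement gzip step that inflates through `:zlib.safeInflate/2` and aborts once the output passes a cap. It assumes Req's `raw` option, `Req.Request.append_response_steps/2` and `Req.Response.get_header/2`, and the 8 MiB cap is an arbitrary value chosen for the example.

```elixir
defmodule BoundedReq do
  # Assumed cap for this example; size it to what the caller can afford.
  @max_decoded 8 * 1024 * 1024

  def new(opts \\ []) do
    # raw: true disables Req's decode_body and decompress_body steps, so
    # nothing is inflated before our bounded step runs.
    Req.new(Keyword.put(opts, :raw, true))
    |> Req.Request.append_response_steps(bounded_gunzip: &bounded_gunzip_step/1)
  end

  # Only a single gzip content-encoding is inflated here; stacked encodings
  # and zip/tar archives are left as opaque bytes for the caller to handle
  # with its own limits.
  defp bounded_gunzip_step({request, response}) do
    case Req.Response.get_header(response, "content-encoding") do
      ["gzip"] ->
        case gunzip_bounded(response.body, @max_decoded) do
          {:ok, body} ->
            {request, %{response | body: body}}
          {:error, :too_large} ->
            {request, RuntimeError.exception("decoded body exceeds #{@max_decoded} bytes")}
        end
      _ ->
        {request, response}
    end
  end

  @doc "Inflate gzip data, aborting once more than max_out bytes have been produced."
  def gunzip_bounded(compressed, max_out) do
    z = :zlib.open()
    :ok = :zlib.inflateInit(z, 31)  # 31 = 15-bit window plus gzip header handling
    try do
      drain(z, :zlib.safeInflate(z, compressed), [], 0, max_out)
    after
      :zlib.close(z)
    end
  end

  # :zlib.safeInflate/2 yields a bounded chunk per call, so the running total
  # is checked before any further output is requested.
  defp drain(_z, {_tag, chunk}, _acc, size, max) when size + IO.iodata_length(chunk) > max,
    do: {:error, :too_large}
  defp drain(z, {:continue, chunk}, acc, size, max),
    do: drain(z, :zlib.safeInflate(z, []), [acc, chunk], size + IO.iodata_length(chunk), max)
  defp drain(_z, {:finished, chunk}, acc, _size, _max),
    do: {:ok, IO.iodata_to_binary([acc, chunk])}
end
```

`BoundedReq.new() |> Req.get(url: url)` returns `{:error, %RuntimeError{}}` rather than an unbounded body when a gzip bomb is served; the compressed bytes are still read off the wire, so pair this with a transport-level body limit if the wire size itself matters.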