Skip to main content

Tesla (Elixir HTTP client) EUVDEUVD-2026-34015

| CVE-2026-48594 HIGH
Improper Handling of Highly Compressed Data (Data Amplification) (CWE-409)
2026-06-02 EEF GHSA-mc85-72gr-vm9f
8.2
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 02, 2026 - 20:28 vuln.today
Analysis Generated
Jun 02, 2026 - 20:28 vuln.today
CVSS changed
Jun 02, 2026 - 20:22 NVD
8.2 (HIGH)

DescriptionCVE.org

Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-tesla tesla allows a denial of service via decompression bomb in HTTP response bodies.

When Tesla.Middleware.DecompressResponse or Tesla.Middleware.Compression is included in a Tesla middleware pipeline, HTTP response bodies are decompressed eagerly with no size limit. The decompress_body/2 function in lib/tesla/middleware/compression.ex passes the entire response body to :zlib.gunzip/1 or :zlib.unzip/1 without any cap on the output size. Additionally, compression_algorithms/1 splits the content-encoding header on commas and decompress_body/2 recurses once per token, applying a decompression pass on each iteration. A server advertising content-encoding: gzip, gzip, gzip, gzip causes four recursive decompression passes, yielding exponential amplification: each gzip layer can expand its input roughly 1000x, so a payload of a few hundred bytes on the wire inflates to gigabytes of BEAM heap, exhausting memory and crashing or freezing the calling process.

This issue affects tesla: from 0.6.0 before 1.18.3.

AnalysisAI

Denial-of-service in elixir-tesla Tesla versions 0.6.0 through 1.18.2 allows remote servers to crash or freeze calling Elixir/BEAM processes by returning a tiny gzip- or deflate-encoded response body that decompresses into gigabytes. The flaw lives in Tesla.Middleware.DecompressResponse / Tesla.Middleware.Compression, which eagerly inflated response bodies with no size cap and recursed once per token in the content-encoding header, so a header of 'gzip, gzip, gzip, gzip' produced exponential amplification. No public exploit identified at time of analysis, but the vendor has shipped a patch in 1.18.3 and the CVSS 4.0 score of 8.2 (VA:H) reflects high availability impact.

Technical ContextAI

Tesla is a widely used HTTP client library for Elixir applications running on the BEAM virtual machine. The vulnerable code is in lib/tesla/middleware/compression.ex, where decompress_body/2 passed the entire response body to :zlib.gunzip/1 or :zlib.unzip/1 in one shot and recursed across every comma-separated token in the content-encoding header. CWE-409 (Improper Handling of Highly Compressed Data / 'decompression bomb') is the root-cause class: gzip can achieve ~1000x ratios per layer, so four stacked layers (a few hundred bytes on the wire) inflate to gigabytes that the BEAM holds entirely in heap before yielding control. CPE 2.3 pins the affected product as cpe:2.3:a:elixir-tesla:tesla covering all versions in the 0.6.0-1.18.2 range.

RemediationAI

Upgrade the tesla Hex dependency to 1.18.3 or later, which lands the fix in commit 340f75b5d191dc747ef7ac6365bd002d1cd55a9d (Vendor-released patch: 1.18.3). The patched middleware now requires an explicit :max_body_size option (e.g. {Tesla.Middleware.Compression, format: "gzip", max_body_size: 32 * 1024 * 1024}), streams inflation through :zlib.safeInflate/2 so the cap aborts decompression before the full body materializes, and refuses responses that advertise more than one supported content-encoding codec by raising Tesla.Middleware.Compression.Error - note this is a behavioral break that will surface as ArgumentError on startup until every Compression middleware call site is updated. If you cannot upgrade immediately, remove Tesla.Middleware.DecompressResponse and Tesla.Middleware.Compression from middleware pipelines that talk to untrusted hosts (trade-off: callers must handle compressed bodies manually or accept uncompressed responses), restrict outbound HTTP via an egress proxy that strips or rejects content-encoding stacking, and constrain the BEAM with per-process heap limits (max_heap_size) so a single runaway decompression does not exhaust the node. See the advisory at https://github.com/elixir-tesla/tesla/security/advisories/GHSA-mc85-72gr-vm9f for full guidance.

Share

EUVD-2026-34015 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy