{
  "id": "CVE-2026-49755",
  "summary": "Decompression bomb DoS in Req via auto-decoded archive and compressed response bodies",
  "details": "Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in wojtekmach Req allows attacker-controlled HTTP servers to exhaust memory in a Req client via decompression-bomb response bodies.\n\nReq's default response pipeline includes Req.Steps.decode_body/1 and Req.Steps.decompress_body/1 in lib/req/steps.ex. decode_body/1 dispatches on the server-supplied content-type (or URL extension) and calls :zip.extract(body, [:memory]) for application/zip, :erl_tar.extract({:binary, body}, [:memory]) for application/x-tar, and :erl_tar.extract({:binary, body}, [:memory, :compressed]) for application/gzip / .tgz. Each returns the full decompressed archive contents as a [{name, bytes}] list in memory, with no per-entry or total size cap. decompress_body/1 walks the content-encoding header and chains :zlib/:brotli/:ezstd decoders, so a response advertising content-encoding: gzip, gzip, gzip inflates through multiple layers without bound.\n\nBoth steps are enabled by default, no caller opt-in is required, and the attacker controls the content-type and content-encoding headers on their own server (or on any host reached via Req's automatic redirect following). A sub-megabyte response can expand to multiple gigabytes on the victim, crashing the BEAM process.\n\nThis issue affects req: from 0.1.0 before 0.6.1.",
  "aliases": ["EEF-CVE-2026-49755", "GHSA-655f-mp8p-96gv"],
  "modified": "2026-06-18T03:56:49.784460461Z",
  "published": "2026-06-08T15:20:57.415Z",
  "database_specific": {
    "cna_assigner": "EEF",
    "unresolved_ranges": [
      {
        "source": "AFFECTED_FIELD",
        "extracted_events": [
          {"introduced": "e37753741cbdc725e6aba3d977b380163bfc0ecb"},
          {"fixed": "84977e5b1a83f26e749d55ad06e3625464af4e8d"}
        ]
      }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/49xxx/CVE-2026-49755.json",
    "cwe_ids": ["CWE-409"]
  },
  "references": [
    {"type": "WEB", "url": "https://cna.erlef.org/cves/CVE-2026-49755.html"},
    {"type": "WEB", "url": "https://github.com"},
    {"type": "WEB", "url": "https://osv.dev/vulnerability/EEF-CVE-2026-49755"},
    {"type": "WEB", "url": "https://repo.hex.pm"},
    {"type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/49xxx/CVE-2026-49755.json"},
    {"type": "ADVISORY", "url": "https://github.com/wojtekmach/req/security/advisories/GHSA-655f-mp8p-96gv"},
    {"type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49755"},
    {"type": "FIX", "url": "https://github.com/wojtekmach/req/commit/84977e5b1a83f26e749d55ad06e3625464af4e8d"},
    {"type": "PACKAGE", "url": "https://github.com/wojtekmach/req"},
    {"type": "PACKAGE", "url": "https://github.com/wojtekmach/req.git"}
  ],
  "affected": [
    {
      "ranges": [
        {
          "type": "GIT",
          "repo": "https://github.com/wojtekmach/req",
          "events": [
            {"introduced": "ce7113a52efd04012c6f9e8d0b8267439f5fd6b8"},
            {"fixed": "36a82523e864739787340604f65ecce26699a0a9"},
            {"fixed": "84977e5b1a83f26e749d55ad06e3625464af4e8d"}
          ],
          "database_specific": {
            "source": ["DESCRIPTION", "REFERENCES"],
            "extracted_events": [{"introduced": "0.1.0"}, {"fixed": "0.6.1"}]
          }
        }
      ],
      "versions": ["v0.6.0", "v0.5.18", "v0.5.17", "v0.5.16", "v0.5.14", "v0.5.13", "v0.5.12", "v0.5.11", "v0.5.10", "v0.5.9", "v0.5.8", "v0.5.7", "v0.5.6", "v0.5.5", "v0.5.4", "v0.5.3", "v0.5.2", "v0.5.1", "v0.5.0", "v0.4.14", "v0.4.13", "v0.4.12", "v0.4.11", "v0.4.10", "v0.4.9", "v0.4.8", "v0.4.7", "v0.4.6", "v0.4.5", "v0.4.4", "v0.3.11", "v0.4.3", "v0.4.2", "v0.4.1", "v0.4.0", "v0.3.10", "v0.3.9", "v0.3.8", "v0.3.7", "v0.3.6", "v0.3.5", "v0.3.4", "v0.3.3", "v0.3.2", "v0.3.1", "v0.3.0", "v0.2.1", "v0.2.0", "v0.1.1", "v0.1.0"],
      "database_specific": {"source": "https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-49755.json"}
    }
  ],
  "schema_version": "1.7.5",
  "severity": [{"type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"}]
}