Description
Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion when WebSocket permessage-deflate compression is enabled.

'Elixir.Bandit.WebSocket.PerMessageDeflate':inflate/2 in lib/bandit/websocket/permessage_deflate.ex calls :zlib.inflate/2 with no output-size cap, then materializes the entire decompressed payload as a single binary via IO.iodata_to_binary/1. The websocket_options.max_frame_size option only bounds the on-the-wire (compressed) frame size, not the decompressed output. A high-ratio compressed frame (e.g. uniform data at ~1024:1 ratio) can stay well under any wire-size limit while forcing GiB-scale heap allocations in the connection process before any application code runs.

An unauthenticated attacker who can open a WebSocket connection can send a single such frame to exhaust the BEAM node's memory and trigger an OOM kill.

This vulnerability requires both Bandit's server-level websocket_options.compress and the per-upgrade compress: true option passed to WebSockAdapter.upgrade/4 to be enabled. Stock Phoenix and LiveView applications are not affected as they default to compress: false.

This issue affects bandit: from 0.5.9 before 1.11.0.
Published: 2026-05-01
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Bandit's WebSocket permessage-deflate inflate path uses :zlib.inflate/2 without an output-size cap, resulting in unbounded memory allocation when a high-ratio compressed frame is received. An attacker can send a single compressed frame under any configured on-wire size limit yet trigger gigabyte-scale heap allocations, exhausting the BEAM node's memory and causing an OOM kill. The flaw is a classic allocation of resources without limits or throttling (CWE-770).

Affected Systems

The vulnerability affects Bandit versions from 0.5.9 up to, but not including, 1.11.0. The flaw exists only when the server-level websocket_options.compress is enabled and the WebSockAdapter.upgrade/4 call includes compress: true. Default Phoenix and LiveView applications are not impacted because they default to compress: false.

Risk and Exploitability

The CVSS score of 8.2 indicates high severity, and exploitation requires only an unauthenticated WebSocket connection. No EPSS score is available and it is not listed in the CISA KEV catalog, but the absence of authentication and the ability to exhaust memory with a single frame make a successful denial of service straightforward for anyone able to open a WebSocket connection to a vulnerable Bandit instance.

Generated by OpenCVE AI on May 2, 2026 at 06:58 UTC.

Remediation

Vendor Workaround

Do not pass compress: true to WebSockAdapter.upgrade/4. Omitting this option (or setting it to false) prevents permessage-deflate from being negotiated, so the inflate path is never reached.
OpenCVE Recommended Actions

  • Update Bandit to version 1.11.0 or later, which removes the unbounded inflate path.
  • If an upgrade is not yet possible, configure Bandit to disable WebSocket permessage-deflate by setting websocket_options.compress to false at the server level.
  • When creating a WebSocket upgrade, avoid passing compress: true to WebSockAdapter.upgrade/4; use compress: false or omit the option.
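As an added example (not Bandit's, WebSockAdapter's or the advisory's own code), the two settings the vendor workaround and the recommended actions name, placed where they live in a Bandit application, followed by an illustration of what an output-size cap on inflate looks like. MyApp.Router, MyApp.SocketHandler, port 4000, the 1 MB frame limit, the 16 KiB chunk size and the capped-inflate helper are assumed names and values, not Bandit's actual 1.11.0 fix.

```elixir
defmodule MyApp.Application do
  use Application

  def start(_type, _args) do
    children = [
      # Server-level switch: with compress: false the permessage-deflate
      # inflate path is unreachable no matter what an individual upgrade asks for.
      {Bandit,
       plug: MyApp.Router,
       scheme: :http,
       port: 4000,
       websocket_options: [compress: false, max_frame_size: 1_000_000]}
    ]
    Supervisor.start_link(children, strategy: :one_for_one)
  end
end

defmodule MyApp.Router do
  use Plug.Router
  plug :match
  plug :dispatch

  get "/ws" do
    # Per-upgrade switch (the vendor workaround): pass compress: false or omit
    # it, so max_frame_size really bounds what this connection process holds.
    WebSockAdapter.upgrade(conn, MyApp.SocketHandler, %{}, compress: false)
  end
end

defmodule MyApp.CappedInflate do
  # What an output-size cap looks like (illustration only, not the 1.11.0 fix):
  # inflate raw deflate data in bounded chunks and abort as soon as the running
  # total passes max_out, instead of materializing the whole payload at once.
  def inflate(compressed, max_out) do
    z = :zlib.open()
    :zlib.inflateInit(z, -15)
    :zlib.setBufSize(z, 16_384)
    result = loop(z, :zlib.safeInflate(z, compressed), [], 0, max_out)
    :zlib.close(z)
    result
  end

  defp loop(_z, {_tag, chunk}, _acc, size, max_out)
       when size + IO.iodata_length(chunk) > max_out,
       do: {:error, :too_large}
  defp loop(_z, {:finished, chunk}, acc, _size, _max_out),
    do: {:ok, IO.iodata_to_binary([acc, chunk])}
  defp loop(z, {:continue, chunk}, acc, size, max_out),
    do: loop(z, :zlib.safeInflate(z, []), [acc, chunk], size + IO.iodata_length(chunk), max_out)
end
```

With `compress: false` at either level, a high-ratio frame is rejected by max_frame_size on the wire or arrives uninflated, so the GiB-scale allocation the description warns about never happens.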

Advisories

No advisories yet.

History

Sat, 02 May 2026 02:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 01 May 2026 21:00:00 +0000

Type                 Values Removed   Values Added
Description          -                (identical to the Description section above)
Title                -                WebSocket permessage-deflate inflate has no output-size cap in bandit
First Time appeared  -                Mtrudel; Mtrudel bandit
Weaknesses           -                CWE-770
CPEs                 -                cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*
Vendors & Products   -                Mtrudel; Mtrudel bandit
References           -                -
Metrics              -                cvssV4_0: {'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-05-02T04:17:35.717Z

Reserved: 2026-04-07T12:28:54.916Z

Link: CVE-2026-39804

Vulnrichment

Updated: 2026-05-02T01:19:30.826Z

NVD

Status: Received

Published: 2026-05-01T21:16:16.853

Modified: 2026-05-02T02:16:00.013

Link: CVE-2026-39804

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T07:00:06Z

Weaknesses