Description
Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-tesla tesla allows a denial of service via decompression bomb in HTTP response bodies.

When Tesla.Middleware.DecompressResponse or Tesla.Middleware.Compression is included in a Tesla middleware pipeline, HTTP response bodies are decompressed eagerly with no size limit. The decompress_body/2 function in lib/tesla/middleware/compression.ex passes the entire response body to :zlib.gunzip/1 or :zlib.unzip/1 without any cap on the output size. Additionally, compression_algorithms/1 splits the content-encoding header on commas and decompress_body/2 recurses once per token, applying a decompression pass on each iteration. A server advertising content-encoding: gzip, gzip, gzip, gzip causes four recursive decompression passes, yielding exponential amplification: each gzip layer can expand its input roughly 1000x, so a payload of a few hundred bytes on the wire inflates to gigabytes of BEAM heap, exhausting memory and crashing or freezing the calling process.

This issue affects tesla: from 0.6.0 before 1.18.3.
Published: 2026-06-02
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises because Tesla’s middleware decompresses HTTP response bodies without imposing any size restriction. When Tesla.Middleware.DecompressResponse or Tesla.Middleware.Compression is used, the decompress_body/2 function hands the entire body to :zlib.gunzip/1 or :zlib.unzip/1 without limiting the expansion. If an attacker supplies a response with repeated gzip layers, each layer can inflate the data roughly 1,000 times, causing the process to consume gigabytes of BEAM heap and eventually crash or become unresponsive. This results in a denial‑of‑service condition for the client process.

Affected Systems

Affected by this flaw are applications that depend on the elixir‑tesla library (the tesla package) in versions from 0.6.0 up to, but not including, 1.18.3; the issue was fixed in 1.18.3. Users running a version in that range should assess whether Tesla.Middleware.DecompressResponse or Tesla.Middleware.Compression is active in their HTTP client pipelines.

Risk and Exploitability

The CVSS score of 8.2 indicates a high‑severity impact, but the EPSS score is not available and the vulnerability is not listed in CISA KEV. The primary attack vector is likely a malicious HTTP response that an application receives. Because the middleware decompresses eagerly, any response with a crafted content‑encoding header such as “gzip, gzip, gzip, gzip” can trigger the recursive decompression and memory exhaustion. No authentication is required, so the attack could be performed by anyone who can send a response to the client.

Generated by OpenCVE AI on June 3, 2026 at 04:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade elixir‑tesla to version 1.18.3 or newer, where decompression size limits are enforced.
  • If upgrade cannot be applied immediately, remove Tesla.Middleware.DecompressResponse or Tesla.Middleware.Compression from the middleware pipeline so responses are not decompressed automatically.
  • Add a response size check before decompression or configure the client to reject responses with content‑encoding headers containing more than a single token to prevent recursive decompression.
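The recursion described above (one decompression pass per content-encoding token, each with no output cap) is what the third recommended action addresses. The following Elixir module is an added example written for this page, not Tesla's own code and not its 1.18.3 fix. It assumes a module name BoundedDecompress and a default budget of 10 MiB, and uses Erlang's streaming :zlib API with :zlib.safeInflate/2 so the inflated size can be checked chunk by chunk instead of handing the whole body to :zlib.gunzip/1 or :zlib.unzip/1. It refuses more than one encoding token outright, and maps gzip to the gzip wrapper (windowBits 31) and deflate to raw inflate (windowBits -15), which is what gunzip/1 and unzip/1 respectively expect.

```elixir
defmodule BoundedDecompress do
  @moduledoc """
  Added example (not Tesla's code): decompress an HTTP response body with a
  hard cap on the inflated size, and refuse stacked content-encoding values.

  :zlib.safeInflate/2 returns after a bounded amount of output, so the running
  total can be checked before the next chunk is produced.
  """

  # Assumed default: 10 MiB of inflated output per response.
  @default_max_bytes 10 * 1024 * 1024

  @doc """
  Returns {:ok, body} or {:error, reason}.
  `content_encoding` is the raw header value, e.g. "gzip" or "gzip, gzip".
  """
  def decompress(body, content_encoding, opts \\ []) when is_binary(body) do
    max_bytes = Keyword.get(opts, :max_bytes, @default_max_bytes)

    tokens =
      content_encoding
      |> String.split(",", trim: true)
      |> Enum.map(&(&1 |> String.trim() |> String.downcase()))

    case tokens do
      [] -> {:ok, body}
      ["identity"] -> {:ok, body}
      [single] -> inflate(body, single, max_bytes)
      # More than one token would mean repeated decompression passes: refuse
      # outright instead of recursing once per token as the vulnerable code did.
      _ -> {:error, {:stacked_content_encoding, tokens}}
    end
  end

  # windowBits 31 = gzip wrapper (what :zlib.gunzip/1 expects);
  # windowBits -15 = raw deflate (what :zlib.unzip/1 expects).
  defp inflate(body, enc, max) when enc in ["gzip", "x-gzip"], do: bounded_inflate(body, 31, max)
  defp inflate(body, "deflate", max), do: bounded_inflate(body, -15, max)
  defp inflate(_body, other, _max), do: {:error, {:unsupported_content_encoding, other}}

  defp bounded_inflate(body, window_bits, max) do
    z = :zlib.open()

    try do
      :ok = :zlib.inflateInit(z, window_bits)
      pump(z, body, [], 0, max)
    rescue
      # Corrupt or truncated streams surface as Erlang errors such as :data_error.
      e in ErlangError -> {:error, {:zlib, e.original}}
    after
      :zlib.close(z)
    end
  end

  # Feed the body once, then keep calling safeInflate/2 with an empty input until
  # it reports :finished. The size check runs on every chunk, so an amplifying
  # payload is cut off long before gigabytes are allocated.
  defp pump(z, input, acc, size, max) do
    {status, chunk} = :zlib.safeInflate(z, input)
    size = size + IO.iodata_length(chunk)

    cond do
      size > max ->
        {:error, {:decompressed_size_exceeded, max}}

      status == :continue ->
        pump(z, <<>>, [acc, chunk], size, max)

      status == :finished ->
        # inflateEnd/1 also checks that the stream reached its end marker.
        :ok = :zlib.inflateEnd(z)
        {:ok, IO.iodata_to_binary([acc, chunk])}
    end
  end
end

# Usage with a constructed, benign body (no bomb is needed to exercise the cap):
# body = :zlib.gzip(String.duplicate("a", 100_000))
# {:ok, _} = BoundedDecompress.decompress(body, "gzip")
# {:error, {:decompressed_size_exceeded, 1024}} =
#   BoundedDecompress.decompress(body, "gzip", max_bytes: 1024)
# {:error, {:stacked_content_encoding, ["gzip", "gzip"]}} =
#   BoundedDecompress.decompress(body, "gzip, gzip")
```

A Tesla user would wire this in as a custom middleware in place of the built-in decompression middleware until the upgrade lands; the budget should be set per client from the largest response the application legitimately expects, since the cap is the whole defence.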

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 02:30:00 +0000

Values added (no values were removed in this entry):

  • Description: the CVE description text shown at the top of this page
  • Title: Decompression bomb in Tesla.Middleware.DecompressResponse and Tesla.Middleware.Compression
  • First Time appeared: Elixir-tesla; Elixir-tesla tesla
  • Weaknesses: CWE-409
  • CPEs: cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:*
  • Vendors & Products: Elixir-tesla; Elixir-tesla tesla
  • References:
  • Metrics: cvssV4_0 {'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-06-02T19:12:25.393Z

Reserved: 2026-05-22T09:36:56.834Z

Link: CVE-2026-48594

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-02T20:16:38.193

Modified: 2026-06-02T20:16:38.193

Link: CVE-2026-48594

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T04:30:05Z

Weaknesses