Description
Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in wojtekmach Req allows attacker-controlled HTTP servers to exhaust memory in a Req client via decompression-bomb response bodies.

Req's default response pipeline includes Req.Steps.decode_body/1 and Req.Steps.decompress_body/1 in lib/req/steps.ex. decode_body/1 dispatches on the server-supplied content-type (or URL extension) and calls :zip.extract(body, [:memory]) for application/zip, :erl_tar.extract({:binary, body}, [:memory]) for application/x-tar, and :erl_tar.extract({:binary, body}, [:memory, :compressed]) for application/gzip / .tgz. Each returns the full decompressed archive contents as a [{name, bytes}] list in memory, with no per-entry or total size cap. decompress_body/1 walks the content-encoding header and chains :zlib/:brotli/:ezstd decoders, so a response advertising content-encoding: gzip, gzip, gzip inflates through multiple layers without bound.

Both steps are enabled by default, no caller opt-in is required, and the attacker controls the content-type and content-encoding headers on their own server (or on any host reached via Req's automatic redirect following). A sub-megabyte response can expand to multiple gigabytes on the victim, crashing the BEAM process.

This issue affects req: from 0.1.0 before 0.6.1.
Published: 2026-06-08
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker-controlled HTTP server to send response bodies that decompress to an excessively large amount of data, exhausting the memory of a Req client process. Req automatically decodes archive formats such as ZIP, TAR, and GZIP and decompresses content-encoding chains, but the default pipelines have no limits on either the number of entries or the total size of the decompressed data. By controlling the Content-Type or Content-Encoding headers, an attacker can cause a sub-megabyte response to inflate to several gigabytes, leading to a denial-of-service crash of the BEAM process.

Affected Systems

The issue affects the wojtekmach Req HTTP client, an Elixir library used in many projects. All releases from version 0.1.0 up to, but not including, 0.6.1 are vulnerable. The library is identified in CNA data as wojtekmach:req.

Risk and Exploitability

The CVSS v4.0 base score of 8.2 (High) reflects a network-reachable, low-complexity attack that needs no privileges or user interaction and affects availability only (VC:N/VI:N/VA:H); the AT:P component records the one precondition, that the client must fetch a URL the attacker controls or can redirect it to. EPSS data is currently unavailable, and the vulnerability is not listed in the CISA KEV catalog. An attacker triggers the bug by hosting a crafted Zip, Tar, or Gzip payload served with a matching Content-Type, or by chaining multiple gzip values in Content-Encoding. The exploit is remote, requires no privileged access to the client, and can be performed by any network attacker able to influence the server's response, including one who controls a redirect target.

Generated by OpenCVE AI on June 8, 2026 at 16:38 UTC.

Remediation

Vendor Workaround

Disable Req's automatic body decoding on requests that fetch attacker-influenced URLs by passing decode_body: false to Req.new/1 / Req.get!/1; this skips the archive extraction in decode_body/1 but leaves the content-encoding handling in decompress_body/1 active. To skip both steps, pass raw: true. With either option the response body is left as the raw on-the-wire bytes, so the caller can size-check before any decompression.


OpenCVE Recommended Actions

  • Disable automatic body decoding by passing `decode_body: false` or `raw: true` when creating a Req request such as with `Req.new/1` or `Req.get!/1`.
  • Avoid following automatic redirects to untrusted hosts, or configure Req not to follow redirects (`redirect: false`), since a redirect target controls the response headers just as the origin does.
  • Upgrade to a patched version of Req that removes or limits the unbounded decompression (0.6.1 or later).
  • Consider setting a maximum size for response bodies and processing them in a streaming manner to prevent memory exhaustion.

Generated by OpenCVE AI on June 8, 2026 at 16:38 UTC.
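The following added example is not Req's own code and is not part of the advisory. It puts the vendor workaround and the recommended actions above into one client, and exercises the failure mode the Description calls out (a gzip body that is tiny on the wire but huge once inflated). It fetches with `raw: true` and `redirect: false`, caps the bytes read from the network through Req's streaming `into:` callback, refuses any content-encoding other than a single `gzip` (so a `gzip, gzip, gzip` chain is rejected before any inflation), and inflates through `:zlib.safeInflate/2`, which returns output in bounded pieces so the inflated total can be capped instead of materialised at once as `:zlib.gunzip/1` would do. Assumptions: Req 0.4 or later for the `into:` callback shape and list-valued `Req.Response.get_header/2`, OTP 20.1 or later for `:zlib.safeInflate/2`; the module name `SafeFetch`, the size caps and the bomb built in `demo/0` are illustrative and constructed here.

```elixir
# Added example, not Req's own code. Assumes Req >= 0.4 and OTP >= 20.1.
# Module name and size caps are illustrative.
defmodule SafeFetch do
  @max_wire_bytes 4 * 1024 * 1024       # most we accept from the network
  @max_inflated_bytes 16 * 1024 * 1024  # most we are willing to produce by inflating

  # Fetch `url` without Req's auto-decode pipeline, then decode under our own caps.
  def fetch(url) do
    req =
      Req.new(
        url: url,
        raw: true,         # skip decompress_body and decode_body entirely
        redirect: false,   # do not follow redirects to hosts we did not choose
        into: &collect/2   # stream the body so we can stop reading early
      )

    with {:ok, %Req.Response{} = resp} <- Req.request(req),
         :ok <- check_status(resp),
         :ok <- check_not_truncated(resp),
         {:ok, gzipped?} <- classify_encoding(resp) do
      if gzipped?, do: bounded_gunzip(resp.body, @max_inflated_bytes), else: {:ok, resp.body}
    end
  end

  # Streaming callback: append chunks until the wire cap would be exceeded,
  # then halt and mark the response so fetch/1 refuses it.
  defp collect({:data, chunk}, {req, resp}) do
    body = (resp.body || "") <> chunk

    if byte_size(body) > @max_wire_bytes do
      {:halt, {req, Req.Response.put_private(resp, :truncated, true)}}
    else
      {:cont, {req, %{resp | body: body}}}
    end
  end

  defp check_status(%{status: 200}), do: :ok
  defp check_status(%{status: status}), do: {:error, {:unexpected_status, status}}

  defp check_not_truncated(resp) do
    if resp.private[:truncated], do: {:error, {:wire_size_exceeds, @max_wire_bytes}}, else: :ok
  end

  # Accept only an absent or single "gzip" content-encoding. Chains such as
  # "gzip, gzip, gzip" (the layered inflation in the advisory) are rejected.
  defp classify_encoding(resp) do
    encodings =
      resp
      |> Req.Response.get_header("content-encoding")
      |> Enum.flat_map(&String.split(&1, ","))
      |> Enum.map(&String.trim/1)
      |> Enum.reject(&(&1 == ""))

    case encodings do
      [] -> {:ok, false}
      ["gzip"] -> {:ok, true}
      other -> {:error, {:unsupported_content_encoding, other}}
    end
  end

  # Inflate a gzip body piecewise. :zlib.safeInflate/2 returns after a bounded
  # amount of output, so we can stop at `limit` bytes instead of letting a bomb
  # expand fully in memory.
  def bounded_gunzip(compressed, limit) when is_binary(compressed) do
    z = :zlib.open()

    try do
      :ok = :zlib.inflateInit(z, 31)   # 15 window bits + 16: require a gzip wrapper
      :ok = :zlib.setBufSize(z, 64 * 1024)
      inflate_loop(z, :zlib.safeInflate(z, compressed), [], 0, limit)
    rescue
      e in [ErlangError, ArgumentError] -> {:error, {:corrupt_gzip, e}}
    after
      :zlib.close(z)
    end
  end

  defp inflate_loop(z, {status, out}, acc, produced, limit) do
    produced = produced + IO.iodata_length(out)

    cond do
      produced > limit -> {:error, {:inflated_size_exceeds, limit}}
      status == :finished -> {:ok, IO.iodata_to_binary([acc, out])}
      true -> inflate_loop(z, :zlib.safeInflate(z, []), [acc, out], produced, limit)
    end
  end

  # Offline demonstration with a constructed bomb: 32 MiB of zeros gzip to a
  # few tens of kilobytes (far under the wire cap) yet exceed the inflation cap.
  def demo do
    bomb = :zlib.gzip(:binary.copy(<<0>>, 32 * 1024 * 1024))
    small = :zlib.gzip("hello")

    %{
      bomb_wire_bytes: byte_size(bomb),
      bomb_result: bounded_gunzip(bomb, @max_inflated_bytes),
      small_result: bounded_gunzip(small, @max_inflated_bytes)
    }
  end
end
```

`SafeFetch.demo/0` runs offline and returns `{:error, {:inflated_size_exceeds, _}}` for the bomb and `{:ok, "hello"}` for the small body; `SafeFetch.fetch/1` needs a network target. The two caps are deliberately separate: the wire cap bounds what is held before decoding, the inflation cap bounds what decoding may produce, and neither can be bypassed by the server's choice of Content-Type or Content-Encoding because both of Req's auto-decode steps are switched off.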

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 17:30:00 +0000

  • Metrics added: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 08 Jun 2026 15:45:00 +0000 (initial record)

  • Description added: the CNA description reproduced in full in the Description section above.
  • Title added: Decompression bomb DoS in Req via auto-decoded archive and compressed response bodies
  • First Time appeared: Wojtekmach; Wojtekmach req
  • Weaknesses added: CWE-409
  • CPEs added: cpe:2.3:a:wojtekmach:req:*:*:*:*:*:*:*:*
  • Vendors & Products added: Wojtekmach; Wojtekmach req
  • References: none listed
  • Metrics added: cvssV4_0
    {'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED
Assigner: EEF
Published:
Updated: 2026-06-08T17:14:08.858Z
Reserved: 2026-06-01T13:45:22.448Z
Link: CVE-2026-49755

Vulnrichment

Updated: 2026-06-08T16:49:41.908Z

NVD

Status: Received
Published: 2026-06-08T16:16:43.860
Modified: 2026-06-08T17:16:52.627
Link: CVE-2026-49755

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-08T17:45:16Z

Weaknesses