CVE-2026-49755: Decompression bomb DoS in Req via auto-decoded archive and compressed response bodies
Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in wojtekmach Req allows attacker-controlled HTTP servers to exhaust memory in a Req client via decompression-bomb response bodies. Req's default response pipeline includes Req.Steps.decode_body/1 and Req.Steps.decompress_body/1 in lib/req/steps.ex. decode_body/1 dispatches on the server-supplied content-type (or URL extension) and calls :zip.extract(body, [:memory]) for application/zip, :erl_tar.extract({:binary, body}, [:memory]) for application/x-tar, and :erl_tar.extract({:binary, body}, [:memory, :compressed]) for application/gzip / .tgz. Each returns the full decompressed archive contents as a [{name, bytes}] list in memory, with no per-entry or total size cap. decompress_body/1 walks the content-encoding header and chains :zlib/:brotli/:ezstd decoders, so a response advertising content-encoding: gzip, gzip, gzip inflates through multiple layers without bound. Both steps are enabled by default, no caller opt-in is required, and the attacker controls the content-type and content-encoding headers on their own server (or on any host reached via Req's automatic redirect following). A sub-megabyte response can expand to multiple gigabytes on the victim, crashing the BEAM process. This issue affects req: from 0.1.0 before 0.6.1.
Metrics
- CVSS v4.0: 8.2
- Severity: HIGH
- Fixed in: 0.6.1
- Affected Products: 2
HarborGuard Analysis
Synopsis
A decompression bomb vulnerability in the Elixir HTTP client library Req allows an attacker-controlled server to exhaust memory in any process using the library as a client. The attack is reachable over the network without authentication, because Req's default response pipeline automatically decompresses archive and encoded response bodies with no size limits. Successful exploitation crashes the BEAM process handling the response, causing a denial of service. A patched-image rebuild at version 0.6.1 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-49755 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle the Req library. Any image found to contain req versions 0.1.0 through 0.6.0 is flagged automatically in the registry and CI pipeline scan results.
HarborGuard scores this CVE at 8.2 HIGH using the CVSS v4.0 vector, and that score is surfaced alongside per-environment compliance policy weighting so teams can calibrate urgency against their own risk thresholds. Triage findings are routed to the appropriate inbox within each customer organization based on image ownership and policy configuration.
A patched-image rebuild pinned to req 0.6.1 (or commit 84977e5b1a83f26e749d55ad06e3625464af4e8d for source-pinned dependencies) becomes available on HarborGuard for every affected image once the fix version is confirmed. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The affected code runs as an HTTP client; the attacker must operate or control an HTTP server reachable over the network from the victim process, including servers reached via automatic redirect following.
- Authentication: Not required
No credentials or account are needed; the attack is delivered via a crafted HTTP response to any outbound request the client makes.
- Victim interaction: Not required
No user action is required; the decompression executes automatically as part of Req's default response pipeline whenever the client receives a response.
- Attack complexity: Low (AC:L in the vector)
The CVSS vector carries AT:P (attack requirements present), meaning the attacker must be in a position to serve or influence the HTTP response, such as operating the target server or sitting on a redirect path, but no race condition or memory-layout knowledge is needed once that position is established.
Blast Radius
- Exhausts heap memory in the BEAM VM process handling the HTTP response, crashing that process.
- A sub-megabyte compressed payload can expand to multiple gigabytes in memory, so a single malicious response is sufficient to trigger the crash.
- Any Elixir application relying on Req for outbound HTTP calls, including background jobs, health checks, and API integrations, is affected if it contacts an attacker-controlled host.
- Service availability is lost for the affected process and any work it was performing; depending on supervision strategy, repeated crashes can take down broader application components.
How HarborGuard Handles This
Available on HarborGuard: images containing req versions 0.1.0 through 0.6.0 are matched against this CVE automatically on every scan cycle. For customers who opt into auto-remediation, HarborGuard rebuilds the image at req 0.6.1, runs regression tests, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy does not permit automatic remediation, the finding is surfaced with severity 8.2 HIGH so teams can prioritize a manual rebuild. As a compensating control before patching, network policy rules that restrict which external hosts application pods may reach can reduce the set of servers capable of delivering a malicious response; egress filtering to allowlisted API endpoints is the most direct mitigation until the patched image is deployed.
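As a client-side compensating control (an added example, not code from the Req project or from this advisory), the module below builds a Req client with raw: true, so the default decompress_body/1 and decode_body/1 steps described above never run, and replaces them with a response step that accepts a single gzip layer, refuses stacked content-encodings, and inflates through :zlib.safeInflate/2 under a hard byte cap. It assumes the Req 0.4+ API (the raw option, Req.Request.prepend_response_steps/2, Req.Response.get_header/2); the module name and the 8 MiB cap are placeholders.

```elixir
defmodule BoundedReq do
  # Added example, not Req project code. Assumes Req >= 0.4 (raw: true option,
  # Req.Request.prepend_response_steps/2, Req.Response.get_header/2); the 8 MiB cap is arbitrary.
  @max_inflated_bytes 8 * 1024 * 1024

  # raw: true disables the default decompress_body/1 and decode_body/1 steps entirely.
  def new(opts \\ []) do
    opts
    |> Keyword.put(:raw, true)
    |> Req.new()
    |> Req.Request.prepend_response_steps(bounded_gunzip: &bounded_gunzip/1)
  end

  # Allow one gzip layer under the cap; stacked codings such as "gzip, gzip, gzip" or anything else fail the request.
  defp bounded_gunzip({request, response}) do
    layers =
      Req.Response.get_header(response, "content-encoding")
      |> Enum.flat_map(&String.split(&1, ","))
      |> Enum.map(&(&1 |> String.trim() |> String.downcase()))
      |> Enum.reject(&(&1 in ["", "identity"]))
    case layers do
      [] -> {request, response}
      [codec] when codec in ["gzip", "x-gzip"] ->
        case inflate_gzip(response.body, @max_inflated_bytes) do
          {:ok, inflated} -> {request, %{response | body: inflated}}
          {:error, reason} -> {request, %RuntimeError{message: "rejected body: #{reason}"}}
        end
      other -> {request, %RuntimeError{message: "rejected content-encoding #{inspect(other)}"}}
    end
  end

  # Inflate in chunks and stop once the running total passes the cap, so a small bomb is
  # never fully materialised. Window bits 31 = 15 + 16 selects gzip framing.
  def inflate_gzip(compressed, cap) when is_binary(compressed) do
    z = :zlib.open()
    :ok = :zlib.inflateInit(z, 31)
    try do
      drain(z, :zlib.safeInflate(z, compressed), [], 0, cap)
    after
      :zlib.close(z)
    end
  end

  defp drain(z, {status, chunk}, acc, total, cap) do
    total = total + IO.iodata_length(chunk)
    cond do
      total > cap -> {:error, :decompression_bomb}
      status == :finished -> {:ok, IO.iodata_to_binary([acc, chunk])}
      true -> drain(z, :zlib.safeInflate(z, <<>>), [acc, chunk], total, cap)
    end
  end
end
```

Archive content-types (zip, tar, tgz) are left as raw bytes for the caller to extract with its own limits, and a rejected response surfaces as {:error, %RuntimeError{}} from Req.request/2 rather than as an unbounded inflate.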
Affected Products
- wojtekmach / req: < 0.6.1 (from 0.1.0)
- wojtekmach / req: < 84977e5b1a83f26e749d55ad06e3625464af4e8d (from e37753741cbdc725e6aba3d977b380163bfc0ecb)
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N