{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-49755: Decompression bomb DoS in Req via auto-decoded archive and compressed response bodies","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-49755","status":"final","version":"1","initial_release_date":"2026-06-08T15:20:57.415Z","current_release_date":"2026-06-08T17:14:08.858Z","revision_history":[{"date":"2026-06-08T15:20:57.415Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in wojtekmach Req allows attacker-controlled HTTP servers to exhaust memory in a Req client via decompression-bomb response bodies.\n\nReq's default response pipeline includes Req.Steps.decode_body/1 and Req.Steps.decompress_body/1 in lib/req/steps.ex. decode_body/1 dispatches on the server-supplied content-type (or URL extension) and calls :zip.extract(body, [:memory]) for application/zip, :erl_tar.extract({:binary, body}, [:memory]) for application/x-tar, and :erl_tar.extract({:binary, body}, [:memory, :compressed]) for application/gzip / .tgz. Each returns the full decompressed archive contents as a [{name, bytes}] list in memory, with no per-entry or total size cap. decompress_body/1 walks the content-encoding header and chains :zlib/:brotli/:ezstd decoders, so a response advertising content-encoding: gzip, gzip, gzip inflates through multiple layers without bound.\n\nBoth steps are enabled by default, no caller opt-in is required, and the attacker controls the content-type and content-encoding headers on their own server (or on any host reached via Req's automatic redirect following). A sub-megabyte response can expand to multiple gigabytes on the victim, crashing the BEAM process.\n\nThis issue affects req: from 0.1.0 before 0.6.1.","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-49755 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-49755"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-49755"},{"category":"external","summary":"github.com","url":"https://github.com/wojtekmach/req/security/advisories/GHSA-655f-mp8p-96gv"},{"category":"external","summary":"cna.erlef.org","url":"https://cna.erlef.org/cves/CVE-2026-49755.html"},{"category":"external","summary":"osv.dev","url":"https://osv.dev/vulnerability/EEF-CVE-2026-49755"},{"category":"external","summary":"github.com","url":"https://github.com/wojtekmach/req/commit/84977e5b1a83f26e749d55ad06e3625464af4e8d"}]},"product_tree":{"branches":[{"category":"vendor","name":"wojtekmach","branches":[{"category":"product_name","name":"req","branches":[{"category":"product_version_range","name":">=0.1.0 <0.6.1","product":{"name":"wojtekmach req >=0.1.0 <0.6.1","product_id":"CSAFPID-1","product_identification_helper":{"cpe":"cpe:2.3:a:wojtekmach:req:*:*:*:*:*:*:*:*"}}}]}]},{"category":"vendor","name":"wojtekmach","branches":[{"category":"product_name","name":"req","branches":[{"category":"product_version_range","name":">=e37753741cbdc725e6aba3d977b380163bfc0ecb <84977e5b1a83f26e749d55ad06e3625464af4e8d","product":{"name":"wojtekmach req >=e37753741cbdc725e6aba3d977b380163bfc0ecb <84977e5b1a83f26e749d55ad06e3625464af4e8d","product_id":"CSAFPID-2","product_identification_helper":{"cpe":"cpe:2.3:a:wojtekmach:req:*:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-49755","title":"Decompression bomb DoS in Req via auto-decoded archive and compressed response bodies","notes":[{"category":"description","text":"Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in wojtekmach Req allows attacker-controlled HTTP servers to exhaust memory in a Req client via decompression-bomb response bodies.\n\nReq's default response pipeline includes Req.Steps.decode_body/1 and Req.Steps.decompress_body/1 in lib/req/steps.ex. decode_body/1 dispatches on the server-supplied content-type (or URL extension) and calls :zip.extract(body, [:memory]) for application/zip, :erl_tar.extract({:binary, body}, [:memory]) for application/x-tar, and :erl_tar.extract({:binary, body}, [:memory, :compressed]) for application/gzip / .tgz. Each returns the full decompressed archive contents as a [{name, bytes}] list in memory, with no per-entry or total size cap. decompress_body/1 walks the content-encoding header and chains :zlib/:brotli/:ezstd decoders, so a response advertising content-encoding: gzip, gzip, gzip inflates through multiple layers without bound.\n\nBoth steps are enabled by default, no caller opt-in is required, and the attacker controls the content-type and content-encoding headers on their own server (or on any host reached via Req's automatic redirect following). A sub-megabyte response can expand to multiple gigabytes on the victim, crashing the BEAM process.\n\nThis issue affects req: from 0.1.0 before 0.6.1.","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1","CSAFPID-2"]},"scores":[{"cvss_v4":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N","baseScore":8.2,"baseSeverity":"HIGH"},"products":["CSAFPID-1","CSAFPID-2"]}],"remediations":[{"category":"vendor_fix","details":"Update to a fixed version: 0.6.1, 84977e5b1a83f26e749d55ad06e3625464af4e8d.","product_ids":["CSAFPID-1","CSAFPID-2"],"url":"https://github.com/wojtekmach/req/commit/84977e5b1a83f26e749d55ad06e3625464af4e8d"}]}]}