CVE-2026-39804

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-39804

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-39804.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2026-39804

Aliases

Published

2026-05-01T20:34:24.604Z

Modified

2026-05-18T06:00:06.929470963Z

Severity

8.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

WebSocket permessage-deflate inflate has no output-size cap in bandit

Details

Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion when WebSocket permessage-deflate compression is enabled.

'Elixir.Bandit.WebSocket.PerMessageDeflate':inflate/2 in lib/bandit/websocket/permessagedeflate.ex calls :zlib.inflate/2 with no output-size cap, then materializes the entire decompressed payload as a single binary via IO.iodatatobinary/1. The websocketoptions.maxframesize option only bounds the on-the-wire (compressed) frame size, not the decompressed output. A high-ratio compressed frame (e.g. uniform data at ~1024:1 ratio) can stay well under any wire-size limit while forcing GiB-scale heap allocations in the connection process before any application code runs.

An unauthenticated attacker who can open a WebSocket connection can send a single such frame to exhaust the BEAM node's memory and trigger an OOM kill.

This vulnerability requires both Bandit's server-level websocket_options.compress and the per-upgrade compress: true option passed to WebSockAdapter.upgrade/4 to be enabled. Stock Phoenix and LiveView applications are not affected as they default to compress: false.

This issue affects bandit: from 0.5.9 before 1.11.0.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/39xxx/CVE-2026-39804.json",
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "da4027cff7d2b80319e76fe7a32f84beceec490a"
                },
                {
                    "fixed": "8156921a51e684a951221da7bc30a70a022f722e"
                }
            ]
        }
    ],
    "cna_assigner": "EEF",
    "cwe_ids": [
        "CWE-770"
    ]
}

References

Affected packages

Git / github.com/mtrudel/bandit

Affected ranges

Type: GIT
Repo: https://github.com/mtrudel/bandit
Events: Introduced

81f0928ec9e92bc70354015435896f03393b1c05

Fixed

e62619895d0d2584d7ffa57d43ef6f72437dfaff

Affected versions

0.*

0.5.10

0.5.11

0.5.9

0.6.0

0.6.1

0.6.10

0.6.11

0.6.2

0.6.3

0.6.4

0.6.5

0.6.6

0.6.7

0.6.8

0.6.9

0.7.0

0.7.1

0.7.2

0.7.3

0.7.4

0.7.5

0.7.6

0.7.7

1.*

1.0.0

1.0.0-pre.1

1.0.0-pre.10

1.0.0-pre.11

1.0.0-pre.12

1.0.0-pre.13

1.0.0-pre.14

1.0.0-pre.15

1.0.0-pre.16

1.0.0-pre.17

1.0.0-pre.18

1.0.0-pre.2

1.0.0-pre.3

1.0.0-pre.4

1.0.0-pre.5

1.0.0-pre.6

1.0.0-pre.7

1.0.0-pre.8

1.0.0-pre.9

1.1.0

1.1.1

1.1.2

1.1.3

1.10.0

1.10.1

1.10.2

1.10.3

1.10.4

1.2.0

1.2.3

1.3.0

1.4.0

1.4.1

1.4.2

1.5.0

1.5.1

1.5.2

1.5.3

1.5.4

1.5.5

1.5.6

1.5.7

1.6.0

1.6.1

1.6.10

1.6.11

1.6.2

1.6.3

1.6.4

1.6.5

1.6.6

1.6.7

1.6.8

1.6.9

1.7.0

1.8.0

1.9.0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-39804.json"