CVE-2026-49755

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-49755
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-49755.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-49755
Aliases
Published
2026-06-08T15:20:57.415Z
Modified
2026-06-18T03:56:49.784460461Z
Severity
  • 8.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Decompression bomb DoS in Req via auto-decoded archive and compressed response bodies
Details

Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in wojtekmach Req allows attacker-controlled HTTP servers to exhaust memory in a Req client via decompression-bomb response bodies.

Req's default response pipeline includes Req.Steps.decodebody/1 and Req.Steps.decompressbody/1 in lib/req/steps.ex. decodebody/1 dispatches on the server-supplied content-type (or URL extension) and calls :zip.extract(body, [:memory]) for application/zip, :erltar.extract({:binary, body}, [:memory]) for application/x-tar, and :erltar.extract({:binary, body}, [:memory, :compressed]) for application/gzip / .tgz. Each returns the full decompressed archive contents as a [{name, bytes}] list in memory, with no per-entry or total size cap. decompressbody/1 walks the content-encoding header and chains :zlib/:brotli/:ezstd decoders, so a response advertising content-encoding: gzip, gzip, gzip inflates through multiple layers without bound.

Both steps are enabled by default, no caller opt-in is required, and the attacker controls the content-type and content-encoding headers on their own server (or on any host reached via Req's automatic redirect following). A sub-megabyte response can expand to multiple gigabytes on the victim, crashing the BEAM process.

This issue affects req: from 0.1.0 before 0.6.1.

Database specific 
{
    "cwe_ids": [
        "CWE-409"
    ],
    "cna_assigner": "EEF",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/49xxx/CVE-2026-49755.json",
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "introduced": "e37753741cbdc725e6aba3d977b380163bfc0ecb"
                },
                {
                    "fixed": "84977e5b1a83f26e749d55ad06e3625464af4e8d"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ]
}
References

Affected packages

Git / github.com/wojtekmach/req

Affected ranges

Type
GIT
Repo
https://github.com/wojtekmach/req
Events
Introduced
ce7113a52efd04012c6f9e8d0b8267439f5fd6b8
Fixed
36a82523e864739787340604f65ecce26699a0a9
Fixed
84977e5b1a83f26e749d55ad06e3625464af4e8d
Database specific 
{
    "extracted_events": [
        {
            "introduced": "0.1.0"
        },
        {
            "fixed": "0.6.1"
        }
    ],
    "source": [
        "DESCRIPTION",
        "REFERENCES"
    ]
}

Affected versions

v0.*
v0.1.0
v0.1.1
v0.2.0
v0.2.1
v0.3.0
v0.3.1
v0.3.10
v0.3.11
v0.3.2
v0.3.3
v0.3.4
v0.3.5
v0.3.6
v0.3.7
v0.3.8
v0.3.9
v0.4.0
v0.4.1
v0.4.10
v0.4.11
v0.4.12
v0.4.13
v0.4.14
v0.4.2
v0.4.3
v0.4.4
v0.4.5
v0.4.6
v0.4.7
v0.4.8
v0.4.9
v0.5.0
v0.5.1
v0.5.10
v0.5.11
v0.5.12
v0.5.13
v0.5.14
v0.5.16
v0.5.17
v0.5.18
v0.5.2
v0.5.3
v0.5.4
v0.5.5
v0.5.6
v0.5.7
v0.5.8
v0.5.9
v0.6.0

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-49755.json"