Tesla Elixir Client Decompression Bomb (CVE-2026-48594)
A critical vulnerability, CVE-2026-48594, in the Tesla Elixir HTTP client library allows an attacker to cause a denial of service by serving a specially crafted HTTP response with multiple `content-encoding` headers that, when processed by vulnerable versions (0.6.0 through 1.18.2) of the client using `Tesla.Middleware.DecompressResponse` or `Tesla.Middleware.Compression`, leads to exponential memory expansion and application crashes.
A high-severity vulnerability, tracked as CVE-2026-48594, exists in the Tesla Elixir HTTP client library, specifically affecting versions 0.6.0 through 1.18.2. This flaw, dubbed a "decompression bomb," can be exploited by an attacker who controls a server that a vulnerable Tesla client contacts, or via a redirect. The vulnerability arises when the Tesla.Middleware.DecompressResponse or Tesla.Middleware.Compression middleware component eagerly decompresses HTTP response bodies without any size limits. An attacker can craft a minuscule gzip-encoded payload coupled with multiple content-encoding headers (e.g., gzip, gzip, gzip, gzip), which, upon recursive decompression, expands exponentially into gigabytes of data on the BEAM heap. This excessive memory consumption inevitably leads to the client application crashing or freezing, effectively causing a denial of service. Defenders must ensure that applications utilizing the affected tesla library are patched to version 1.18.3 or later to mitigate this risk.
Attack Chain
- An attacker gains control of a server or compromises a legitimate server that a victim's Tesla client application is likely to contact.
- The attacker configures the server to serve a specially crafted HTTP response.
- The crafted response includes a tiny gzip-compressed payload that is designed to expand significantly upon decompression.
- Crucially, the response features multiple
content-encodingheaders, such asgzip, gzip, gzip, gzip, to trigger recursive decompression. - A legitimate application, running an affected
teslalibrary version (0.6.0 to 1.18.2) and configured withTesla.Middleware.DecompressResponseorTesla.Middleware.Compression, makes an HTTP request to the attacker-controlled server. - The
teslaclient receives the malicious HTTP response from the attacker's server. - The
decompress_body/2function within theteslamiddleware attempts to decompress the response recursively for eachcontent-encodingtoken, without any output size validation. - This process exponentially inflates the small payload into gigabytes of data within the BEAM heap, exhausting the application's memory resources and causing it to crash or freeze, resulting in a denial of service.
Impact
The impact of CVE-2026-48594 is a denial of service (DoS) for any application utilizing the affected tesla client library (versions 0.6.0 through 1.18.2) with the Tesla.Middleware.DecompressResponse or Tesla.Middleware.Compression middleware. The attacker's objective is to render the targeted application unusable by forcing it to consume all available memory. A successful attack can lead to application downtime, data processing failures, and disruption of critical services, potentially affecting any sector relying on Elixir applications performing HTTP requests with the vulnerable middleware. This vulnerability carries a high severity CVSS v4.0 score of 8.2.
Recommendation
- Patch CVE-2026-48594 by upgrading the
erlang/teslapackage to version 1.18.3 or later immediately. - Review applications for the inclusion of
Tesla.Middleware.DecompressResponseorTesla.Middleware.Compressionin their Tesla middleware pipeline. If present, ensure they are running patched versions. - Implement application-level monitoring for abnormal and sudden increases in memory consumption by Elixir applications, especially those making outbound HTTP requests, to detect potential exploitation attempts.