<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Tesla (&gt;= 0.6.0, &lt; 1.18.3) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/tesla--0.6.0--1.18.3/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 10 Jul 2026 00:08:28 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/tesla--0.6.0--1.18.3/feed.xml" rel="self" type="application/rss+xml"/><item><title>Tesla Elixir Client Decompression Bomb (CVE-2026-48594)</title><link>https://feed.craftedsignal.io/briefs/2026-07-tesla-decompression-bomb/</link><pubDate>Fri, 10 Jul 2026 00:08:28 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-tesla-decompression-bomb/</guid><description>A critical vulnerability, CVE-2026-48594, in the Tesla Elixir HTTP client library allows an attacker to cause a denial of service by serving a specially crafted HTTP response with multiple `content-encoding` headers that, when processed by vulnerable versions (0.6.0 through 1.18.2) of the client using `Tesla.Middleware.DecompressResponse` or `Tesla.Middleware.Compression`, leads to exponential memory expansion and application crashes.</description><content:encoded><![CDATA[<p>A high-severity vulnerability, tracked as CVE-2026-48594, exists in the Tesla Elixir HTTP client library, specifically affecting versions 0.6.0 through 1.18.2. This flaw, dubbed a &quot;decompression bomb,&quot; can be exploited by an attacker who controls a server that a vulnerable Tesla client contacts, or via a redirect. The vulnerability arises when the <code>Tesla.Middleware.DecompressResponse</code> or <code>Tesla.Middleware.Compression</code> middleware component eagerly decompresses HTTP response bodies without any size limits. An attacker can craft a minuscule gzip-encoded payload coupled with multiple <code>content-encoding</code> headers (e.g., <code>gzip, gzip, gzip, gzip</code>), which, upon recursive decompression, expands exponentially into gigabytes of data on the BEAM heap. This excessive memory consumption inevitably leads to the client application crashing or freezing, effectively causing a denial of service. Defenders must ensure that applications utilizing the affected <code>tesla</code> library are patched to version 1.18.3 or later to mitigate this risk.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains control of a server or compromises a legitimate server that a victim's Tesla client application is likely to contact.</li>
<li>The attacker configures the server to serve a specially crafted HTTP response.</li>
<li>The crafted response includes a tiny gzip-compressed payload that is designed to expand significantly upon decompression.</li>
<li>Crucially, the response features multiple <code>content-encoding</code> headers, such as <code>gzip, gzip, gzip, gzip</code>, to trigger recursive decompression.</li>
<li>A legitimate application, running an affected <code>tesla</code> library version (0.6.0 to 1.18.2) and configured with <code>Tesla.Middleware.DecompressResponse</code> or <code>Tesla.Middleware.Compression</code>, makes an HTTP request to the attacker-controlled server.</li>
<li>The <code>tesla</code> client receives the malicious HTTP response from the attacker's server.</li>
<li>The <code>decompress_body/2</code> function within the <code>tesla</code> middleware attempts to decompress the response recursively for each <code>content-encoding</code> token, without any output size validation.</li>
<li>This process exponentially inflates the small payload into gigabytes of data within the BEAM heap, exhausting the application's memory resources and causing it to crash or freeze, resulting in a denial of service.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The impact of CVE-2026-48594 is a denial of service (DoS) for any application utilizing the affected <code>tesla</code> client library (versions 0.6.0 through 1.18.2) with the <code>Tesla.Middleware.DecompressResponse</code> or <code>Tesla.Middleware.Compression</code> middleware. The attacker's objective is to render the targeted application unusable by forcing it to consume all available memory. A successful attack can lead to application downtime, data processing failures, and disruption of critical services, potentially affecting any sector relying on Elixir applications performing HTTP requests with the vulnerable middleware. This vulnerability carries a high severity CVSS v4.0 score of 8.2.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch CVE-2026-48594</strong> by upgrading the <code>erlang/tesla</code> package to version 1.18.3 or later immediately.</li>
<li>Review applications for the inclusion of <code>Tesla.Middleware.DecompressResponse</code> or <code>Tesla.Middleware.Compression</code> in their Tesla middleware pipeline. If present, ensure they are running patched versions.</li>
<li>Implement application-level monitoring for abnormal and sudden increases in memory consumption by Elixir applications, especially those making outbound HTTP requests, to detect potential exploitation attempts.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>resource-exhaustion</category><category>denial-of-service</category><category>library-vulnerability</category><category>elixir</category></item><item><title>Tesla Elixir HTTP Client Header Leak via Case-Sensitive Redirect Filtering (CVE-2026-48595)</title><link>https://feed.craftedsignal.io/briefs/2026-07-tesla-header-leak/</link><pubDate>Fri, 10 Jul 2026 00:07:45 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-tesla-header-leak/</guid><description>A vulnerability in the `Tesla.Middleware.FollowRedirects` component of the `tesla` Elixir HTTP client library allows `Authorization` headers to be leaked during cross-origin redirects due to a case-sensitive comparison, enabling an attacker controlling a redirect destination to receive bearer tokens or other credentials from applications using `tesla` versions 0.6.0 through 1.18.2.</description><content:encoded><![CDATA[<p>A high-severity vulnerability, CVE-2026-48595, has been identified in the <code>tesla</code> Elixir HTTP client library, specifically within its <code>Tesla.Middleware.FollowRedirects</code> component. This flaw impacts versions 0.6.0 up to, but not including, 1.18.3. The middleware is designed to strip sensitive <code>Authorization</code> headers when following cross-origin redirects to prevent credential leakage. However, its internal filter performs a case-sensitive comparison against a lowercase string <code>&quot;authorization&quot;</code>. Because <code>tesla</code> preserves header keys exactly as supplied, applications using the RFC 7235 canonical casing (<code>&quot;Authorization&quot;</code>) bypass this filter entirely. Consequently, if an application sends a request with an <code>Authorization</code> header using canonical casing and is redirected to an attacker-controlled origin, sensitive credentials like bearer tokens can be inadvertently leaked to the attacker. This poses a significant risk to applications relying on <code>tesla</code> for secure HTTP communications.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker establishes control over a web server or service capable of issuing HTTP <code>302</code> redirects to an arbitrary, attacker-controlled domain (e.g., a malicious server, a redirect-open service, or a compromised upstream server).</li>
<li>A victim application, using the <code>tesla</code> Elixir HTTP client library (version 0.6.0 through 1.18.2) with <code>Tesla.Middleware.FollowRedirects</code> enabled, constructs an outbound HTTP request.</li>
<li>The victim application includes an <code>Authorization</code> header with canonical casing (e.g., <code>{&quot;Authorization&quot;, &quot;Bearer &lt;token&gt;&quot;}</code>) for authentication in its request.</li>
<li>The victim application sends its request to an endpoint, which the attacker can influence to issue an HTTP <code>302</code> (or similar redirect status code) pointing to the attacker-controlled domain.</li>
<li>The <code>Tesla.Middleware.FollowRedirects</code> component within the victim application attempts to filter sensitive headers before automatically following the redirect.</li>
<li>Due to a case-sensitive comparison logic (<code>&quot;authorization&quot;</code> vs. <code>&quot;Authorization&quot;</code>), the middleware fails to identify and strip the canonical <code>Authorization</code> header from the outgoing request.</li>
<li>The <code>tesla</code> client follows the redirect and inadvertently includes the sensitive <code>Authorization</code> header, complete with its bearer token or other credentials, in the request to the attacker-controlled domain, leading to credential theft.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The vulnerability carries a high severity (CVSS v4.0: 8.2). Any application utilizing <code>tesla</code> versions 0.6.0 through 1.18.2 with <code>Tesla.Middleware.FollowRedirects</code> and supplying non-lowercase <code>Authorization</code> headers is at risk. Successful exploitation results in the leakage of sensitive credentials, such as bearer tokens, to an attacker-controlled endpoint. This can lead to unauthorized access to systems or data, session hijacking, and further compromise of the victim's environment, directly impacting the confidentiality and integrity of affected applications and their users.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Prioritize upgrading the <code>tesla</code> Elixir HTTP client library to version 1.18.3 or later immediately to remediate CVE-2026-48595.</li>
<li>If immediate patching is not possible, implement the recommended workaround by normalizing all <code>Authorization</code> header keys to lowercase (e.g., <code>&quot;authorization&quot;</code>) before passing them to <code>tesla</code> via <code>Tesla.put_header/3</code> or <code>Tesla.Middleware.Headers</code>.</li>
<li>Review application code for the usage of <code>Tesla.Middleware.FollowRedirects</code> and how <code>Authorization</code> headers are set to identify potentially vulnerable instances.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>credential-access</category><category>exfiltration</category><category>vulnerability</category><category>elixir</category><category>http-client</category></item></channel></rss>