Skip to content
Threat Feed

Tag

Elixir

5 briefs RSS
medium advisory

Tesla Elixir Client Decompression Bomb (CVE-2026-48594)

A critical vulnerability, CVE-2026-48594, in the Tesla Elixir HTTP client library allows an attacker to cause a denial of service by serving a specially crafted HTTP response with multiple `content-encoding` headers that, when processed by vulnerable versions (0.6.0 through 1.18.2) of the client using `Tesla.Middleware.DecompressResponse` or `Tesla.Middleware.Compression`, leads to exponential memory expansion and application crashes.

tesla resource-exhaustion denial-of-service library-vulnerability elixir
1t 1c
high advisory

Tesla Elixir HTTP Client Header Leak via Case-Sensitive Redirect Filtering (CVE-2026-48595)

A vulnerability in the `Tesla.Middleware.FollowRedirects` component of the `tesla` Elixir HTTP client library allows `Authorization` headers to be leaked during cross-origin redirects due to a case-sensitive comparison, enabling an attacker controlling a redirect destination to receive bearer tokens or other credentials from applications using `tesla` versions 0.6.0 through 1.18.2.

tesla credential-access exfiltration vulnerability elixir http-client
2t 1c
medium advisory

Tesla HTTP Client Library Vulnerable to Atom Exhaustion Leading to Denial of Service (CVE-2026-48597)

A high-severity denial-of-service vulnerability (CVE-2026-48597) in the `Tesla.Adapter.Mint` component of the Elixir Tesla HTTP client library, affecting versions 1.3.0 through 1.18.2, allows an unauthenticated attacker to crash the underlying BEAM VM by supplying untrusted URL schemes, leading to atom exhaustion.

tesla denial-of-service elixir erlang vulnerability web-application
1t 1c
medium advisory

Mint HTTP/2 Client Vulnerable to Unbounded CONTINUATION Frame Accumulation (CVE-2026-49754)

A malicious or compromised HTTP/2 server can exploit CVE-2026-49754 in the Elixir Mint HTTP/2 client by sending an endless chain of CONTINUATION frames without an END_HEADERS flag, leading to unbounded memory accumulation, process exhaustion, and remote unauthenticated denial-of-service.

Mint http/2 denial-of-service vulnerability elixir
1t 1c
medium advisory

Mint HTTP/2 Client Unbounded Stream Map Growth Denial-of-Service (CVE-2026-48862)

A malicious or compromised HTTP/2 server can exploit CVE-2026-48862 in Mint HTTP/2 clients by flooding them with PUSH_PROMISE frames and withholding corresponding HEADERS, leading to unbounded memory consumption and denial-of-service.

Mint denial-of-service http/2 elixir client-side vulnerability
1t 1c