{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/erlang/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["bandit (\u003e= 0.5.8, \u003c 1.11.0)"],"_cs_severities":["high"],"_cs_tags":["websocket","denial-of-service","erlang"],"_cs_type":"advisory","_cs_vendors":["Erlang"],"content_html":"\u003cp\u003eBandit, a web server for the Erlang ecosystem, is vulnerable to a denial-of-service (DoS) attack. The vulnerability exists in versions 0.5.8 before 1.11.0 when the \u003ccode\u003epermessage-deflate\u003c/code\u003e WebSocket extension is enabled. An unauthenticated client can send a small, specially crafted compressed WebSocket frame that, when decompressed, expands to a significantly larger size, exhausting the server\u0026rsquo;s memory. This occurs because the inflate step within Bandit lacks an output-size cap. This vulnerability affects applications that have explicitly enabled \u003ccode\u003ecompress: true\u003c/code\u003e when upgrading a connection to a WebSocket, as stock Phoenix and LiveView apps default to \u003ccode\u003ecompress: false\u003c/code\u003e. 
The attack occurs before any application-level code execution, making it difficult to mitigate without patching the Bandit library itself.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated client establishes a TCP connection to the Bandit server.\u003c/li\u003e\n\u003cli\u003eThe client sends a WebSocket handshake request with \u003ccode\u003eSec-WebSocket-Extensions: permessage-deflate\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Bandit server negotiates the \u003ccode\u003epermessage-deflate\u003c/code\u003e extension if both \u003ccode\u003ewebsocket_options.compress\u003c/code\u003e and \u003ccode\u003econnection_opts.compress\u003c/code\u003e are true.\u003c/li\u003e\n\u003cli\u003eThe client sends a WebSocket text frame with the RSV1 bit set to 1, indicating compressed data. The compressed frame is crafted to have a high compression ratio (e.g., 1024:1).\u003c/li\u003e\n\u003cli\u003eThe Bandit server receives the compressed frame and begins decompression using \u003ccode\u003e:zlib.inflate/2\u003c/code\u003e in \u003ccode\u003elib/bandit/websocket/permessage_deflate.ex\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe inflation process lacks any output-size limit, allowing the decompressed data to grow unbounded in memory.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eIO.iodata_to_binary/1\u003c/code\u003e materializes the entire decompressed payload into a single binary in the connection process\u0026rsquo;s heap.\u003c/li\u003e\n\u003cli\u003eThe server exhausts its available memory, leading to a denial-of-service condition as the BEAM process is OOM-killed or becomes unresponsive.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation results in a denial-of-service condition, potentially crashing the BEAM and rendering the Bandit-fronted application unavailable. 
A single, small compressed frame (~6MiB in the provided PoC) is sufficient to trigger the vulnerability, and concurrent connections will amplify the impact linearly. Applications that have enabled permessage-deflate for bandwidth savings are particularly at risk, as they may not be aware of the inherent unbounded-inflate DoS. This can affect any service using the Bandit web server that explicitly enables the \u003ccode\u003ecompress\u003c/code\u003e option, leading to potential service outages.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDisable the \u003ccode\u003ecompress: true\u003c/code\u003e option when calling \u003ccode\u003eWebSockAdapter.upgrade/4\u003c/code\u003e as a temporary workaround to mitigate the vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor process memory usage on systems running Bandit web servers, looking for sudden and significant increases, particularly after WebSocket connections are established. 
Consider creating a Sigma rule for this behavior based on process memory metrics.\u003c/li\u003e\n\u003cli\u003eUpgrade to Bandit version 1.11.0 or later, once available; that release addresses the vulnerability with the suggested fix: \u0026ldquo;thread a maximum-output-size through to inflate and either error out or return resumable chunks once exceeded, mirroring how the HTTP content-length path bounds reads via \u003ccode\u003e:length\u003c/code\u003e.\u0026rdquo;\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule detecting WebSocket handshakes with \u003ccode\u003epermessage-deflate\u003c/code\u003e to identify potentially vulnerable configurations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-07T03:36:13Z","date_published":"2026-05-07T03:36:13Z","id":"/briefs/2026-05-bandit-websocket-inflate-dos/","summary":"Bandit versions 0.5.8 before 1.11.0 are vulnerable to denial of service when permessage-deflate is enabled, allowing an unauthenticated client to exhaust the BEAM's memory with a single, small, compressed WebSocket frame due to unbounded decompression.","title":"Bandit WebSocket permessage-deflate unbounded inflate leads to DoS","url":"https://feed.craftedsignal.io/briefs/2026-05-bandit-websocket-inflate-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Erlang","version":"https://jsonfeed.org/version/1.1"}