{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/elixir-tesla/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"id":"CVE-2026-48594"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["tesla (\u003e= 0.6.0, \u003c 1.18.3)"],"_cs_severities":["medium"],"_cs_tags":["resource-exhaustion","denial-of-service","library-vulnerability","elixir"],"_cs_type":"advisory","_cs_vendors":["elixir-tesla"],"content_html":"\u003cp\u003eA high-severity vulnerability, tracked as CVE-2026-48594, exists in the Tesla Elixir HTTP client library, specifically affecting versions 0.6.0 through 1.18.2. This flaw, dubbed a \u0026quot;decompression bomb,\u0026quot; can be exploited by an attacker who controls a server that a vulnerable Tesla client contacts, or via a redirect. The vulnerability arises when the \u003ccode\u003eTesla.Middleware.DecompressResponse\u003c/code\u003e or \u003ccode\u003eTesla.Middleware.Compression\u003c/code\u003e middleware component eagerly decompresses HTTP response bodies without any size limits. An attacker can craft a minuscule gzip-encoded payload coupled with multiple \u003ccode\u003econtent-encoding\u003c/code\u003e headers (e.g., \u003ccode\u003egzip, gzip, gzip, gzip\u003c/code\u003e), which, upon recursive decompression, expands exponentially into gigabytes of data on the BEAM heap. This excessive memory consumption inevitably leads to the client application crashing or freezing, effectively causing a denial of service. Defenders must ensure that applications utilizing the affected \u003ccode\u003etesla\u003c/code\u003e library are patched to version 1.18.3 or later to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains control of a server or compromises a legitimate server that a victim's Tesla client application is likely to contact.\u003c/li\u003e\n\u003cli\u003eThe attacker configures the server to serve a specially crafted HTTP response.\u003c/li\u003e\n\u003cli\u003eThe crafted response includes a tiny gzip-compressed payload that is designed to expand significantly upon decompression.\u003c/li\u003e\n\u003cli\u003eCrucially, the response features multiple \u003ccode\u003econtent-encoding\u003c/code\u003e headers, such as \u003ccode\u003egzip, gzip, gzip, gzip\u003c/code\u003e, to trigger recursive decompression.\u003c/li\u003e\n\u003cli\u003eA legitimate application, running an affected \u003ccode\u003etesla\u003c/code\u003e library version (0.6.0 to 1.18.2) and configured with \u003ccode\u003eTesla.Middleware.DecompressResponse\u003c/code\u003e or \u003ccode\u003eTesla.Middleware.Compression\u003c/code\u003e, makes an HTTP request to the attacker-controlled server.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003etesla\u003c/code\u003e client receives the malicious HTTP response from the attacker's server.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003edecompress_body/2\u003c/code\u003e function within the \u003ccode\u003etesla\u003c/code\u003e middleware attempts to decompress the response recursively for each \u003ccode\u003econtent-encoding\u003c/code\u003e token, without any output size validation.\u003c/li\u003e\n\u003cli\u003eThis process exponentially inflates the small payload into gigabytes of data within the BEAM heap, exhausting the application's memory resources and causing it to crash or freeze, resulting in a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe impact of CVE-2026-48594 is a denial of service (DoS) for any application utilizing the affected \u003ccode\u003etesla\u003c/code\u003e client library (versions 0.6.0 through 1.18.2) with the \u003ccode\u003eTesla.Middleware.DecompressResponse\u003c/code\u003e or \u003ccode\u003eTesla.Middleware.Compression\u003c/code\u003e middleware. The attacker's objective is to render the targeted application unusable by forcing it to consume all available memory. A successful attack can lead to application downtime, data processing failures, and disruption of critical services, potentially affecting any sector relying on Elixir applications performing HTTP requests with the vulnerable middleware. This vulnerability carries a high severity CVSS v4.0 score of 8.2.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-48594\u003c/strong\u003e by upgrading the \u003ccode\u003eerlang/tesla\u003c/code\u003e package to version 1.18.3 or later immediately.\u003c/li\u003e\n\u003cli\u003eReview applications for the inclusion of \u003ccode\u003eTesla.Middleware.DecompressResponse\u003c/code\u003e or \u003ccode\u003eTesla.Middleware.Compression\u003c/code\u003e in their Tesla middleware pipeline. If present, ensure they are running patched versions.\u003c/li\u003e\n\u003cli\u003eImplement application-level monitoring for abnormal and sudden increases in memory consumption by Elixir applications, especially those making outbound HTTP requests, to detect potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-10T00:08:28Z","date_published":"2026-07-10T00:08:28Z","id":"https://feed.craftedsignal.io/briefs/2026-07-tesla-decompression-bomb/","summary":"A critical vulnerability, CVE-2026-48594, in the Tesla Elixir HTTP client library allows an attacker to cause a denial of service by serving a specially crafted HTTP response with multiple `content-encoding` headers that, when processed by vulnerable versions (0.6.0 through 1.18.2) of the client using `Tesla.Middleware.DecompressResponse` or `Tesla.Middleware.Compression`, leads to exponential memory expansion and application crashes.","title":"Tesla Elixir Client Decompression Bomb (CVE-2026-48594)","url":"https://feed.craftedsignal.io/briefs/2026-07-tesla-decompression-bomb/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"id":"CVE-2026-48597"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["tesla (\u003e= 1.3.0, \u003c 1.18.3)"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","elixir","erlang","vulnerability","web-application"],"_cs_type":"advisory","_cs_vendors":["elixir-tesla"],"content_html":"\u003cp\u003eAn unauthenticated attacker can trigger a remote denial-of-service (DoS) condition in applications utilizing the \u003ccode\u003eerlang/tesla\u003c/code\u003e HTTP client library, specifically when configured with \u003ccode\u003eTesla.Adapter.Mint\u003c/code\u003e. This vulnerability, identified as CVE-2026-48597, affects Tesla versions from 1.3.0 up to 1.18.2. The flaw stems from \u003ccode\u003eTesla.Adapter.Mint.open_conn/2\u003c/code\u003e passing untrusted URL schemes directly to \u003ccode\u003eString.to_atom/1\u003c/code\u003e without validation. As BEAM (Erlang Virtual Machine) atoms are permanent and its atom table has a finite capacity of approximately 1,048,576 entries, repeatedly supplying unique, non-standard URL schemes (e.g., \u003ccode\u003eatk1://\u003c/code\u003e, \u003ccode\u003eatk2://\u003c/code\u003e) causes the VM to continuously mint new atoms. This eventually exhausts the atom table, leading to an immediate crash of the Elixir/Erlang VM and consequently, the affected application. This attack requires no special privileges beyond the ability to send HTTP requests to a vulnerable application endpoint that processes user-supplied URLs or leverages \u003ccode\u003eTesla.Middleware.FollowRedirects\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an application using \u003ccode\u003eerlang/tesla\u003c/code\u003e versions 1.3.0 through 1.18.2 with \u003ccode\u003eTesla.Adapter.Mint\u003c/code\u003e configured, and which exposes an endpoint that processes user-supplied URLs (e.g., a webhook relay, link preview service, or SSRF-style proxy) or includes \u003ccode\u003eTesla.Middleware.FollowRedirects\u003c/code\u003e in its pipeline.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP request to the vulnerable application, including a URL with a novel, non-standard scheme (e.g., \u003ccode\u003eatk1://attacker.com/path\u003c/code\u003e) in a parameter that the application forwards to the Tesla HTTP client.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eTesla.Adapter.Mint.open_conn/2\u003c/code\u003e function receives this untrusted URL and extracts the scheme (e.g., \u0026quot;atk1\u0026quot;).\u003c/li\u003e\n\u003cli\u003eThe extracted scheme is passed directly to \u003ccode\u003eString.to_atom/1\u003c/code\u003e, which creates and interns a new, permanent atom in the BEAM VM's atom table.\u003c/li\u003e\n\u003cli\u003eAlthough the \u003ccode\u003eMint\u003c/code\u003e library subsequently rejects the connection attempt due to the unrecognized scheme, the newly created atom persists in the VM's global atom table.\u003c/li\u003e\n\u003cli\u003eThe attacker repeats steps 2-5, sending approximately 1,000,000 requests, each with a distinct and previously unused URL scheme (e.g., \u003ccode\u003eatk2://\u003c/code\u003e, \u003ccode\u003eatk3://\u003c/code\u003e, etc.).\u003c/li\u003e\n\u003cli\u003eUpon reaching the BEAM VM's atom table capacity limit (roughly 1,048,576 entries), the \u003ccode\u003eString.to_atom/1\u003c/code\u003e call fails, leading to a fatal error that crashes the entire Elixir/Erlang VM.\u003c/li\u003e\n\u003cli\u003eThe application hosting the Tesla client becomes unavailable, resulting in a remote denial-of-service condition.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis high-severity vulnerability (CVSS v4.0: 8.2) allows an unauthenticated attacker to remotely trigger a complete denial of service for any application using \u003ccode\u003eerlang/tesla\u003c/code\u003e versions 1.3.0 through 1.18.2 with the \u003ccode\u003eTesla.Adapter.Mint\u003c/code\u003e adapter. The attack results in a crash of the underlying BEAM Virtual Machine, making the affected application entirely unavailable. No specific victim count or targeted sectors have been publicly identified, but any Elixir application fitting the criteria that processes untrusted URL input is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch \u003ccode\u003eerlang/tesla\u003c/code\u003e to version 1.18.3 or later immediately to remediate CVE-2026-48597.\u003c/li\u003e\n\u003cli\u003eReview any application features that forward untrusted URLs through \u003ccode\u003eTesla.Adapter.Mint\u003c/code\u003e and implement robust input validation or allow-listing for URL schemes before passing them to the Tesla client.\u003c/li\u003e\n\u003cli\u003eIf \u003ccode\u003eTesla.Middleware.FollowRedirects\u003c/code\u003e is used in conjunction with untrusted inputs, ensure that redirect targets are properly validated and schemes are restricted to \u003ccode\u003ehttp(s)\u003c/code\u003e to prevent exploitation via malicious \u003ccode\u003eLocation\u003c/code\u003e headers.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-10T00:07:00Z","date_published":"2026-07-10T00:07:00Z","id":"https://feed.craftedsignal.io/briefs/2026-07-tesla-atom-exhaustion/","summary":"A high-severity denial-of-service vulnerability (CVE-2026-48597) in the `Tesla.Adapter.Mint` component of the Elixir Tesla HTTP client library, affecting versions 1.3.0 through 1.18.2, allows an unauthenticated attacker to crash the underlying BEAM VM by supplying untrusted URL schemes, leading to atom exhaustion.","title":"Tesla HTTP Client Library Vulnerable to Atom Exhaustion Leading to Denial of Service (CVE-2026-48597)","url":"https://feed.craftedsignal.io/briefs/2026-07-tesla-atom-exhaustion/"}],"language":"en","title":"CraftedSignal Threat Feed - Elixir-Tesla","version":"https://jsonfeed.org/version/1.1"}