<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Elixir-Tesla - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/elixir-tesla/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 10 Jul 2026 00:08:28 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/elixir-tesla/feed.xml" rel="self" type="application/rss+xml"/><item><title>Tesla Elixir Client Decompression Bomb (CVE-2026-48594)</title><link>https://feed.craftedsignal.io/briefs/2026-07-tesla-decompression-bomb/</link><pubDate>Fri, 10 Jul 2026 00:08:28 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-tesla-decompression-bomb/</guid><description>A critical vulnerability, CVE-2026-48594, in the Tesla Elixir HTTP client library allows an attacker to cause a denial of service by serving a specially crafted HTTP response with multiple `content-encoding` headers that, when processed by vulnerable versions (0.6.0 through 1.18.2) of the client using `Tesla.Middleware.DecompressResponse` or `Tesla.Middleware.Compression`, leads to exponential memory expansion and application crashes.</description><content:encoded><![CDATA[<p>A high-severity vulnerability, tracked as CVE-2026-48594, exists in the Tesla Elixir HTTP client library, specifically affecting versions 0.6.0 through 1.18.2. This flaw, dubbed a &quot;decompression bomb,&quot; can be exploited by an attacker who controls a server that a vulnerable Tesla client contacts, or via a redirect. The vulnerability arises when the <code>Tesla.Middleware.DecompressResponse</code> or <code>Tesla.Middleware.Compression</code> middleware component eagerly decompresses HTTP response bodies without any size limits. An attacker can craft a minuscule gzip-encoded payload coupled with multiple <code>content-encoding</code> headers (e.g., <code>gzip, gzip, gzip, gzip</code>), which, upon recursive decompression, expands exponentially into gigabytes of data on the BEAM heap. This excessive memory consumption inevitably leads to the client application crashing or freezing, effectively causing a denial of service. Defenders must ensure that applications utilizing the affected <code>tesla</code> library are patched to version 1.18.3 or later to mitigate this risk.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains control of a server or compromises a legitimate server that a victim's Tesla client application is likely to contact.</li>
<li>The attacker configures the server to serve a specially crafted HTTP response.</li>
<li>The crafted response includes a tiny gzip-compressed payload that is designed to expand significantly upon decompression.</li>
<li>Crucially, the response features multiple <code>content-encoding</code> headers, such as <code>gzip, gzip, gzip, gzip</code>, to trigger recursive decompression.</li>
<li>A legitimate application, running an affected <code>tesla</code> library version (0.6.0 to 1.18.2) and configured with <code>Tesla.Middleware.DecompressResponse</code> or <code>Tesla.Middleware.Compression</code>, makes an HTTP request to the attacker-controlled server.</li>
<li>The <code>tesla</code> client receives the malicious HTTP response from the attacker's server.</li>
<li>The <code>decompress_body/2</code> function within the <code>tesla</code> middleware attempts to decompress the response recursively for each <code>content-encoding</code> token, without any output size validation.</li>
<li>This process exponentially inflates the small payload into gigabytes of data within the BEAM heap, exhausting the application's memory resources and causing it to crash or freeze, resulting in a denial of service.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The impact of CVE-2026-48594 is a denial of service (DoS) for any application utilizing the affected <code>tesla</code> client library (versions 0.6.0 through 1.18.2) with the <code>Tesla.Middleware.DecompressResponse</code> or <code>Tesla.Middleware.Compression</code> middleware. The attacker's objective is to render the targeted application unusable by forcing it to consume all available memory. A successful attack can lead to application downtime, data processing failures, and disruption of critical services, potentially affecting any sector relying on Elixir applications performing HTTP requests with the vulnerable middleware. This vulnerability carries a high severity CVSS v4.0 score of 8.2.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch CVE-2026-48594</strong> by upgrading the <code>erlang/tesla</code> package to version 1.18.3 or later immediately.</li>
<li>Review applications for the inclusion of <code>Tesla.Middleware.DecompressResponse</code> or <code>Tesla.Middleware.Compression</code> in their Tesla middleware pipeline. If present, ensure they are running patched versions.</li>
<li>Implement application-level monitoring for abnormal and sudden increases in memory consumption by Elixir applications, especially those making outbound HTTP requests, to detect potential exploitation attempts.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>resource-exhaustion</category><category>denial-of-service</category><category>library-vulnerability</category><category>elixir</category></item><item><title>Tesla HTTP Client Library Vulnerable to Atom Exhaustion Leading to Denial of Service (CVE-2026-48597)</title><link>https://feed.craftedsignal.io/briefs/2026-07-tesla-atom-exhaustion/</link><pubDate>Fri, 10 Jul 2026 00:07:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-tesla-atom-exhaustion/</guid><description>A high-severity denial-of-service vulnerability (CVE-2026-48597) in the `Tesla.Adapter.Mint` component of the Elixir Tesla HTTP client library, affecting versions 1.3.0 through 1.18.2, allows an unauthenticated attacker to crash the underlying BEAM VM by supplying untrusted URL schemes, leading to atom exhaustion.</description><content:encoded><![CDATA[<p>An unauthenticated attacker can trigger a remote denial-of-service (DoS) condition in applications utilizing the <code>erlang/tesla</code> HTTP client library, specifically when configured with <code>Tesla.Adapter.Mint</code>. This vulnerability, identified as CVE-2026-48597, affects Tesla versions from 1.3.0 up to 1.18.2. The flaw stems from <code>Tesla.Adapter.Mint.open_conn/2</code> passing untrusted URL schemes directly to <code>String.to_atom/1</code> without validation. As BEAM (Erlang Virtual Machine) atoms are permanent and its atom table has a finite capacity of approximately 1,048,576 entries, repeatedly supplying unique, non-standard URL schemes (e.g., <code>atk1://</code>, <code>atk2://</code>) causes the VM to continuously mint new atoms. This eventually exhausts the atom table, leading to an immediate crash of the Elixir/Erlang VM and consequently, the affected application. This attack requires no special privileges beyond the ability to send HTTP requests to a vulnerable application endpoint that processes user-supplied URLs or leverages <code>Tesla.Middleware.FollowRedirects</code>.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies an application using <code>erlang/tesla</code> versions 1.3.0 through 1.18.2 with <code>Tesla.Adapter.Mint</code> configured, and which exposes an endpoint that processes user-supplied URLs (e.g., a webhook relay, link preview service, or SSRF-style proxy) or includes <code>Tesla.Middleware.FollowRedirects</code> in its pipeline.</li>
<li>The attacker sends an HTTP request to the vulnerable application, including a URL with a novel, non-standard scheme (e.g., <code>atk1://attacker.com/path</code>) in a parameter that the application forwards to the Tesla HTTP client.</li>
<li>The <code>Tesla.Adapter.Mint.open_conn/2</code> function receives this untrusted URL and extracts the scheme (e.g., &quot;atk1&quot;).</li>
<li>The extracted scheme is passed directly to <code>String.to_atom/1</code>, which creates and interns a new, permanent atom in the BEAM VM's atom table.</li>
<li>Although the <code>Mint</code> library subsequently rejects the connection attempt due to the unrecognized scheme, the newly created atom persists in the VM's global atom table.</li>
<li>The attacker repeats steps 2-5, sending approximately 1,000,000 requests, each with a distinct and previously unused URL scheme (e.g., <code>atk2://</code>, <code>atk3://</code>, etc.).</li>
<li>Upon reaching the BEAM VM's atom table capacity limit (roughly 1,048,576 entries), the <code>String.to_atom/1</code> call fails, leading to a fatal error that crashes the entire Elixir/Erlang VM.</li>
<li>The application hosting the Tesla client becomes unavailable, resulting in a remote denial-of-service condition.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This high-severity vulnerability (CVSS v4.0: 8.2) allows an unauthenticated attacker to remotely trigger a complete denial of service for any application using <code>erlang/tesla</code> versions 1.3.0 through 1.18.2 with the <code>Tesla.Adapter.Mint</code> adapter. The attack results in a crash of the underlying BEAM Virtual Machine, making the affected application entirely unavailable. No specific victim count or targeted sectors have been publicly identified, but any Elixir application fitting the criteria that processes untrusted URL input is at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch <code>erlang/tesla</code> to version 1.18.3 or later immediately to remediate CVE-2026-48597.</li>
<li>Review any application features that forward untrusted URLs through <code>Tesla.Adapter.Mint</code> and implement robust input validation or allow-listing for URL schemes before passing them to the Tesla client.</li>
<li>If <code>Tesla.Middleware.FollowRedirects</code> is used in conjunction with untrusted inputs, ensure that redirect targets are properly validated and schemes are restricted to <code>http(s)</code> to prevent exploitation via malicious <code>Location</code> headers.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>denial-of-service</category><category>elixir</category><category>erlang</category><category>vulnerability</category><category>web-application</category></item></channel></rss>