<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title>Most recent sightings.</title>
    <link>https://vulnerability.circl.lu</link>
    <description>Contains only the most 10 recent sightings.</description>
    <docs>http://www.rssboard.org/rss-specification</docs>
    <generator>python-feedgen</generator>
    <language>en</language>
    <lastBuildDate>Wed, 15 Jul 2026 09:47:11 +0000</lastBuildDate>
    <item>
      <title>8c244bae-314b-4c1d-ab86-046b856743f4</title>
      <link>https://vulnerability.circl.lu/sighting/8c244bae-314b-4c1d-ab86-046b856743f4/export</link>
      <description>{"uuid": "8c244bae-314b-4c1d-ab86-046b856743f4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-mc85-72gr-vm9f", "type": "seen", "source": "https://gist.github.com/alon710/771904cdd1d35750b64c7a038f4ce112", "content": "# CVE-2026-48594: CVE-2026-48594: Decompression Bomb Denial of Service in Elixir Tesla HTTP Client\n\n&amp;gt; **CVSS Score:** 8.2\n&amp;gt; **Published:** 2026-07-10\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-48594\n\n## Summary\nAn improper handling of highly compressed data (decompression bomb) vulnerability exists in the Elixir Tesla HTTP client when utilizing response decompression middlewares. By serving highly compressed responses or stacked content-encoding headers, a malicious server can cause arbitrary heap exhaustion, leading to a denial of service (DoS) crash in the BEAM virtual machine.\n\n## TL;DR\nUnrestricted decompression and recursive codec handling in Tesla's decompression middleware allow remote servers to trigger heap exhaustion and BEAM VM crashes via tiny, highly compressed response payloads.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-409\n- **Attack Vector**: Network\n- **CVSS Score**: 8.2 (High)\n- **EPSS Score**: 0.00329 (Percentile: 24.87%)\n- **Impact**: Denial of Service (OOM Crash)\n- **Exploit Status**: Theoretical / Patch Analysis\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Elixir Applications deploying Tesla client pipelines with DecompressResponse or Compression middleware active.\n- **tesla**: &amp;gt;= 0.6.0, &amp;lt; 1.18.3 (Fixed in: `1.18.3`)\n\n## Mitigation\n\n- Upgrade Tesla dependency to 1.18.3 or higher.\n- Enforce mandatory :max_body_size limits in middleware options.\n- Avoid handling decompression of external data with unconstrained endpoints.\n- Deploy network-level HTTP header filtering to drop stacked Content-Encodings.\n\n**Remediation Steps:**\n1. Open your project mix.exs file and locate the :tesla dependency.\n2. Update the version constraint to {:tesla, \"~&amp;gt; 1.18.3\"} or higher.\n3. Run mix deps.get to download and lock the updated version.\n4. Locate modules utilizing Tesla.Middleware.DecompressResponse or Tesla.Middleware.Compression.\n5. Append max_body_size:  configuration parameter.\n6. Re-compile and run test suites to ensure integration compatibility.\n\n## References\n\n- [GitHub Advisory GHSA-mc85-72gr-vm9f](https://github.com/elixir-tesla/tesla/security/advisories/GHSA-mc85-72gr-vm9f)\n- [Official Fix Commit](https://github.com/elixir-tesla/tesla/commit/340f75b5d191dc747ef7ac6365bd002d1cd55a9d)\n- [CVE-2026-48594 Record](https://www.cve.org/CVERecord?id=CVE-2026-48594)\n- [NVD CVE-2026-48594 Details](https://nvd.nist.gov/vuln/detail/CVE-2026-48594)\n- [EEF/CNA Advisory Portal](https://cna.erlef.org/cves/CVE-2026-48594.html)\n- [OSV Entry for EEF-CVE-2026-48594](https://osv.dev/vulnerability/EEF-CVE-2026-48594)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-48594) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-10T02:12:08.065396Z"}</description>
      <content:encoded>{"uuid": "8c244bae-314b-4c1d-ab86-046b856743f4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-mc85-72gr-vm9f", "type": "seen", "source": "https://gist.github.com/alon710/771904cdd1d35750b64c7a038f4ce112", "content": "# CVE-2026-48594: CVE-2026-48594: Decompression Bomb Denial of Service in Elixir Tesla HTTP Client\n\n&amp;gt; **CVSS Score:** 8.2\n&amp;gt; **Published:** 2026-07-10\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-48594\n\n## Summary\nAn improper handling of highly compressed data (decompression bomb) vulnerability exists in the Elixir Tesla HTTP client when utilizing response decompression middlewares. By serving highly compressed responses or stacked content-encoding headers, a malicious server can cause arbitrary heap exhaustion, leading to a denial of service (DoS) crash in the BEAM virtual machine.\n\n## TL;DR\nUnrestricted decompression and recursive codec handling in Tesla's decompression middleware allow remote servers to trigger heap exhaustion and BEAM VM crashes via tiny, highly compressed response payloads.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-409\n- **Attack Vector**: Network\n- **CVSS Score**: 8.2 (High)\n- **EPSS Score**: 0.00329 (Percentile: 24.87%)\n- **Impact**: Denial of Service (OOM Crash)\n- **Exploit Status**: Theoretical / Patch Analysis\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Elixir Applications deploying Tesla client pipelines with DecompressResponse or Compression middleware active.\n- **tesla**: &amp;gt;= 0.6.0, &amp;lt; 1.18.3 (Fixed in: `1.18.3`)\n\n## Mitigation\n\n- Upgrade Tesla dependency to 1.18.3 or higher.\n- Enforce mandatory :max_body_size limits in middleware options.\n- Avoid handling decompression of external data with unconstrained endpoints.\n- Deploy network-level HTTP header filtering to drop stacked Content-Encodings.\n\n**Remediation Steps:**\n1. Open your project mix.exs file and locate the :tesla dependency.\n2. Update the version constraint to {:tesla, \"~&amp;gt; 1.18.3\"} or higher.\n3. Run mix deps.get to download and lock the updated version.\n4. Locate modules utilizing Tesla.Middleware.DecompressResponse or Tesla.Middleware.Compression.\n5. Append max_body_size:  configuration parameter.\n6. Re-compile and run test suites to ensure integration compatibility.\n\n## References\n\n- [GitHub Advisory GHSA-mc85-72gr-vm9f](https://github.com/elixir-tesla/tesla/security/advisories/GHSA-mc85-72gr-vm9f)\n- [Official Fix Commit](https://github.com/elixir-tesla/tesla/commit/340f75b5d191dc747ef7ac6365bd002d1cd55a9d)\n- [CVE-2026-48594 Record](https://www.cve.org/CVERecord?id=CVE-2026-48594)\n- [NVD CVE-2026-48594 Details](https://nvd.nist.gov/vuln/detail/CVE-2026-48594)\n- [EEF/CNA Advisory Portal](https://cna.erlef.org/cves/CVE-2026-48594.html)\n- [OSV Entry for EEF-CVE-2026-48594](https://osv.dev/vulnerability/EEF-CVE-2026-48594)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-48594) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-10T02:12:08.065396Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/8c244bae-314b-4c1d-ab86-046b856743f4/export</guid>
      <pubDate>Fri, 10 Jul 2026 02:12:08 +0000</pubDate>
    </item>
  </channel>
</rss>
