Wojtek Mach

#14674 of 53,630
18.4 Total CVSS
Vulnerabilities · 3
Low 1 · High 2
PT-2026-47332 · 8.2 · 2026-06-08
Req · Req · CVE-2026-49755
**Name of the Vulnerable Software and Affected Versions**
wojtekmach Req versions 0.1.0 through 0.6.0

**Description**
Improper handling of highly compressed data allows attacker-controlled HTTP servers to exhaust memory in a client via decompression-bomb response bodies. The default response pipeline includes the steps `decode_body` and `decompress_body`. The `decode_body` step reads the server-supplied content-type and calls `:zip.extract(body, [:memory])` for application/zip, `:erl_tar.extract({:binary, body}, [:memory])` for application/x-tar, and `:erl_tar.extract({:binary, body}, [:memory, :compressed])` for application/gzip or .tgz. These calls return the full decompressed archive contents in memory with no total size cap. Additionally, `decompress_body` chains the `:zlib`, `:brotli`, and `:ezstd` decoders according to the content-encoding header, so a response can inflate through multiple layers without bound. Because these steps are enabled by default, a small response can expand to multiple gigabytes and crash the BEAM process.

**Recommendations**
Update to version 0.6.1. As a temporary workaround, disable automatic body decoding by passing `decode_body: false` to `Req.new()` or `Req.get!()` for requests that fetch attacker-influenced URLs. To skip the content-encoding decompression pipeline as well, pass `raw: true` so that the response body stays as raw bytes and can be size-checked before decompression.
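The workaround above, carried through as an added example (this is illustrative code, not Req project code): the client fetches the body as raw bytes with `raw: true` and `decode_body: false`, rejects it if the compressed size exceeds a cap, and then inflates it with `:zlib.safeInflate/2` while counting output bytes so that a bomb is cut off at a second cap. The module name, the two limits, and the `max_bytes` option are this example's own choices; the Req option names are the ones given in the advisory.

```elixir
# Added example (not Req project code). Assumes the Req 0.5.x options
# `raw: true` and `decode_body: false` named in the advisory; everything
# else here (module name, limits, option names) is this example's own.
defmodule SafeFetch do
  # Cap on the *compressed* body as received from the server (assumption: 10 MiB).
  @max_compressed 10 * 1024 * 1024
  # Cap on the *decompressed* output we are willing to materialise (assumption: 50 MiB).
  @max_inflated 50 * 1024 * 1024

  # Fetch without any automatic decoding or decompression and enforce the
  # compressed-size cap before anything else touches the body.
  def get_raw(url, opts \\ []) do
    max_bytes = Keyword.get(opts, :max_bytes, @max_compressed)

    # raw: true skips the content-encoding step (zlib/brotli/zstd),
    # decode_body: false skips content-type based decoding (zip/tar/gzip/...).
    resp = Req.get!(url, raw: true, decode_body: false)

    if byte_size(resp.body) > max_bytes do
      {:error, {:too_large, byte_size(resp.body)}}
    else
      {:ok, resp}
    end
  end

  # Inflate a gzip or zlib body, aborting as soon as the output exceeds max_out.
  # Only gzip/deflate is handled here; brotli and zstd bodies would need the
  # equivalent streaming API of their own decoder.
  def inflate_bounded(compressed, max_out \\ @max_inflated) do
    z = :zlib.open()
    # windowBits 47 = 32 + 15: auto-detect a gzip or zlib header.
    :ok = :zlib.inflateInit(z, 47)

    try do
      loop(z, :zlib.safeInflate(z, compressed), [], 0, max_out)
    after
      :zlib.close(z)
    end
  end

  defp loop(_z, {:finished, out}, acc, size, max) do
    if size + IO.iodata_length(out) > max do
      {:error, :decompression_bomb}
    else
      {:ok, IO.iodata_to_binary(Enum.reverse([out | acc]))}
    end
  end

  defp loop(z, {:continue, out}, acc, size, max) do
    size = size + IO.iodata_length(out)

    if size > max do
      {:error, :decompression_bomb}
    else
      # Empty input continues inflating the data already handed to zlib.
      loop(z, :zlib.safeInflate(z, []), [out | acc], size, max)
    end
  end

  # Convenience: fetch, then decompress only if the server said it is gzipped.
  def get_bounded(url, opts \\ []) do
    with {:ok, resp} <- get_raw(url, opts) do
      case Req.Response.get_header(resp, "content-encoding") do
        ["gzip"] -> inflate_bounded(resp.body, Keyword.get(opts, :max_inflated, @max_inflated))
        [] -> {:ok, resp.body}
        other -> {:error, {:unsupported_encoding, other}}
      end
    end
  end
end

# Usage (a URL you control is the only sensible input here):
# SafeFetch.get_bounded("https://example.invalid/report.json.gz", max_bytes: 1_000_000)
```

The two caps are independent on purpose: the compressed cap bounds network and buffer cost, the inflated cap bounds what a bomb can expand to, and `:zlib.safeInflate/2` returns output in chunks so the second check runs before the whole stream is materialised. If the body is an archive rather than a compressed stream, the same idea applies, but `:zip.extract/2` and `:erl_tar.extract/2` with `:memory` have no such chunked interface, so extraction of untrusted archives should go to disk with a per-entry size check instead.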
PT-2026-47333 · 2.1 · 2026-06-08
Req · Req · CVE-2026-49756
**Name of the Vulnerable Software and Affected Versions**
wojtekmach Req versions 0.5.3 through 0.5.9

**Description**
Improper Neutralization of CRLF Sequences, also known as CRLF Injection, allows multipart parameter smuggling through attacker-influenced part metadata. The function `encode_form_part/2` in `lib/req/utils.ex` constructs per-part headers by interpolating the `name`, `filename`, and `content_type` values directly into the content-disposition and content-type lines without escaping or stripping Carriage Return (CR) and Line Feed (LF) characters. A value containing quotes, `\r`, or `\n` can close the quoted value and start a new header line. Furthermore, appending `\r\n--<boundary>` can terminate the current part and prepend a smuggled part. This is especially accessible when the value is a `%File.Stream{}`, because the `filename` defaults to `Path.basename(stream.path)`, and POSIX filenames may contain `\r` and `\n`. Applications forwarding user-controlled filenames, field names, or MIME types through `Req.post/2` with `form_multipart:` enable attackers to inject arbitrary headers or smuggle additional fields and parts into requests sent to downstream services.

**Recommendations**
Update to version 0.6.0. Sanitize attacker-influenced `name`, `filename`, and `content_type` values before passing them to `Req.post/2` with `form_multipart:` by rejecting or stripping any value containing `\r`, `\n`, or quotes. When forwarding uploads, derive the `filename` from a normalized string instead of using `Path.basename/1` on a user-controlled path.
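The sanitization the recommendation asks for, as an added example (illustrative code, not Req project code): `name` and `content_type` are rejected outright if they contain CR, LF, a double quote or NUL, and `filename` is derived from a normalized string rather than from `Path.basename/1` of the user-supplied path. The part shape `{field, {stream, filename: ..., content_type: ...}}` is this example's reading of the `form_multipart:` option and should be checked against the Req version in use; the module and function names are the example's own.

```elixir
# Added example (not Req project code). Validates attacker-influenced
# multipart metadata before it reaches Req.post/2 with form_multipart:.
# The {stream, filename: ..., content_type: ...} value shape is an
# assumption about the Req 0.5.x API; module/function names are ours.
defmodule SafeMultipart do
  # CR and LF end a header line; a double quote closes the quoted value;
  # NUL is never legitimate in a header value.
  @forbidden ["\r", "\n", "\"", "\0"]

  # Reject rather than strip: a value that needed stripping was not a
  # legitimate field name or MIME type in the first place.
  def safe_token(value) when is_binary(value) do
    cond do
      value == "" -> {:error, :empty}
      not String.valid?(value) -> {:error, :invalid_utf8}
      String.contains?(value, @forbidden) -> {:error, {:forbidden_characters, value}}
      true -> {:ok, value}
    end
  end

  def safe_token(_), do: {:error, :not_a_string}

  # Derive a filename from a normalized string: take the last path component,
  # keep only [A-Za-z0-9._-], and fall back to a fixed name when nothing
  # usable remains. CR, LF and quotes cannot survive the replacement.
  def safe_filename(user_supplied) when is_binary(user_supplied) do
    name =
      user_supplied
      |> Path.basename()
      |> String.replace(~r/[^A-Za-z0-9._-]/, "_")

    name = if name in ["", ".", ".."], do: "upload", else: name
    String.slice(name, 0, 255)
  end

  # Build one file part. `stream` is typically File.stream!(path); the
  # filename is taken from opts (or the path), never from stream.path directly.
  def file_part(field, stream, opts \\ []) do
    content_type = Keyword.get(opts, :content_type, "application/octet-stream")

    with {:ok, field} <- safe_token(field),
         {:ok, content_type} <- safe_token(content_type) do
      filename = safe_filename(Keyword.get(opts, :filename, "upload"))
      {:ok, {field, {stream, filename: filename, content_type: content_type}}}
    end
  end

  # Build one plain text part.
  def text_part(field, value) do
    with {:ok, field} <- safe_token(field) do
      {:ok, {field, value}}
    end
  end

  # Post only if every part validated; surface the first rejection otherwise.
  def post(url, part_results) do
    case Enum.find(part_results, &match?({:error, _}, &1)) do
      nil -> Req.post(url, form_multipart: Enum.map(part_results, fn {:ok, p} -> p end))
      {:error, reason} -> {:error, {:rejected_part, reason}}
    end
  end
end

# Usage with a constructed, hostile filename (the kind the advisory describes):
# SafeMultipart.safe_filename("report\r\n--boundary\r\nX-Injected: 1.txt")
# normalises to a single safe token with every CR, LF and space replaced by "_".
# SafeMultipart.safe_token("text\r\nX-Injected: 1") returns {:error, {:forbidden_characters, _}}.
```

Note that `safe_filename/1` is deliberately lossy while `safe_token/1` is strict: a filename only needs to be a usable label on the receiving side, whereas a field name or MIME type that carries control characters indicates the caller is passing through untrusted data and should fail loudly.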