CVE-2026-39804

Name of the Vulnerable Software and Affected Versions bandit versions 0.5.9 through 1.10.x

Description An unauthenticated remote attacker can cause a denial of service via memory exhaustion when WebSocket permessage-deflate compression is enabled. The issue occurs because the inflate/2 function in Elixir.Bandit.WebSocket.PerMessageDeflate calls :zlib.inflate/2 without an output-size cap and materializes the decompressed payload as a single binary using IO.iodata to binary/1. While websocket options.max frame size limits the compressed frame size, it does not limit the decompressed output. Consequently, a high-ratio compressed frame can force GiB-scale heap allocations, exhausting the BEAM node's memory and triggering an Out-Of-Memory (OOM) kill. This requires both the server-level websocket options.compress and the per-upgrade compress: true option in WebSockAdapter.upgrade/4 to be enabled.

Recommendations Update to version 1.11.0 or later. As a temporary workaround, do not pass compress: true to WebSockAdapter.upgrade/4 or set it to false to prevent permessage-deflate negotiation.