PT-2026-47332 · Req · Req

Peter Ullrich

+1

·

Published

2026-06-08

·

Updated

2026-06-08

·

CVE-2026-49755

CVSS v4.0

8.2

High

Vector AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

wojtekmach Req versions 0.1.0 through 0.6.0
Description

Improper handling of highly compressed data allows an attacker-controlled HTTP server to exhaust memory in the client by serving a decompression-bomb response body. Req's default response pipeline includes the steps decode_body() and decompress_body(). decode_body() dispatches on the server-supplied content-type and calls :zip.extract(body, [:memory]) for application/zip, :erl_tar.extract({:binary, body}, [:memory]) for application/x-tar, and :erl_tar.extract({:binary, body}, [:memory, :compressed]) for application/gzip and .tgz. Each of these calls returns the fully decompressed archive contents in memory with no cap on the total size. decompress_body() additionally chains the :zlib, :brotli and :ezstd decoders according to the content-encoding header, so a response can be inflated through several layers, none of them bounded. Because both steps are enabled by default, a small response can expand to multiple gigabytes. The BEAM has no per-process memory limit by default, so the failed allocation aborts the entire VM, not only the process that issued the request.
Recommendations

Update to version 0.6.1. As a temporary workaround, disable automatic body decoding by passing decode_body: false to Req.new() or Req.get!() for requests that fetch attacker-influenced URLs; this also turns off the step's other decoders (such as JSON), so the caller must decode the body itself. To skip the content-encoding decompression step as well, pass raw: true so the response body stays as raw bytes and can be size-checked before any decompression. Note that checking the size of the raw body bounds only the compressed input: the compression ratio is attacker-controlled, so when the body is decompressed afterwards the output must be capped independently, for example by inflating incrementally and stopping as soon as a limit is exceeded.
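A hardened fetch path that follows the workaround above, as an added example that is not code from the Req project or from this advisory. It assumes the Req option names given in the recommendation (decode_body: false, raw: true) and that Req.get!/2 and Req.Response.get_header/2 behave as in current Req; it uses Erlang's :zlib.safeInflate/2 to inflate in increments so the output cap is enforced before the next chunk is allocated. The module and function names (BoundedFetch, fetch_raw/2, inflate_bounded/2, fetch_and_inflate/3, demo/0) are hypothetical, and the demo builds its own gzip bomb with :zlib.gzip/1 so it runs offline.

```elixir
defmodule BoundedFetch do
  @moduledoc """
  Hypothetical helper (not part of Req): fetch a response body with Req's
  automatic decoding and decompression switched off, then inflate it under a
  hard cap on the decompressed size.
  """

  # Fetch with Req's default decoders disabled:
  #   decode_body: false  skips decode_body/1 (zip, tar, gzip archives, json, ...)
  #   raw: true           skips decompress_body/1 (content-encoding decoders)
  # The compressed body is rejected if it exceeds max_compressed bytes. This
  # bounds only the input; the output cap is applied in inflate_bounded/2.
  def fetch_raw(url, max_compressed) do
    resp = Req.get!(url, decode_body: false, raw: true)

    if byte_size(resp.body) > max_compressed do
      {:error, :compressed_body_too_large}
    else
      {:ok, resp}
    end
  end

  # Inflate zlib- or gzip-encoded data, giving up as soon as the output would
  # exceed max_out bytes. :zlib.safeInflate/2 returns after producing a bounded
  # amount of output, so the size check runs between chunks rather than after
  # the whole stream has been expanded. Window bits 47 = 15 + 32: auto-detect
  # a zlib or gzip header.
  def inflate_bounded(compressed, max_out) when is_binary(compressed) do
    z = :zlib.open()
    :ok = :zlib.inflateInit(z, 47)

    try do
      inflate_loop(z, :zlib.safeInflate(z, compressed), [], 0, max_out)
    after
      :zlib.close(z)
    end
  end

  defp inflate_loop(z, {state, chunk}, acc, produced, max_out) do
    produced = produced + IO.iodata_length(chunk)

    cond do
      produced > max_out ->
        {:error, :decompressed_body_too_large}

      state == :finished ->
        {:ok, IO.iodata_to_binary([acc, chunk])}

      true ->
        # :continue - request the next chunk without feeding more input.
        inflate_loop(z, :zlib.safeInflate(z, []), [acc, chunk], produced, max_out)
    end
  end

  # End to end: only a single gzip content-encoding layer is handled here;
  # any other encoding is handed back as the raw bytes for the caller to deal with.
  def fetch_and_inflate(url, max_compressed, max_out) do
    with {:ok, resp} <- fetch_raw(url, max_compressed) do
      case Req.Response.get_header(resp, "content-encoding") do
        [enc] when enc in ["gzip", "x-gzip"] -> inflate_bounded(resp.body, max_out)
        _ -> {:ok, resp.body}
      end
    end
  end

  # Offline demo with a constructed bomb: 8 MiB of zero bytes compresses to a
  # few kilobytes, which an unbounded inflate would expand back in full.
  def demo do
    bomb = :zlib.gzip(:binary.copy(<<0>>, 8 * 1024 * 1024))

    %{
      compressed_bytes: byte_size(bomb),
      capped_at_1mib: inflate_bounded(bomb, 1024 * 1024),
      capped_at_16mib: inflate_bounded(bomb, 16 * 1024 * 1024)
    }
  end
end
```

Running BoundedFetch.demo/0 in iex shows the point of the cap: the same few-kilobyte input is rejected with {:error, :decompressed_body_too_large} under the 1 MiB limit and inflated normally under the 16 MiB limit, and in the rejected case the loop stops after the first chunk that crosses the limit instead of allocating the full 8 MiB. The archive paths from the description (:zip.extract and :erl_tar.extract with [:memory]) have no equivalent incremental API, so for untrusted zip or tar bodies the only safe options are to keep decode_body: false and avoid in-memory extraction altogether. If several content-encoding layers are stacked, the cap has to be applied to each layer in turn.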

Exploit

Fix

Weakness Enumeration

Related Identifiers

CVE-2026-49755
GHSA-655F-MP8P-96GV

Affected Products

Req