CVE-2026-49755 wojtekmach CVE debrief

CVE-2026-49755 is a HIGH severity vulnerability in Req, a popular Erlang library. The vulnerability allows an attacker-controlled HTTP server to exhaust memory in a Req client by serving a decompression-bomb response body. The root cause is improper handling of highly compressed data, also known as data amplification: Req's default response pipeline includes steps that decode and decompress the body in full, so the client's memory usage grows with the decompressed size rather than the size on the wire. An attacker can exploit this by sending a specially crafted response whose small payload expands to multiple gigabytes when decompressed, causing the BEAM process to crash.

Vendor: wojtekmach
Product: req
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-08
Original CVE updated: 2026-06-09
Advisory published: 2026-06-08
Advisory updated: 2026-06-09

Who should care

Users of the Req library should be aware of this vulnerability, particularly applications that fetch responses from servers they do not control, since the malicious input here is the response body itself. This includes developers and administrators who use Req in their applications, as well as security teams who monitor for potential vulnerabilities.

Technical summary

The vulnerability is caused by the improper handling of highly compressed data in Req's default response pipeline. Specifically, the `decode_body/1` and `decompress_body/1` steps in `lib/req/steps.ex` can cause a large increase in memory usage when handling compressed response bodies. The `decode_body/1` function dispatches on the server-supplied content-type and calls extraction functions such as `:zip.extract/2` and `:erl_tar.extract/2` (with and without the `:compressed` option), which return the full decompressed archive contents as a list of tuples in memory. The `decompress_body/1` function walks the content-encoding header and chains one decoder per listed encoding, so a response can request multiple layers of decompression with no bound on the resulting size.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade to Req version 0.6.1 or later.
  • Disable the `decode_body/1` and `decompress_body/1` steps in the response pipeline if not required.
  • Implement additional validation and sanitization of response bodies to prevent decompression bombs.
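
As an added example (not Req's own code and not part of the advisory), the following Elixir module shows the second and third actions combined: it fetches with Req's `decompress_body/1` and `decode_body/1` steps turned off via the `raw: true` option, then inflates a single gzip layer itself under a hard output cap using the streaming `:zlib.safeInflate/2` API. The module name, helper names and the 8 MiB cap are assumptions.

```elixir
defmodule BoundedDecompress do
  # Hypothetical cap on decompressed bytes (assumption, tune per use case).
  @max_out 8 * 1024 * 1024

  # GET with Req's decompress_body/1 and decode_body/1 steps disabled
  # (`raw: true`), so the body arrives exactly as the server sent it.
  def fetch_raw(url), do: Req.get!(url, raw: true)

  # Fetch, then inflate only a single gzip layer under the byte cap.
  # Chained or unknown encodings are refused instead of decoded blindly.
  def fetch_bounded(url, max_out \\ @max_out) do
    resp = fetch_raw(url)

    case Req.Response.get_header(resp, "content-encoding") do
      [] -> {:ok, resp.body}
      [enc] when enc in ["gzip", "x-gzip"] -> gunzip_bounded(resp.body, max_out)
      other -> {:error, {:unsupported_encoding, other}}
    end
  end

  # Streaming gzip inflate: :zlib.safeInflate/2 hands back bounded chunks,
  # so we can abort as soon as the running total exceeds `max_out` rather
  # than materialising a multi-gigabyte body first.
  def gunzip_bounded(compressed, max_out \\ @max_out) do
    z = :zlib.open()
    # windowBits 31 (15 + 16) selects gzip framing.
    :ok = :zlib.inflateInit(z, 31)

    try do
      inflate_loop(z, compressed, [], 0, max_out)
    after
      :zlib.close(z)
    end
  end

  defp inflate_loop(z, input, acc, size, max_out) do
    {status, out} = :zlib.safeInflate(z, input)
    chunk = IO.iodata_to_binary(out)
    size = size + byte_size(chunk)

    cond do
      size > max_out -> {:error, :too_large}
      status == :finished -> {:ok, IO.iodata_to_binary(Enum.reverse([chunk | acc]))}
      # :continue means more output is pending; pass [] to resume.
      true -> inflate_loop(z, [], [chunk | acc], size, max_out)
    end
  end
end
```

Corrupt gzip input makes `:zlib.safeInflate/2` raise `:data_error`, which the caller should rescue and treat as a rejected response.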

Evidence notes

The CVE-2026-49755 vulnerability was reported by an unknown vendor and has a CVSS score of 8.2. The vulnerability affects Req versions 0.1.0 through 0.6.0.

Official resources

CVE-2026-49755 was published on 2026-06-08T16:16:43.860Z and modified on 2026-06-09T15:20:13.097Z.