CVE-2026-39804 (CVSS 8.2)
- EPSS 0.63%
- Published 01.05.2026 20:34:24
- Last edited 05.05.2026 19:37:28
- Source 6b3ad84c-e1a6-4bf7-a703-f496b7
WebSocket permessage-deflate inflate has no output-size cap in bandit
Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion when WebSocket permessage-deflate compression is enabled. 'Elixir.Bandit.WebSocket.PerMessageDeflate':inflate/2 in lib/bandit/websocket/permessage_deflate.ex calls :zlib.inflate/2 with no output-size cap, then materializes the entire decompressed payload as a single binary via IO.iodata_to_binary/1. The websocket_options.max_frame_size option only bounds the on-the-wire (compressed) frame size, not the decompressed output. A high-ratio compressed frame (e.g. uniform data at ~1024:1 ratio) can stay well under any wire-size limit while forcing GiB-scale heap allocations in the connection process before any application code runs. An unauthenticated attacker who can open a WebSocket connection can send a single such frame to exhaust the BEAM node's memory and trigger an OOM kill. This vulnerability requires both Bandit's server-level websocket_options.compress and the per-upgrade compress: true option passed to WebSockAdapter.upgrade/4 to be enabled. Stock Phoenix and LiveView applications are not affected as they default to compress: false. This issue affects bandit: from 0.5.9 before 1.11.0.
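The description above pins the defect on an uncapped `:zlib.inflate/2` call followed by materialising the whole result. The following module is an added example, not Bandit's code or the fix from the referenced commit: it inflates a permessage-deflate message (raw deflate, RFC 7692 tail re-appended) with `:zlib.safeInflate/2`, which returns after a small implementation-defined amount of output, so the decompressed size can be checked before any single call allocates a large buffer. The module name, the `max_bytes` parameter and the `compress/1` helper used to build the test input are assumptions for this illustration.

```elixir
defmodule BoundedInflate do
  @moduledoc """
  Hypothetical helper (not Bandit's code): inflate a permessage-deflate
  message while enforcing a cap on the *decompressed* size, independent of
  the compressed frame size on the wire.
  """

  # RFC 7692: the sender strips this trailing empty stored block from each
  # message; the receiver appends it again before inflating.
  @deflate_tail <<0x00, 0x00, 0xFF, 0xFF>>

  @doc """
  Returns `{:ok, binary}` or `{:error, :too_large}` as soon as the output
  would exceed `max_bytes`. The remaining input is never inflated.
  """
  @spec inflate(binary(), pos_integer()) :: {:ok, binary()} | {:error, :too_large}
  def inflate(compressed, max_bytes) when is_binary(compressed) and max_bytes > 0 do
    z = :zlib.open()
    # -15 selects raw deflate (no zlib header), as used by permessage-deflate.
    :ok = :zlib.inflateInit(z, -15)

    try do
      step(z, :zlib.safeInflate(z, [compressed, @deflate_tail]), [], 0, max_bytes)
    after
      :zlib.close(z)
    end
  end

  # safeInflate yields {:continue, chunk} while more output is pending and
  # {:finished, chunk} once the supplied input is exhausted; the size check
  # runs on every chunk, so a 1000:1 payload is rejected after a few KiB.
  defp step(z, {status, chunk}, acc, size, max) do
    size = size + IO.iodata_length(chunk)

    cond do
      size > max -> {:error, :too_large}
      status == :finished -> {:ok, IO.iodata_to_binary([acc, chunk])}
      true -> step(z, :zlib.safeInflate(z, []), [acc, chunk], size, max)
    end
  end

  @doc "Sender side (constructed test input): raw deflate with sync flush, tail stripped."
  def compress(payload) when is_binary(payload) do
    z = :zlib.open()
    :ok = :zlib.deflateInit(z, :default, :deflated, -15, 8, :default)
    out = IO.iodata_to_binary(:zlib.deflate(z, payload, :sync_flush))
    :zlib.close(z)
    # Drop the 4-byte 00 00 FF FF tail that inflate/2 will put back.
    binary_part(out, 0, byte_size(out) - 4)
  end

  @doc "Constructed demo: 4 MiB of zeros compresses to a few KiB (ratio around 1000:1)."
  def demo do
    payload = :binary.copy(<<0>>, 4 * 1024 * 1024)
    frame = compress(payload)

    {
      byte_size(frame),                       # small on-the-wire size
      inflate(frame, 1024 * 1024),            # {:error, :too_large} at a 1 MiB cap
      match?({:ok, ^payload}, inflate(frame, 8 * 1024 * 1024))  # true at an 8 MiB cap
    }
  end
end
```

Run `BoundedInflate.demo()` in `iex`. The point of the design is that the cap is applied to accumulated output inside the inflate loop rather than to the frame length, which is the bound `websocket_options.max_frame_size` provides and which the description notes is insufficient against high-ratio input.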
Data is provided by the CVE Program through a CVE Numbering Authority (CNA) (unstructured).
Vendor: mtrudel
Product: bandit
Default status: unaffected
Version: 0.5.9
Version <: 1.11.0
Status: affected
Vendor: mtrudel
Product: bandit
Default status: unaffected
Version: da4027cff7d2b80319e76fe7a32f84beceec490a
Version <: 8156921a51e684a951221da7bc30a70a022f722e
Status: affected
VulnDex Vulnerability Enrichment
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.63% | 0.452 |

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 6b3ad84c-e1a6-4bf7-a703-f496b71e49db | 8.2 | 0 | 0 | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
CWE-770 Allocation of Resources Without Limits or Throttling
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.
https://github.com/mtrudel/bandit/security/advisories/GHSA-frh3-6pv6-rc8j
https://cna.erlef.org/cves/CVE-2026-39804.html
https://osv.dev/vulnerability/EEF-CVE-2026-39804
https://github.com/mtrudel/bandit/commit/8156921a51e684a951221da7bc30a70a022f722e