AIKIDO-2026-233642

req is vulnerable to Denial of Service (DoS)

Category: Denial of Service (DoS) | CVE-2026-49755 | Published Today

Severity score: 82 (High Risk)

This Affects:

Ecosystem: elixir | Package: req
0.0.1 - 0.6.0
Fixed in 0.6.1

TL;DR

req is vulnerable to a denial-of-service condition caused by improper handling of highly compressed data. The default response processing pipeline automatically decompresses and extracts archive formats such as ZIP, TAR, and GZIP entirely in memory without enforcing limits on decompressed size or archive contents. An attacker controlling an HTTP server can return a specially crafted compression bomb or layered compressed response that expands to an extremely large size during processing. This can lead to excessive memory consumption and potentially crash the BEAM process, resulting in a denial of service.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

req is vulnerable to Denial of Service (DoS) in versions 0.0.1 - 0.6.0.

How to fix this

Upgrade the req library to the patched version (0.6.1), or disable req's automatic response decoding when fetching attacker-controlled URLs by setting decode_body: false. To also disable content-encoding decompression, use raw: true. These options preserve the response body in its original form, allowing applications to validate size and content before performing any decompression.
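The following is an added example, not code from the advisory or from the req project, showing the mitigation above in practice: a hypothetical SafeFetch module fetches with raw: true and decode_body: false so the wire bytes arrive untouched, rejects oversized bodies, and only then inflates gzip content through a bounded :zlib loop. The module name, the two size limits and the use of :zlib.safeInflate/2 are assumptions of this example.

```elixir
defmodule SafeFetch do
  # Constructed limits for this example: raw body on the wire, and
  # total bytes we are willing to produce while inflating it.
  @max_body 5_000_000
  @max_inflated 50_000_000

  # Fetch with req's decompress_body and decode_body steps disabled
  # (raw: true, decode_body: false, as in the advisory), so nothing
  # is expanded in memory before the checks below run.
  def get(url) do
    resp = Req.get!(url, decode_body: false, raw: true)
    encoding = resp |> Req.Response.get_header("content-encoding") |> List.first()

    cond do
      byte_size(resp.body) > @max_body -> {:error, :body_too_large}
      encoding in [nil, "identity"] -> {:ok, resp.body}
      encoding == "gzip" -> inflate_bounded(resp.body, @max_inflated)
      true -> {:error, {:unsupported_encoding, encoding}}
    end
  end

  # Inflate gzip data incrementally and abort as soon as the produced
  # output exceeds `limit`, so a compression bomb cannot exhaust memory.
  def inflate_bounded(compressed, limit) do
    z = :zlib.open()
    # window bits 15 + 16 = 31 tells zlib to expect the gzip wrapper
    :ok = :zlib.inflateInit(z, 31)

    try do
      inflate_loop(z, compressed, [], 0, limit)
    after
      :zlib.close(z)
    end
  end

  defp inflate_loop(z, input, acc, size, limit) do
    # safeInflate returns a bounded chunk per call; pass [] to continue.
    {tag, out} = :zlib.safeInflate(z, input)
    size = size + IO.iodata_length(out)

    cond do
      size > limit -> {:error, :inflated_too_large}
      tag == :continue -> inflate_loop(z, [], [acc, out], size, limit)
      true -> {:ok, IO.iodata_to_binary([acc, out])}
    end
  end
end
```

Calling SafeFetch.get("https://example.invalid/report.gz") returns {:ok, body} only when both the raw and the inflated sizes stay within the limits; a corrupt gzip stream still raises from :zlib, which callers should be prepared to catch.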