EEF-CVE-2026-49755

## Summary

Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in wojtekmach Req allows attacker-controlled HTTP servers to exhaust memory in a Req client via decompression-bomb response bodies.

Req's default response pipeline includes Req.Steps.decode\_body/1 and Req.Steps.decompress\_body/1 in lib/req/steps.ex. decode\_body/1 dispatches on the server-supplied content-type (or URL extension) and calls :zip.extract(body, \[:memory\]) for application/zip, :erl\_tar.extract({:binary, body}, \[:memory\]) for application/x-tar, and :erl\_tar.extract({:binary, body}, \[:memory, :compressed\]) for application/gzip / .tgz. Each returns the full decompressed archive contents as a \[{name, bytes}\] list in memory, with no per-entry or total size cap. decompress\_body/1 walks the content-encoding header and chains :zlib/:brotli/:ezstd decoders, so a response advertising content-encoding: gzip, gzip, gzip inflates through multiple layers without bound.

Both steps are enabled by default, no caller opt-in is required, and the attacker controls the content-type and content-encoding headers on their own server (or on any host reached via Req's automatic redirect following). A sub-megabyte response can expand to multiple gigabytes on the victim, crashing the BEAM process.

This issue affects req: from 0.1.0 before 0.6.1.

## Workaround

Disable Req's automatic body decoding on requests that fetch attacker-influenced URLs by passing decode\_body: false to Req.new/1 / Req.get!/1. To also skip the content-encoding decompression pipeline, pass raw: true. Both options leave the response body as the raw on-the-wire bytes, so the caller can size-check before any decompression.