{“lastseen”:””,”description”:”Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion when WebSocket permessage-deflate compression is enabled.\\n\\n’Elixir.Bandit.WebSocket.PerMessageDeflate’:inflate\/2 in lib\/bandit\/websocket\/permessage_deflate.ex calls :zlib.inflate\/2 with no output-size cap, then materializes the entire decompressed payload as a single binary via IO.iodata_to_binary\/1. The websocket_options.max_frame_size option only bounds the on-the-wire (compressed) frame size, not the decompressed output. A high-ratio compressed frame (e.g. uniform data at ~1024:1 ratio) can stay well under any wire-size limit while forcing GiB-scale heap allocations in the connection process before any application code runs.\\n\\nAn unauthenticated attacker who can open a WebSocket connection can send a single such frame to exhaust the BEAM node’s memory and trigger an OOM kill.\\n\\nThis vulnerability requires both Bandit’s server-level websocket_options.compress and the per-upgrade compress: true option passed to WebSockAdapter.upgrade\/4 to be enabled. Stock Phoenix and LiveView applications are not affected as they default to compress: false.\\n\\nThis issue affects bandit: from 0.5.9 before 1.11.0.”,”published”:”2026-05-01T20:34:24.604Z”,”modified”:”2026-05-01T20:34:24.604Z”,”type”:”cve”,”title”:”WebSocket permessage-deflate inflate has no output-size cap in bandit”,”source”:”EEF”,”references”:”https:\/\/github.com\/mtrudel\/bandit\/security\/advisories\/GHSA-frh3-6pv6-rc8j\\nhttps:\/\/cna.erlef.org\/cves\/CVE-2026-39804.html\\nhttps:\/\/osv.dev\/vulnerability\/EEF-CVE-2026-39804\\nhttps:\/\/github.com\/mtrudel\/bandit\/commit\/8156921a51e684a951221da7bc30a70a022f722e”,”id”:”CVE-2026-39804″,”bulletinFamily”:””,”cwe”:[“CWE-770″],”cvelist”:null,”sourceData”:”mtrudel bandit 0.5.9\\nmtrudel bandit da4027cff7d2b80319e76fe7a32f84beceec490a”,”sourceHref”:””,”cvss”:{“score”:8.2,”severity”:”HIGH”,”vector”:”CVSS:4.0\/AV:N\/AC:L\/AT:P\/PR:N\/UI:N\/VC:N\/VI:N\/VA:H\/SC:N\/SI:N\/SA:N”,”version”:”4.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:””,”category_name”:”CVE”,”post_link”:””,”product”:”bandit”,”version”:”0.5.9″,”vendor”:”mtrudel”,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:””,”description”:”Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion when WebSocket permessage-deflate compression is…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[6,8,77,12,15,13,7,11,5],"class_list":["post-50814","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-cve","tag-cvss","tag-cvss-82","tag-exploit","tag-high","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n