Improper Handling of Compressed Data in Tesla by Elixir
CVE-2026-48594
8.2 HIGH
What is CVE-2026-48594?
Tesla, the Elixir HTTP client library, ships middleware that decodes compressed response bodies. In affected versions that middleware decompressed bodies eagerly, in memory, with no limit on the decoded size. Because it also honoured every layer listed in the Content-Encoding header, a malicious or compromised server could wrap a small body in several gzip layers (for example `Content-Encoding: gzip, gzip, gzip`) and have the client expand it layer by layer into a body many orders of magnitude larger than the bytes received on the wire. Since the decoded data is held entirely in memory, a response of a few hundred bytes is enough to exhaust the memory of the calling process and crash or hang it: a decompression bomb (CWE-409, data amplification) aimed at an HTTP client. Only availability is affected; the attacker needs no privileges or user interaction, but does need to control, or be in a position to answer as, a server the vulnerable client connects to.
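The problem described above, reduced to a runnable demonstration. This is an added example written in Python rather than Elixir; it is not Tesla's middleware code or the project's fix. It builds a constructed multi-layer gzip payload, decodes it the eager way the advisory describes, and then decodes it with a bounded inflater that stops as soon as the decoded size or the number of Content-Encoding layers passes a limit. The limit names (`MAX_DECOMPRESSED_BYTES`, `MAX_ENCODING_LAYERS`) and values are assumptions chosen for the example.

```python
import gzip
import zlib

# Hypothetical limits for this example; a real client would make them configurable.
MAX_DECOMPRESSED_BYTES = 1024 * 1024   # 1 MiB of decoded body
MAX_ENCODING_LAYERS = 2                # accept "gzip, gzip" but nothing deeper


class DecompressionLimitExceeded(Exception):
    """Raised when a response body would exceed the configured limits."""


def make_layered_gzip(plain_size: int, layers: int) -> bytes:
    """Constructed sample: a zero-filled body wrapped in `layers` gzip layers.

    Each layer shrinks the previous one further, so the bytes on the wire are
    tiny compared with the `plain_size` bytes they decode to.
    """
    body = b"\x00" * plain_size
    for _ in range(layers):
        body = gzip.compress(body, compresslevel=9)
    return body


def parse_content_encoding(header: str) -> list[str]:
    """Split "gzip, gzip" into ["gzip", "gzip"], in the order they were applied."""
    return [token.strip().lower() for token in header.split(",") if token.strip()]


def decompress_eager(body: bytes, content_encoding: str) -> bytes:
    """The vulnerable pattern: undo every advertised layer fully in memory.

    Layers are removed in reverse order of application. Nothing caps the output,
    so a payload of a few hundred bytes can decode to gigabytes.
    """
    for encoding in reversed(parse_content_encoding(content_encoding)):
        if encoding == "gzip":
            body = gzip.decompress(body)
        elif encoding != "identity":
            raise ValueError(f"unsupported content-encoding {encoding!r}")
    return body


def gunzip_bounded(data: bytes, max_bytes: int) -> bytes:
    """Inflate one gzip layer, aborting as soon as the output passes max_bytes.

    zlib's streaming decompressor accepts an output cap: ask for at most
    max_bytes + 1 bytes, and if it hands back more than max_bytes the stream is
    too large and we stop before the rest is ever allocated.
    """
    inflater = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip framing
    out = inflater.decompress(data, max_bytes + 1)
    if len(out) > max_bytes:
        raise DecompressionLimitExceeded(f"decoded body exceeds {max_bytes} bytes")
    if not inflater.eof:
        raise ValueError("truncated or malformed gzip stream")
    return out


def decompress_bounded(
    body: bytes,
    content_encoding: str,
    max_bytes: int = MAX_DECOMPRESSED_BYTES,
    max_layers: int = MAX_ENCODING_LAYERS,
) -> bytes:
    """Hardened variant: cap both the number of layers and the decoded size."""
    encodings = parse_content_encoding(content_encoding)
    if len(encodings) > max_layers:
        raise DecompressionLimitExceeded(
            f"{len(encodings)} content-encoding layers, limit is {max_layers}"
        )
    for encoding in reversed(encodings):
        if encoding == "gzip":
            body = gunzip_bounded(body, max_bytes)
        elif encoding != "identity":
            raise ValueError(f"unsupported content-encoding {encoding!r}")
    return body


if __name__ == "__main__":
    bomb = make_layered_gzip(4 * 1024 * 1024, layers=3)
    print(f"payload on the wire: {len(bomb)} bytes")
    print(f"eager decode: {len(decompress_eager(bomb, 'gzip, gzip, gzip'))} bytes")
    try:
        decompress_bounded(bomb, "gzip, gzip, gzip", max_layers=3)
    except DecompressionLimitExceeded as exc:
        print(f"bounded decode refused: {exc}")
```

The bounded version checks the layer count before touching any data and caps each layer independently, so the worst case is bounded by `max_layers * max_bytes` of transient memory rather than by whatever the server chooses to send. The same two checks (layer count and per-layer output cap via a streaming inflater) are what a client-side decompression middleware needs regardless of language.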
Affected Version(s)
tesla >= 0.6.0, < 1.18.3 (Hex package; fixed in 1.18.3)
Git: from commit 5bd90bb5cf0d15e375edc2a66fa322292940fce2 up to, but not including, the fixing commit 340f75b5d191dc747ef7ac6365bd002d1cd55a9d
CVSS v4
Score: 8.2
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Present (the client must be made to fetch a response from an attacker-controlled server)
Privileges Required: None
User Interaction: None
Credit
Peter Ullrich
Yordis Prieto
Jonatan Männchen
