CVE-2026-39804— WebSocket permessage-deflate inflate has no output-size cap in bandit

WebSocket permessage-deflate inflate has no output-size cap in bandit

Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion when WebSocket permessage-deflate compression is enabled. 'Elixir.Bandit.WebSocket.PerMessageDeflate':inflate/2 in lib/bandit/websocket/permessage_deflate.ex calls :zlib.inflate/2 with no output-size cap, then materializes the entire decompressed payload as a single binary via IO.iodata_to_binary/1. The websocket_options.max_frame_size option only bounds the on-the-wire (compressed) frame size, not the decompressed output. A high-ratio compressed frame (e.g. uniform data at ~1024:1 ratio) can stay well under any wire-size limit while forcing GiB-scale heap allocations in the connection process before any application code runs. An unauthenticated attacker who can open a WebSocket connection can send a single such frame to exhaust the BEAM node's memory and trigger an OOM kill. This vulnerability requires both Bandit's server-level websocket_options.compress and the per-upgrade compress: true option passed to WebSockAdapter.upgrade/4 to be enabled. Stock Phoenix and LiveView applications are not affected as they default to compress: false. This issue affects bandit: from 0.5.9 before 1.11.0.

N/A

不加限制或调节的资源分配

Bandit 安全漏洞

Bandit是Mat Trudel个人开发者的一款高性能HTTP与WebSocket服务器。 Bandit 0.5.9版本至1.11.0之前版本存在安全漏洞，该漏洞源于WebSocket permessage-deflate压缩启用时未限制资源分配，可能导致未经身份验证的远程攻击者通过内存耗尽实现拒绝服务攻击。

N/A

N/A