EEF-CVE-2026-49755 漏洞概述 漏洞类型: Decompression bomb DoS in Req via auto-decoded archive and compressed response bodies 漏洞描述: Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in wojtekmach Req allows attacker-controlled HTTP servers to exhaust memory in a Req client via compression-bomb response bodies. CVSS评分: 9.2 (High) 影响范围 受影响版本: req: from 0.10 before 0.6.1 影响机制: - Req's default response pipeline includes and in . - Dispatches on the server-supplied content-type (or URL extension) and calls for , for , and for . - Each returns the full decompressed archive contents as a list in memory, with no per-entry or total size cap. - Decompresses walks the content-encoding header and chains / / decoders, so a response advertising content-encoding: inflates through multiple layers without bounds. - Both steps are enabled by default, no caller opt-in is required, and the attacker controls the content-type and content-encoding headers on their own server (or for any host reached via Req's automatic redirect following). - A sub-megabyte response can expand to multiple gigabytes on the victim, crashing the BEAM process. 修复方案 Workaround: - Disable Req's automatic body decoding on requests that fetch attacker-influenced URLs by passing to / . - To also skip the content-encoding decompression pipeline, pass . Both options leave the response body as the raw on-the-wire bytes, so the caller can size-check before any decompression.