EXECUTIVE SUMMARY:
CVE-2026-39804, with a CVSS score of 8.2, is an Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Bandit, the HTTP server package for Elixir on the Erlang VM. When a Bandit-fronted server has explicitly enabled WebSocket permessage-deflate compression, an unauthenticated client can cause a denial of service through memory exhaustion by sending a single WebSocket frame whose decompressed size is unbounded. The root cause is that the decompression path calls :zlib.inflate/2 without an output-size limit, so the entire decompressed payload is materialized as one binary in the connection process's heap. Exploitation requires two settings to be enabled together: Bandit's server-level websocket_options.compress and the per-upgrade compress: true option passed to WebSockAdapter.upgrade/4. With both in place, an attacker can exhaust the BEAM node's memory and trigger an OOM kill of the whole node, not just the affected connection. The business impact of a successful attack is denial of service of every application served by that node, with the resulting loss of productivity and potential financial losses.
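The following is an added example, not code from Bandit or from the advisory: it shows the unbounded :zlib.inflate/2 pattern described above next to a capped variant built on :zlib.safeInflate/2, which returns a bounded chunk per call and lets the caller stop before the heap grows past a limit. The module name, the constructed frame (a raw-DEFLATE stream of zero bytes, prepared the way a permessage-deflate sender would) and the 1 MiB cap are assumptions made for this demonstration; the hardened variant is one way to bound the output, not necessarily the change shipped in 1.11.0.

```elixir
# Added example, not Bandit's code: the unbounded inflate pattern the advisory
# describes next to a capped alternative built on :zlib.safeInflate/2.
# Module name, the constructed frame and the cap are assumptions for this demo.
defmodule PermessageDeflateDemo do
  # permessage-deflate (RFC 7692) uses raw DEFLATE, i.e. negative window bits.
  @raw_window_bits -15
  # RFC 7692 section 7.2.2: the receiver appends these four octets before inflating.
  @sync_flush_tail <<0x00, 0x00, 0xFF, 0xFF>>

  # Constructed test data: a small frame that inflates to `size` zero bytes.
  # Zeros compress extremely well, so the frame is tiny relative to its output.
  def bomb_frame(size) do
    z = :zlib.open()
    :ok = :zlib.deflateInit(z, :best_compression, :deflated, @raw_window_bits, 8, :default)
    compressed = IO.iodata_to_binary(:zlib.deflate(z, :binary.copy(<<0>>, size), :sync))
    :zlib.close(z)
    # A sync flush ends with 00 00 FF FF; the sender strips it (RFC 7692 section 7.2.1).
    binary_part(compressed, 0, byte_size(compressed) - 4)
  end

  # The vulnerable shape: :zlib.inflate/2 returns the whole decompressed message,
  # so the full payload is materialized on this process's heap whatever its size.
  def inflate_unbounded(frame) do
    z = :zlib.open()
    :ok = :zlib.inflateInit(z, @raw_window_bits)
    out = IO.iodata_to_binary(:zlib.inflate(z, [frame, @sync_flush_tail]))
    :zlib.close(z)
    out
  end

  # Hardened shape: :zlib.safeInflate/2 yields a bounded chunk per call, so the
  # caller can count output and abort before the heap grows past `max_bytes`.
  def inflate_bounded(frame, max_bytes) do
    z = :zlib.open()
    :ok = :zlib.inflateInit(z, @raw_window_bits)
    result = drain(z, :zlib.safeInflate(z, [frame, @sync_flush_tail]), [], 0, max_bytes)
    :zlib.close(z)
    result
  end

  # Accumulates chunks until the stream is drained or the cap is exceeded.
  defp drain(z, {state, chunk}, acc, total, max_bytes) do
    total = total + IO.iodata_length(chunk)

    cond do
      total > max_bytes -> {:error, :too_large}
      state == :finished -> {:ok, IO.iodata_to_binary([acc, chunk])}
      true -> drain(z, :zlib.safeInflate(z, []), [acc, chunk], total, max_bytes)
    end
  end
end

# Usage: a frame of a few tens of KiB that inflates to 32 MiB.
frame = PermessageDeflateDemo.bomb_frame(32 * 1024 * 1024)
IO.puts("compressed frame: #{byte_size(frame)} bytes")
# Unbounded: all 32 MiB land on the heap of whichever process called this.
IO.puts("unbounded: #{byte_size(PermessageDeflateDemo.inflate_unbounded(frame))} bytes")
# Bounded to 1 MiB: rejected long before the payload is fully materialized.
IO.inspect(PermessageDeflateDemo.inflate_bounded(frame, 1024 * 1024))
# A legitimately small message still inflates normally under the same cap.
IO.inspect(PermessageDeflateDemo.inflate_bounded(PermessageDeflateDemo.bomb_frame(1024), 1024 * 1024))
```

Run it with `elixir permessage_deflate_demo.exs`. The point the frame-size numbers make is that a limit on the compressed frame (the usual WebSocket max-frame-size knob) does not protect against this class of bug, because the frame is small; only a limit on the decompressed output, checked as the output is produced, does. In a real server the cap would be checked per connection process and the connection closed with an error when it trips, rather than letting the node be OOM-killed.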
RECOMMENDATION:
We recommend updating bandit to version 1.11.0 or later. Because exploitation requires both the server-level websocket_options.compress setting and the per-upgrade compress: true option to be enabled, deployments that cannot upgrade immediately can remove the exposure by leaving permessage-deflate disabled until the update is applied.
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-frh3-6pv6-rc8j