Threat Advisory

Tesla Vulnerabilities Cause Authorization Token Leakage

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High
[subscribe_to_unlock_form]


EXECUTIVE SUMMARY:

Three vulnerabilities have been identified in the erlang/tesla library. These issues include allocation of resources without limits leading to denial of service, improper handling of case sensitivity resulting in credential leakage, and improper handling of highly compressed data causing decompression bombs. If exploited, these vulnerabilities could allow attackers to crash the application VM or exfiltrate sensitive authorization tokens, leading to significant service disruption and potential data breaches. Organizations relying on this library for HTTP client operations face substantial risks to availability and confidentiality if their applications process untrusted URLs or handle redirects.[/subscribe_to_unlock_form]


EXECUTIVE SUMMARY:

Three vulnerabilities have been identified in the erlang/tesla library. These issues include allocation of resources without limits leading to denial of service, improper handling of case sensitivity resulting in credential leakage, and improper handling of highly compressed data causing decompression bombs. If exploited, these vulnerabilities could allow attackers to crash the application VM or exfiltrate sensitive authorization tokens, leading to significant service disruption and potential data breaches. Organizations relying on this library for HTTP client operations face substantial risks to availability and confidentiality if their applications process untrusted URLs or handle redirects.[emaillocker id="1283"]

CVE-2026-48597 with a CVSS score of 8.2 : This vulnerability allows denial of service via atom table exhaustion when Tesla.Adapter.Mint converts untrusted URL schemes to atoms without validation.

CVE-2026-48595 with a CVSS score of 8.2 : This flaw causes credential leakage on cross-origin redirects because Tesla.Middleware.FollowRedirects uses case-sensitive filtering for the Authorization header.

CVE-2026-48594 with a CVSS score of 8.2 : A decompression bomb vulnerability in the Tesla HTTP client allows attackers to trigger excessive memory consumption by sending highly compressed HTTP responses, potentially causing application crashes or denial-of-service conditions.

 

RECOMMENDATION:

  • We recommend you to update tesla to version 1.20.0 or later.

 

REFERENCES:

The following reports contain further technical details:

https://github.com/advisories/GHSA-h74c-q9j7-mpcm
https://github.com/advisories/GHSA-9m9w-gxf7-rh8m
https://github.com/advisories/GHSA-mc85-72gr-vm9f

[/emaillocker]
crossmenu