CVE-2026-39804
Published: May 1st, 2026
Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion when WebSocket permessage-deflate compression is enabled.
'Elixir.Bandit.WebSocket.PerMessageDeflate':inflate/2 in lib/bandit/websocket/permessage_deflate.ex calls :zlib.inflate/2 with no output-size cap, then materializes the entire decompressed payload as a single binary via IO.iodata_to_binary/1. The websocket_options.max_frame_size option only bounds the on-the-wire (compressed) frame size, not the decompressed output. A high-ratio compressed frame (e.g. uniform data at ~1024:1 ratio) can stay well under any wire-size limit while forcing GiB-scale heap allocations in the connection process before any application code runs.
An unauthenticated attacker who can open a WebSocket connection can send a single such frame to exhaust the BEAM node's memory and trigger an OOM kill.
This vulnerability requires both Bandit's server-level websocket_options.compress and the per-upgrade compress: true option passed to WebSockAdapter.upgrade/4 to be enabled. Stock Phoenix and LiveView applications are not affected as they default to compress: false.
This issue affects bandit: from 0.5.9 before 1.11.0.
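The defensive shape the advisory describes as absent, as an added example (this is not Bandit's code and not the project's fix): inflate the raw-DEFLATE payload through Erlang's `:zlib.safeInflate/2`, which yields output in bounded chunks, and enforce a cap on the decompressed size while draining those chunks, so a high-ratio frame is rejected before the whole payload is ever materialised. The module name `BoundedInflate`, the 1 MiB cap and the constructed test payloads are assumptions for illustration; the `-15` window bits and the `00 00 FF FF` sync-flush tail follow RFC 7692.

```elixir
# Added example, not code from Bandit. It inflates a permessage-deflate
# message with an explicit cap on the *decompressed* size, which is the
# bound the advisory says websocket_options.max_frame_size does not provide.
defmodule BoundedInflate do
  # Sync-flush tail that the sender strips on the wire and the receiver
  # re-appends before inflating (RFC 7692 section 7.2.2).
  @tail <<0x00, 0x00, 0xFF, 0xFF>>
  # Assumed cap for this example: 1 MiB of decompressed output per message.
  @default_max 1_048_576

  @doc """
  Inflates a raw-DEFLATE payload. Returns {:ok, binary} or
  {:error, :inflated_too_large}; output is accumulated chunk by chunk and the
  function stops as soon as the running total exceeds `max_bytes`.
  """
  def inflate(compressed, max_bytes \\ @default_max) when is_binary(compressed) do
    z = :zlib.open()
    # Negative window bits select a raw DEFLATE stream (no zlib header or
    # checksum), which is what permessage-deflate carries.
    :ok = :zlib.inflateInit(z, -15)

    result = drain(z, :zlib.safeInflate(z, [compressed, @tail]), [], 0, max_bytes)
    # close/1 releases the stream even when inflation was abandoned part way,
    # whereas inflateEnd/1 raises if the stream was not fully consumed.
    :ok = :zlib.close(z)
    result
  end

  # safeInflate/2 returns {:continue, chunk} while more output is pending and
  # {:finished, chunk} once all queued input has been consumed. Counting the
  # chunk sizes as they arrive is what lets the cap fire early.
  defp drain(z, {status, chunk}, acc, total, max_bytes) do
    total = total + IO.iodata_length(chunk)

    cond do
      total > max_bytes -> {:error, :inflated_too_large}
      status == :finished -> {:ok, IO.iodata_to_binary(Enum.reverse([chunk | acc]))}
      true -> drain(z, :zlib.safeInflate(z, []), [chunk | acc], total, max_bytes)
    end
  end

  @doc """
  Produces a permessage-deflate style payload for the constructed checks
  below: raw DEFLATE, sync-flushed, with the 4-byte tail removed.
  """
  def compress(payload) when is_binary(payload) do
    z = :zlib.open()
    :ok = :zlib.deflateInit(z, :default, :deflated, -15, 8, :default)
    bin = IO.iodata_to_binary(:zlib.deflate(z, payload, :sync))
    :ok = :zlib.close(z)
    # A sync flush always ends in the empty stored block 00 00 FF FF.
    binary_part(bin, 0, byte_size(bin) - 4)
  end

  @doc """
  Constructed, offline check. A payload of a few KiB that inflates to 8 MiB
  stays far below any plausible wire-size limit, yet the decompressed-size
  cap rejects it; raising the cap shows the same bytes inflate normally.
  """
  def demo do
    small = "hello, websocket"
    {:ok, ^small} = inflate(compress(small))

    # Uniform data: roughly 1000:1 under DEFLATE, like the ratio in the advisory.
    highly_compressible = compress(:binary.copy(<<0>>, 8 * 1024 * 1024))
    true = byte_size(highly_compressible) < 64 * 1024

    {:error, :inflated_too_large} = inflate(highly_compressible, 1_048_576)
    {:ok, big} = inflate(highly_compressible, 16 * 1024 * 1024)
    true = byte_size(big) == 8 * 1024 * 1024
    :ok
  end
end
```

Run `BoundedInflate.demo()` in `iex` to exercise both paths. The cap is checked against the running total rather than the final binary, so the connection process never holds more than the cap plus one `safeInflate` chunk of output; an application that wants different limits per upgrade can pass `max_bytes` explicitly instead of relying on the module default.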
Unknown
CVSS v2:
Status
| DocFilters Release | Package | State | Justification | Comment |
|---|---|---|---|---|
| 26.2 | zlib (1.3) | False Positive | Code Not Present | CVE-2026-39804 is a vulnerability in Bandit (mtrudel/bandit), an Elixir HTTP server, not in the zlib C library. The flaw is unbounded decompression in Bandit’s WebSocket permessage-deflate handler (Elixir.Bandit.WebSocket.PerMessageDeflate:inflate/2), which calls Erlang’s :zlib.inflate/2 without output-size limits. The ‘zlib’ association exists only because Bandit uses Erlang’s zlib NIF internally, but the vulnerability is entirely in Bandit’s application-level code. Document Filters does not use Elixir, Erlang/OTP, Bandit, or any WebSocket server. Document Filters uses the C zlib library version 1.3 directly from madler/zlib for compression/decompression with proper bounded buffers. |
| 26.1 | zlib (1.3) | False Positive | Code Not Present | CVE-2026-39804 is a vulnerability in Bandit (mtrudel/bandit), an Elixir HTTP server, not in the zlib C library. The flaw is unbounded decompression in Bandit’s WebSocket permessage-deflate handler (Elixir.Bandit.WebSocket.PerMessageDeflate:inflate/2), which calls Erlang’s :zlib.inflate/2 without output-size limits. The ‘zlib’ association exists only because Bandit uses Erlang’s zlib NIF internally, but the vulnerability is entirely in Bandit’s application-level code. Document Filters does not use Elixir, Erlang/OTP, Bandit, or any WebSocket server. Document Filters uses the C zlib library version 1.3 directly from madler/zlib for compression/decompression with proper bounded buffers. |
| 25.4 | zlib (1.3) | False Positive | Code Not Present | CVE-2026-39804 is a vulnerability in Bandit (mtrudel/bandit), an Elixir HTTP server, not in the zlib C library. The flaw is unbounded decompression in Bandit’s WebSocket permessage-deflate handler (Elixir.Bandit.WebSocket.PerMessageDeflate:inflate/2), which calls Erlang’s :zlib.inflate/2 without output-size limits. The ‘zlib’ association exists only because Bandit uses Erlang’s zlib NIF internally, but the vulnerability is entirely in Bandit’s application-level code. Document Filters does not use Elixir, Erlang/OTP, Bandit, or any WebSocket server. Document Filters uses the C zlib library version 1.3 directly from madler/zlib for compression/decompression with proper bounded buffers. |
| 25.3 | zlib (1.3) | False Positive | Code Not Present | CVE-2026-39804 is a vulnerability in Bandit (mtrudel/bandit), an Elixir HTTP server, not in the zlib C library. The flaw is unbounded decompression in Bandit’s WebSocket permessage-deflate handler (Elixir.Bandit.WebSocket.PerMessageDeflate:inflate/2), which calls Erlang’s :zlib.inflate/2 without output-size limits. The ‘zlib’ association exists only because Bandit uses Erlang’s zlib NIF internally, but the vulnerability is entirely in Bandit’s application-level code. Document Filters does not use Elixir, Erlang/OTP, Bandit, or any WebSocket server. Document Filters uses the C zlib library version 1.3 directly from madler/zlib for compression/decompression with proper bounded buffers. |
| 25.2 | zlib (1.3) | False Positive | Code Not Present | CVE-2026-39804 is a vulnerability in Bandit (mtrudel/bandit), an Elixir HTTP server, not in the zlib C library. The flaw is unbounded decompression in Bandit’s WebSocket permessage-deflate handler (Elixir.Bandit.WebSocket.PerMessageDeflate:inflate/2), which calls Erlang’s :zlib.inflate/2 without output-size limits. The ‘zlib’ association exists only because Bandit uses Erlang’s zlib NIF internally, but the vulnerability is entirely in Bandit’s application-level code. Document Filters does not use Elixir, Erlang/OTP, Bandit, or any WebSocket server. Document Filters uses the C zlib library version 1.3 directly from madler/zlib for compression/decompression with proper bounded buffers. |
| 25.1 | zlib (1.3) | False Positive | Code Not Present | CVE-2026-39804 is a vulnerability in Bandit (mtrudel/bandit), an Elixir HTTP server, not in the zlib C library. The flaw is unbounded decompression in Bandit’s WebSocket permessage-deflate handler (Elixir.Bandit.WebSocket.PerMessageDeflate:inflate/2), which calls Erlang’s :zlib.inflate/2 without output-size limits. The ‘zlib’ association exists only because Bandit uses Erlang’s zlib NIF internally, but the vulnerability is entirely in Bandit’s application-level code. Document Filters does not use Elixir, Erlang/OTP, Bandit, or any WebSocket server. Document Filters uses the C zlib library version 1.3 directly from madler/zlib for compression/decompression with proper bounded buffers. |
| 24.4 | zlib (1.3) | False Positive | Code Not Present | CVE-2026-39804 is a vulnerability in Bandit (mtrudel/bandit), an Elixir HTTP server, not in the zlib C library. The flaw is unbounded decompression in Bandit’s WebSocket permessage-deflate handler (Elixir.Bandit.WebSocket.PerMessageDeflate:inflate/2), which calls Erlang’s :zlib.inflate/2 without output-size limits. The ‘zlib’ association exists only because Bandit uses Erlang’s zlib NIF internally, but the vulnerability is entirely in Bandit’s application-level code. Document Filters does not use Elixir, Erlang/OTP, Bandit, or any WebSocket server. Document Filters uses the C zlib library version 1.3 directly from madler/zlib for compression/decompression with proper bounded buffers. |
| 24.4.0 | zlib (1.3) | False Positive | Code Not Present | CVE-2026-39804 is a vulnerability in Bandit (mtrudel/bandit), an Elixir HTTP server, not in the zlib C library. The flaw is unbounded decompression in Bandit’s WebSocket permessage-deflate handler (Elixir.Bandit.WebSocket.PerMessageDeflate:inflate/2), which calls Erlang’s :zlib.inflate/2 without output-size limits. The ‘zlib’ association exists only because Bandit uses Erlang’s zlib NIF internally, but the vulnerability is entirely in Bandit’s application-level code. Document Filters does not use Elixir, Erlang/OTP, Bandit, or any WebSocket server. Document Filters uses the C zlib library version 1.3 directly from madler/zlib for compression/decompression with proper bounded buffers. |
| 24.3 | zlib (1.3) | False Positive | Code Not Present | CVE-2026-39804 is a vulnerability in Bandit (mtrudel/bandit), an Elixir HTTP server, not in the zlib C library. The flaw is unbounded decompression in Bandit’s WebSocket permessage-deflate handler (Elixir.Bandit.WebSocket.PerMessageDeflate:inflate/2), which calls Erlang’s :zlib.inflate/2 without output-size limits. The ‘zlib’ association exists only because Bandit uses Erlang’s zlib NIF internally, but the vulnerability is entirely in Bandit’s application-level code. Document Filters does not use Elixir, Erlang/OTP, Bandit, or any WebSocket server. Document Filters uses the C zlib library version 1.3 directly from madler/zlib for compression/decompression with proper bounded buffers. |
| 24.2 | zlib (1.3) | False Positive | Code Not Present | CVE-2026-39804 is a vulnerability in Bandit (mtrudel/bandit), an Elixir HTTP server, not in the zlib C library. The flaw is unbounded decompression in Bandit’s WebSocket permessage-deflate handler (Elixir.Bandit.WebSocket.PerMessageDeflate:inflate/2), which calls Erlang’s :zlib.inflate/2 without output-size limits. The ‘zlib’ association exists only because Bandit uses Erlang’s zlib NIF internally, but the vulnerability is entirely in Bandit’s application-level code. Document Filters does not use Elixir, Erlang/OTP, Bandit, or any WebSocket server. Document Filters uses the C zlib library version 1.3 directly from madler/zlib for compression/decompression with proper bounded buffers. |
| 24.1 | zlib (1.3) | False Positive | Code Not Present | CVE-2026-39804 is a vulnerability in Bandit (mtrudel/bandit), an Elixir HTTP server, not in the zlib C library. The flaw is unbounded decompression in Bandit’s WebSocket permessage-deflate handler (Elixir.Bandit.WebSocket.PerMessageDeflate:inflate/2), which calls Erlang’s :zlib.inflate/2 without output-size limits. The ‘zlib’ association exists only because Bandit uses Erlang’s zlib NIF internally, but the vulnerability is entirely in Bandit’s application-level code. Document Filters does not use Elixir, Erlang/OTP, Bandit, or any WebSocket server. Document Filters uses the C zlib library version 1.3 directly from madler/zlib for compression/decompression with proper bounded buffers. |
| 23.3 | zlib (1.3) | False Positive | Code Not Present | CVE-2026-39804 is a vulnerability in Bandit (mtrudel/bandit), an Elixir HTTP server, not in the zlib C library. The flaw is unbounded decompression in Bandit’s WebSocket permessage-deflate handler (Elixir.Bandit.WebSocket.PerMessageDeflate:inflate/2), which calls Erlang’s :zlib.inflate/2 without output-size limits. The ‘zlib’ association exists only because Bandit uses Erlang’s zlib NIF internally, but the vulnerability is entirely in Bandit’s application-level code. Document Filters does not use Elixir, Erlang/OTP, Bandit, or any WebSocket server. Document Filters uses the C zlib library version 1.3 directly from madler/zlib for compression/decompression with proper bounded buffers. |
| 23.2 | zlib (1.2.12) | False Positive | Code Not Present | CVE-2026-39804 is a vulnerability in Bandit (mtrudel/bandit), an Elixir HTTP server, not in the zlib C library. The flaw is unbounded decompression in Bandit’s WebSocket permessage-deflate handler (Elixir.Bandit.WebSocket.PerMessageDeflate:inflate/2), which calls Erlang’s :zlib.inflate/2 without output-size limits. The ‘zlib’ association exists only because Bandit uses Erlang’s zlib NIF internally, but the vulnerability is entirely in Bandit’s application-level code. Document Filters does not use Elixir, Erlang/OTP, Bandit, or any WebSocket server. Document Filters uses the C zlib library version 1.3 directly from madler/zlib for compression/decompression with proper bounded buffers. |
| 23.1 | zlib (1.2.12) | False Positive | Code Not Present | CVE-2026-39804 is a vulnerability in Bandit (mtrudel/bandit), an Elixir HTTP server, not in the zlib C library. The flaw is unbounded decompression in Bandit’s WebSocket permessage-deflate handler (Elixir.Bandit.WebSocket.PerMessageDeflate:inflate/2), which calls Erlang’s :zlib.inflate/2 without output-size limits. The ‘zlib’ association exists only because Bandit uses Erlang’s zlib NIF internally, but the vulnerability is entirely in Bandit’s application-level code. Document Filters does not use Elixir, Erlang/OTP, Bandit, or any WebSocket server. Document Filters uses the C zlib library version 1.3 directly from madler/zlib for compression/decompression with proper bounded buffers. |
| 22.4 | zlib (1.2.12) | False Positive | Code Not Present | CVE-2026-39804 is a vulnerability in Bandit (mtrudel/bandit), an Elixir HTTP server, not in the zlib C library. The flaw is unbounded decompression in Bandit’s WebSocket permessage-deflate handler (Elixir.Bandit.WebSocket.PerMessageDeflate:inflate/2), which calls Erlang’s :zlib.inflate/2 without output-size limits. The ‘zlib’ association exists only because Bandit uses Erlang’s zlib NIF internally, but the vulnerability is entirely in Bandit’s application-level code. Document Filters does not use Elixir, Erlang/OTP, Bandit, or any WebSocket server. Document Filters uses the C zlib library version 1.3 directly from madler/zlib for compression/decompression with proper bounded buffers. |
| 22.3 | zlib (1.2.12) | False Positive | Code Not Present | CVE-2026-39804 is a vulnerability in Bandit (mtrudel/bandit), an Elixir HTTP server, not in the zlib C library. The flaw is unbounded decompression in Bandit’s WebSocket permessage-deflate handler (Elixir.Bandit.WebSocket.PerMessageDeflate:inflate/2), which calls Erlang’s :zlib.inflate/2 without output-size limits. The ‘zlib’ association exists only because Bandit uses Erlang’s zlib NIF internally, but the vulnerability is entirely in Bandit’s application-level code. Document Filters does not use Elixir, Erlang/OTP, Bandit, or any WebSocket server. Document Filters uses the C zlib library version 1.3 directly from madler/zlib for compression/decompression with proper bounded buffers. |
| 22.2 | zlib (1.2.12) | False Positive | Code Not Present | CVE-2026-39804 is a vulnerability in Bandit (mtrudel/bandit), an Elixir HTTP server, not in the zlib C library. The flaw is unbounded decompression in Bandit’s WebSocket permessage-deflate handler (Elixir.Bandit.WebSocket.PerMessageDeflate:inflate/2), which calls Erlang’s :zlib.inflate/2 without output-size limits. The ‘zlib’ association exists only because Bandit uses Erlang’s zlib NIF internally, but the vulnerability is entirely in Bandit’s application-level code. Document Filters does not use Elixir, Erlang/OTP, Bandit, or any WebSocket server. Document Filters uses the C zlib library version 1.3 directly from madler/zlib for compression/decompression with proper bounded buffers. |
| 22.1 | zlib (1.2.11) | False Positive | Code Not Present | CVE-2026-39804 is a vulnerability in Bandit (mtrudel/bandit), an Elixir HTTP server, not in the zlib C library. The flaw is unbounded decompression in Bandit’s WebSocket permessage-deflate handler (Elixir.Bandit.WebSocket.PerMessageDeflate:inflate/2), which calls Erlang’s :zlib.inflate/2 without output-size limits. The ‘zlib’ association exists only because Bandit uses Erlang’s zlib NIF internally, but the vulnerability is entirely in Bandit’s application-level code. Document Filters does not use Elixir, Erlang/OTP, Bandit, or any WebSocket server. Document Filters uses the C zlib library version 1.3 directly from madler/zlib for compression/decompression with proper bounded buffers. |
| 21.11 | zlib (1.2.11) | False Positive | Code Not Present | CVE-2026-39804 is a vulnerability in Bandit (mtrudel/bandit), an Elixir HTTP server, not in the zlib C library. The flaw is unbounded decompression in Bandit’s WebSocket permessage-deflate handler (Elixir.Bandit.WebSocket.PerMessageDeflate:inflate/2), which calls Erlang’s :zlib.inflate/2 without output-size limits. The ‘zlib’ association exists only because Bandit uses Erlang’s zlib NIF internally, but the vulnerability is entirely in Bandit’s application-level code. Document Filters does not use Elixir, Erlang/OTP, Bandit, or any WebSocket server. Document Filters uses the C zlib library version 1.3 directly from madler/zlib for compression/decompression with proper bounded buffers. |
| 21.8 | zlib (1.2.11) | False Positive | Code Not Present | CVE-2026-39804 is a vulnerability in Bandit (mtrudel/bandit), an Elixir HTTP server, not in the zlib C library. The flaw is unbounded decompression in Bandit’s WebSocket permessage-deflate handler (Elixir.Bandit.WebSocket.PerMessageDeflate:inflate/2), which calls Erlang’s :zlib.inflate/2 without output-size limits. The ‘zlib’ association exists only because Bandit uses Erlang’s zlib NIF internally, but the vulnerability is entirely in Bandit’s application-level code. Document Filters does not use Elixir, Erlang/OTP, Bandit, or any WebSocket server. Document Filters uses the C zlib library version 1.3 directly from madler/zlib for compression/decompression with proper bounded buffers. |
| 21.5.0 | zlib (1.2.11) | False Positive | Code Not Present | CVE-2026-39804 is a vulnerability in Bandit (mtrudel/bandit), an Elixir HTTP server, not in the zlib C library. The flaw is unbounded decompression in Bandit’s WebSocket permessage-deflate handler (Elixir.Bandit.WebSocket.PerMessageDeflate:inflate/2), which calls Erlang’s :zlib.inflate/2 without output-size limits. The ‘zlib’ association exists only because Bandit uses Erlang’s zlib NIF internally, but the vulnerability is entirely in Bandit’s application-level code. Document Filters does not use Elixir, Erlang/OTP, Bandit, or any WebSocket server. Document Filters uses the C zlib library version 1.3 directly from madler/zlib for compression/decompression with proper bounded buffers. |
| 21.2.0 | zlib (1.2.11) | False Positive | Code Not Present | CVE-2026-39804 is a vulnerability in Bandit (mtrudel/bandit), an Elixir HTTP server, not in the zlib C library. The flaw is unbounded decompression in Bandit’s WebSocket permessage-deflate handler (Elixir.Bandit.WebSocket.PerMessageDeflate:inflate/2), which calls Erlang’s :zlib.inflate/2 without output-size limits. The ‘zlib’ association exists only because Bandit uses Erlang’s zlib NIF internally, but the vulnerability is entirely in Bandit’s application-level code. Document Filters does not use Elixir, Erlang/OTP, Bandit, or any WebSocket server. Document Filters uses the C zlib library version 1.3 directly from madler/zlib for compression/decompression with proper bounded buffers. |
| 11.4.19.3667 | zlib (1.2.11) | False Positive | Code Not Present | CVE-2026-39804 is a vulnerability in Bandit (mtrudel/bandit), an Elixir HTTP server, not in the zlib C library. The flaw is unbounded decompression in Bandit’s WebSocket permessage-deflate handler (Elixir.Bandit.WebSocket.PerMessageDeflate:inflate/2), which calls Erlang’s :zlib.inflate/2 without output-size limits. The ‘zlib’ association exists only because Bandit uses Erlang’s zlib NIF internally, but the vulnerability is entirely in Bandit’s application-level code. Document Filters does not use Elixir, Erlang/OTP, Bandit, or any WebSocket server. Document Filters uses the C zlib library version 1.3 directly from madler/zlib for compression/decompression with proper bounded buffers. |
| 11.4.18.3599 | zlib (1.2.11) | False Positive | Code Not Present | CVE-2026-39804 is a vulnerability in Bandit (mtrudel/bandit), an Elixir HTTP server, not in the zlib C library. The flaw is unbounded decompression in Bandit’s WebSocket permessage-deflate handler (Elixir.Bandit.WebSocket.PerMessageDeflate:inflate/2), which calls Erlang’s :zlib.inflate/2 without output-size limits. The ‘zlib’ association exists only because Bandit uses Erlang’s zlib NIF internally, but the vulnerability is entirely in Bandit’s application-level code. Document Filters does not use Elixir, Erlang/OTP, Bandit, or any WebSocket server. Document Filters uses the C zlib library version 1.3 directly from madler/zlib for compression/decompression with proper bounded buffers. |
| 11.4.16.3445 | zlib (1.2.11) | False Positive | Code Not Present | CVE-2026-39804 is a vulnerability in Bandit (mtrudel/bandit), an Elixir HTTP server, not in the zlib C library. The flaw is unbounded decompression in Bandit’s WebSocket permessage-deflate handler (Elixir.Bandit.WebSocket.PerMessageDeflate:inflate/2), which calls Erlang’s :zlib.inflate/2 without output-size limits. The ‘zlib’ association exists only because Bandit uses Erlang’s zlib NIF internally, but the vulnerability is entirely in Bandit’s application-level code. Document Filters does not use Elixir, Erlang/OTP, Bandit, or any WebSocket server. Document Filters uses the C zlib library version 1.3 directly from madler/zlib for compression/decompression with proper bounded buffers. |
| 11.4.15.3368 | zlib (1.2.11) | False Positive | Code Not Present | CVE-2026-39804 is a vulnerability in Bandit (mtrudel/bandit), an Elixir HTTP server, not in the zlib C library. The flaw is unbounded decompression in Bandit’s WebSocket permessage-deflate handler (Elixir.Bandit.WebSocket.PerMessageDeflate:inflate/2), which calls Erlang’s :zlib.inflate/2 without output-size limits. The ‘zlib’ association exists only because Bandit uses Erlang’s zlib NIF internally, but the vulnerability is entirely in Bandit’s application-level code. Document Filters does not use Elixir, Erlang/OTP, Bandit, or any WebSocket server. Document Filters uses the C zlib library version 1.3 directly from madler/zlib for compression/decompression with proper bounded buffers. |
| 11.4.14.3263 | zlib (1.2.11) | False Positive | Code Not Present | CVE-2026-39804 is a vulnerability in Bandit (mtrudel/bandit), an Elixir HTTP server, not in the zlib C library. The flaw is unbounded decompression in Bandit’s WebSocket permessage-deflate handler (Elixir.Bandit.WebSocket.PerMessageDeflate:inflate/2), which calls Erlang’s :zlib.inflate/2 without output-size limits. The ‘zlib’ association exists only because Bandit uses Erlang’s zlib NIF internally, but the vulnerability is entirely in Bandit’s application-level code. Document Filters does not use Elixir, Erlang/OTP, Bandit, or any WebSocket server. Document Filters uses the C zlib library version 1.3 directly from madler/zlib for compression/decompression with proper bounded buffers. |
| 11.4.13.3179 | zlib (1.2.11) | False Positive | Code Not Present | CVE-2026-39804 is a vulnerability in Bandit (mtrudel/bandit), an Elixir HTTP server, not in the zlib C library. The flaw is unbounded decompression in Bandit’s WebSocket permessage-deflate handler (Elixir.Bandit.WebSocket.PerMessageDeflate:inflate/2), which calls Erlang’s :zlib.inflate/2 without output-size limits. The ‘zlib’ association exists only because Bandit uses Erlang’s zlib NIF internally, but the vulnerability is entirely in Bandit’s application-level code. Document Filters does not use Elixir, Erlang/OTP, Bandit, or any WebSocket server. Document Filters uses the C zlib library version 1.3 directly from madler/zlib for compression/decompression with proper bounded buffers. |
| 11.4.12.3054 | zlib (1.2.11) | False Positive | Code Not Present | CVE-2026-39804 is a vulnerability in Bandit (mtrudel/bandit), an Elixir HTTP server, not in the zlib C library. The flaw is unbounded decompression in Bandit’s WebSocket permessage-deflate handler (Elixir.Bandit.WebSocket.PerMessageDeflate:inflate/2), which calls Erlang’s :zlib.inflate/2 without output-size limits. The ‘zlib’ association exists only because Bandit uses Erlang’s zlib NIF internally, but the vulnerability is entirely in Bandit’s application-level code. Document Filters does not use Elixir, Erlang/OTP, Bandit, or any WebSocket server. Document Filters uses the C zlib library version 1.3 directly from madler/zlib for compression/decompression with proper bounded buffers. |
| 11.4.11.3040 | zlib (1.2.11) | False Positive | Code Not Present | CVE-2026-39804 is a vulnerability in Bandit (mtrudel/bandit), an Elixir HTTP server, not in the zlib C library. The flaw is unbounded decompression in Bandit’s WebSocket permessage-deflate handler (Elixir.Bandit.WebSocket.PerMessageDeflate:inflate/2), which calls Erlang’s :zlib.inflate/2 without output-size limits. The ‘zlib’ association exists only because Bandit uses Erlang’s zlib NIF internally, but the vulnerability is entirely in Bandit’s application-level code. Document Filters does not use Elixir, Erlang/OTP, Bandit, or any WebSocket server. Document Filters uses the C zlib library version 1.3 directly from madler/zlib for compression/decompression with proper bounded buffers. |
| 11.4.11.2990 | zlib (1.2.11) | False Positive | Code Not Present | CVE-2026-39804 is a vulnerability in Bandit (mtrudel/bandit), an Elixir HTTP server, not in the zlib C library. The flaw is unbounded decompression in Bandit’s WebSocket permessage-deflate handler (Elixir.Bandit.WebSocket.PerMessageDeflate:inflate/2), which calls Erlang’s :zlib.inflate/2 without output-size limits. The ‘zlib’ association exists only because Bandit uses Erlang’s zlib NIF internally, but the vulnerability is entirely in Bandit’s application-level code. Document Filters does not use Elixir, Erlang/OTP, Bandit, or any WebSocket server. Document Filters uses the C zlib library version 1.3 directly from madler/zlib for compression/decompression with proper bounded buffers. |
| 11.4.10.2934 | zlib (1.2.11) | False Positive | Code Not Present | CVE-2026-39804 is a vulnerability in Bandit (mtrudel/bandit), an Elixir HTTP server, not in the zlib C library. The flaw is unbounded decompression in Bandit’s WebSocket permessage-deflate handler (Elixir.Bandit.WebSocket.PerMessageDeflate:inflate/2), which calls Erlang’s :zlib.inflate/2 without output-size limits. The ‘zlib’ association exists only because Bandit uses Erlang’s zlib NIF internally, but the vulnerability is entirely in Bandit’s application-level code. Document Filters does not use Elixir, Erlang/OTP, Bandit, or any WebSocket server. Document Filters uses the C zlib library version 1.3 directly from madler/zlib for compression/decompression with proper bounded buffers. |
| 11.4.9.2878 | zlib (1.2.11) | False Positive | Code Not Present | CVE-2026-39804 is a vulnerability in Bandit (mtrudel/bandit), an Elixir HTTP server, not in the zlib C library. The flaw is unbounded decompression in Bandit’s WebSocket permessage-deflate handler (Elixir.Bandit.WebSocket.PerMessageDeflate:inflate/2), which calls Erlang’s :zlib.inflate/2 without output-size limits. The ‘zlib’ association exists only because Bandit uses Erlang’s zlib NIF internally, but the vulnerability is entirely in Bandit’s application-level code. Document Filters does not use Elixir, Erlang/OTP, Bandit, or any WebSocket server. Document Filters uses the C zlib library version 1.3 directly from madler/zlib for compression/decompression with proper bounded buffers. |
| 11.4.8.2822 | zlib (1.2.11) | False Positive | Code Not Present | CVE-2026-39804 is a vulnerability in Bandit (mtrudel/bandit), an Elixir HTTP server, not in the zlib C library. The flaw is unbounded decompression in Bandit’s WebSocket permessage-deflate handler (Elixir.Bandit.WebSocket.PerMessageDeflate:inflate/2), which calls Erlang’s :zlib.inflate/2 without output-size limits. The ‘zlib’ association exists only because Bandit uses Erlang’s zlib NIF internally, but the vulnerability is entirely in Bandit’s application-level code. Document Filters does not use Elixir, Erlang/OTP, Bandit, or any WebSocket server. Document Filters uses the C zlib library version 1.3 directly from madler/zlib for compression/decompression with proper bounded buffers. |