CVE-2026-49755: Req Insecure Compressed Default

Defaulting `:compressed` to `true` in `Req.Request.get_option` allows automatic decompression, exposing the application to decompression bomb attacks (DoS). Change the default to `false`.

Provally CuratedPublic repositoryMediumMedium confidenceVerifiedApache-2.0

Elixir^β

greprules fetch cve-2026-49755-req-insecure-compressed-default --engine opengrep

Description

Defaulting `:compressed` to `true` in `Req.Request.get_option` allows automatic decompression, exposing the application to decompression bomb attacks (DoS). Change the default to `false`.

License: Apache-2.0
Source context: Public repository
Source: Provally CVE rule catalog
Validation status: Verified
Quality signals: 131 downloads
0 direct131 via packs
· 0 stars · Quality score 61How quality works
Included packs: 1 pack

Community feedback

0 signals from signed-in users.

Useful: 0
False positive: 0
Metadata: 0