CVE-2026-53659: Unbounded gzip decompression allowed memory-exhaustion DoS
Severity: HIGH
June 16, 2026
Description
ServerFilters.GZip and RequestFilters.GunZip (and the underlying gzip functions used to decompress request bodies) did not impose any cap on the decompressed size. A small malicious gzip-encoded request body (on the order of kilobytes) could decompress to gigabytes, exhausting the JVM heap and denying service to other clients.
Any http4k server that accepts gzip-encoded requests via ServerFilters.GZip or RequestFilters.GunZip is affected. The vulnerability is exploitable by any unauthenticated client. It was introduced on 2017-08-01 (commit 2618fe08f9) and was present for ~9 years.
The fix caps decompression at 10MB by default; oversized requests through ServerFilters.GZip / RequestFilters.GunZip now return 413 Request Entity Too Large, and decompressing elsewhere throws SizeLimitExceededException. The keyed hmacSHA256 helper and other safe paths are unaffected.
Affected http4k modules & versions
http4k-core
- 6.48.0.0 and below
- 5.41.0.0 and below
- 4.50.0.0 and below
Mitigation
Users of affected versions should upgrade to the corresponding fixed version listed in the table below. http4k EE subscribers can access the fixed LTS versions through the dedicated http4k Maven instance. For more details about the http4k EE LTS versions, please contact http4k enterprise support.
| Version | Fixed Version | Availability |
|---|---|---|
| <= 6.48.0.0 | 6.49.0.0 | Community & Enterprise Support |
| <= 5.41.0.0 | 5.42.0.0 | Enterprise Support Only |
| <= 4.50.0.0 | 4.51.0.0 | Enterprise Support Only |
Older, unsupported versions are also affected.
For deployments that cannot upgrade immediately, mitigate by either replacing the GZip / GunZip filters with custom versions that wrap the decompressed InputStream in a size-limited reader, or stripping gzip-encoded request support at the edge (CDN, reverse proxy, or load balancer).
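For the first of those two options, the following is an added example of a size-capped replacement for RequestFilters.GunZip; it is not http4k's own code and not the patched filter that shipped in 6.49.0.0. It assumes the http4k core types Filter, Request, Response, Status and Body, together with the standard java.util.zip.GZIPInputStream; the names BoundedInputStream, DecompressedSizeExceeded and boundedGunZip are invented for this example.

```kotlin
import org.http4k.core.Body
import org.http4k.core.Filter
import org.http4k.core.Request
import org.http4k.core.Response
import org.http4k.core.Status
import java.io.FilterInputStream
import java.io.InputStream
import java.util.zip.GZIPInputStream
import java.util.zip.ZipException

// Example code, not part of http4k. Raised as soon as more than maxBytes of
// decompressed data have been read. Named differently from http4k's own
// SizeLimitExceededException (mentioned in the advisory) to avoid confusion.
class DecompressedSizeExceeded(val maxBytes: Long) :
    RuntimeException("decompressed body exceeds $maxBytes bytes")

// Counts bytes as they are read and aborts the moment the cap is crossed, so a
// highly compressible body is stopped after maxBytes of output rather than
// after the whole payload has been inflated into the heap.
class BoundedInputStream(delegate: InputStream, private val maxBytes: Long) :
    FilterInputStream(delegate) {
    private var seen = 0L

    override fun read(): Int {
        val b = super.read()
        if (b >= 0) count(1)
        return b
    }

    // FilterInputStream.read(ByteArray) delegates here, so this covers both forms.
    override fun read(buf: ByteArray, off: Int, len: Int): Int {
        val n = super.read(buf, off, len)
        if (n > 0) count(n.toLong())
        return n
    }

    private fun count(n: Long) {
        seen += n
        if (seen > maxBytes) throw DecompressedSizeExceeded(maxBytes)
    }
}

// Hypothetical drop-in replacement for RequestFilters.GunZip(). The body is
// inflated eagerly but never past maxBytes; an oversized body is answered with
// 413 before the downstream handler runs, and a malformed gzip stream with 400.
fun boundedGunZip(maxBytes: Long = 10L * 1024 * 1024): Filter = Filter { next ->
    { request: Request ->
        val encoding = request.header("Content-Encoding") ?: ""
        if (!encoding.contains("gzip", ignoreCase = true)) {
            next(request)
        } else {
            try {
                val decompressed = BoundedInputStream(GZIPInputStream(request.body.stream), maxBytes)
                    .use { it.readBytes() }
                next(
                    request
                        .body(Body(decompressed.inputStream(), decompressed.size.toLong()))
                        .removeHeader("Content-Encoding")
                )
            } catch (e: DecompressedSizeExceeded) {
                Response(Status.REQUEST_ENTITY_TOO_LARGE)
                    .body("gzip body would exceed ${e.maxBytes} bytes")
            } catch (e: ZipException) {
                Response(Status.BAD_REQUEST).body("malformed gzip body")
            }
        }
    }
}
```

Install it wherever RequestFilters.GunZip() was applied, for example `boundedGunZip().then(app)`. Where ServerFilters.GZip was in use, keep the response-compression half with ResponseFilters.GZip(), which only compresses outgoing responses and never inflates untrusted input. The cap is enforced on decompressed output, so it holds regardless of the Content-Length the client claims, and the eager read is what allows a clean 413 instead of an exception surfacing from inside the handler later.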
Resolution timeline
| Date/time | Notes |
|---|---|
| 01/08/2017 | Vulnerability introduced (commit 2618fe08f9) |
| 28/05/2026 | Discovered during the Claude-assisted security review pass |
| 30/05/2026 | Fix released in http4k CE v6.49.0.0 and http4k EE LTS v5.42.0.0 / v4.51.0.0 |
| 01/06/2026 | Advisory GHSA-g4w2-6h2r-3m3w opened on GitHub by @daviddenton |
| 01/06/2026 | CVE requested from GitHub |
| 10/06/2026 | CVE re-requested from GitHub |
| 10/06/2026 | CVE-2026-53659 assigned by GitHub |
| 16/06/2026 | Public disclosure |
References
- Full GitHub Advisory: https://github.com/http4k/http4k/security/advisories/GHSA-g4w2-6h2r-3m3w
- NIST CVE Registry: https://nvd.nist.gov/vuln/detail/CVE-2026-53659
