
elixir-grpc CVE-2026-48853

CRITICAL
Deserialization of Untrusted Data (CWE-502)
2026-06-15 EEF
9.2
CVSS 4.0 · Vendor: EEF

Severity by source

Vendor (EEF), primary source: 9.2 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 8.1 HIGH

Network-reachable and unauthenticated, but the server must register the erlpack codec and RCE requires a downstream apply site, justifying AC:H; full C/I/A impact on the BEAM node.

CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (EEF).

CVSS Vector (Vendor: EEF)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X (not defined; CVSS 4.0 has no Scope metric)

Lifecycle Timeline

Source Code Evidence Fetched: Jun 15, 2026, 22:51 (vuln.today)
Analysis Generated: Jun 15, 2026, 22:51 (vuln.today)

Description (CVE.org)

Deserialization of Untrusted Data and Allocation of Resources Without Limits or Throttling vulnerabilities in elixir-grpc grpc allow unauthenticated attackers to crash the BEAM node via atom table exhaustion and, when a decoded term flows into a call site that invokes it, achieve remote code execution on the server.

'Elixir.GRPC.Codec.Erlpack':decode/2 (lib/grpc/codec/erlpack.ex) calls :erlang.binary_to_term/1 on the raw gRPC message body without the :safe option, no size bound, and no type guard. Any unauthenticated peer that sends a request with Content-Type: application/grpc+erlpack can send a crafted payload that mints arbitrary new atoms (which are never garbage-collected, exhausting the bounded atom table and crashing the VM) or that encodes a fun term which, if applied anywhere downstream, executes attacker-controlled code inside the server process.

This issue affects grpc from 0.4.0 before 1.0.0.
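As an added illustration (not the elixir-grpc project's code, and not the fix that shipped in 1.0.0), the unsafe decode pattern named in the description beside a hardened variant that adds the three missing controls: the :safe option, a size bound (the 1 MiB limit is an assumed value), and a guard that rejects fun terms before anything downstream can apply them. The ErlpackGuard module name and the constructed payloads in demo/0 are this example's own.

```elixir
# Added illustration, not elixir-grpc's code. The 1 MiB bound and the fun
# rejection are this example's own choices, not the upstream 1.0.0 fix.
defmodule ErlpackGuard do
  @max_bytes 1_048_576

  # Vulnerable pattern from the advisory: no :safe, no size bound, no type guard.
  def decode_unsafe(bin) when is_binary(bin), do: :erlang.binary_to_term(bin)

  # Hardened: bound the size, refuse terms that would mint new atoms or
  # external funs (:safe), and reject any fun so a downstream apply cannot run it.
  def decode_safe(bin) when is_binary(bin) and byte_size(bin) > @max_bytes,
    do: {:error, :too_large}

  def decode_safe(bin) when is_binary(bin) do
    term = :erlang.binary_to_term(bin, [:safe])
    if contains_fun?(term), do: {:error, :fun_term}, else: {:ok, term}
  rescue
    # :safe signals an unsafe term with badarg, surfaced as ArgumentError.
    ArgumentError -> {:error, :unsafe_term}
  end

  # Walk lists (including improper ones), tuples and maps looking for funs.
  defp contains_fun?(f) when is_function(f), do: true
  defp contains_fun?([h | t]), do: contains_fun?(h) or contains_fun?(t)
  defp contains_fun?(t) when is_tuple(t), do: t |> Tuple.to_list() |> contains_fun?()
  defp contains_fun?(m) when is_map(m), do: m |> Map.to_list() |> contains_fun?()
  defp contains_fun?(_), do: false

  # Constructed payloads for a local check; nothing is sent over a network.
  def demo do
    # ATOM_UTF8_EXT (tag 118) naming an atom that is not in this VM's atom table.
    name = "constructed_atom_not_in_table_#{System.unique_integer([:positive])}"
    novel_atom = <<131, 118, byte_size(name)::16, name::binary>>
    # A harmless anonymous fun; :safe alone lets it through, the type guard stops it.
    fun_term = :erlang.term_to_binary(fn -> :constructed end)
    plain = :erlang.term_to_binary(%{"id" => 7, "tags" => ["a", "b"]})

    [
      novel_atom: decode_safe(novel_atom),
      fun_term: decode_safe(fun_term),
      plain: decode_safe(plain),
      too_large: decode_safe(:binary.copy(<<0>>, @max_bytes + 1))
    ]
  end
end

IO.inspect(ErlpackGuard.demo())
```

Run with `elixir erlpack_guard.exs`; only the plain map payload comes back as `{:ok, term}`, the other three are rejected by a different check each.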

Analysis (AI)

Unsafe Erlang term deserialization in the elixir-grpc library (versions 0.4.0 through 1.0.0) allows unauthenticated remote attackers to crash the BEAM VM via atom-table exhaustion or achieve remote code execution by sending crafted gRPC payloads with Content-Type application/grpc+erlpack. The flaw lives in GRPC.Codec.Erlpack.decode/2, which calls :erlang.binary_to_term/1 without the :safe option, size bounds, or type guards. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: Identify exposed Elixir gRPC endpoint
Delivery: Send request with Content-Type application/grpc+erlpack
Exploit: Trigger unsafe binary_to_term in Erlpack.decode/2
Execution: Inject crafted atoms or fun term
Persist: Exhaust atom table or apply attacker fun
Impact: Crash BEAM node or execute code as server

Vulnerability Assessment (AI)

Exploitation: The target Elixir/Erlang gRPC server must have the GRPC.Codec.Erlpack codec registered so it accepts requests with Content-Type: application/grpc+erlpack; this is the AT:P attack requirement reflected in the CVSS 4.0 vector. …

Risk Assessment: The CVSS 4.0 base score of 9.2 reflects network attack vector, low complexity, no privileges, and high VC/VI/VA impact, but AT:P (Attack Requirements: Present) signals that the target must accept the erlpack content type, which is a real deployment-dependent gate. …

Exploit Scenario: An unauthenticated attacker discovers an internet-exposed Elixir gRPC service and sends a single HTTP/2 request with Content-Type: application/grpc+erlpack carrying an Erlang External Term Format payload that encodes thousands of unique novel atoms, exhausting the BEAM atom table and crashing the node (DoS). For RCE, the attacker instead encodes a fun term that, when the application later applies the decoded value, executes shell commands as the gRPC server user. …

Remediation: Vendor-released patch: upgrade the elixir-grpc grpc Hex dependency to 1.0.0 or later, which contains the fix landed in commit 272a97a5ea1b46af1819f14a831fcf35fc91f992 (see https://github.com/elixir-grpc/grpc/commit/272a97a5ea1b46af1819f14a831fcf35fc91f992 and the advisory at https://github.com/elixir-grpc/grpc/security/advisories/GHSA-grp7-v8xh-rj7h). …

Recommended Action (AI)

24 hours: Inventory systems running elixir-grpc 0.4.0-1.0.0 and restrict external gRPC endpoint access if possible; review logs for application/grpc+erlpack requests. …




CVE-2026-48853 vulnerability details – vuln.today
