elixir-grpc CVE-2026-48854
HIGHSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable gRPC port (AV:N), single straightforward request (AC:L), no auth or interaction (PR:N/UI:N), and only availability is impacted (A:H, C:N, I:N).
Primary rating from Vendor (EEF).
CVSS VectorVendor: EEF
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Allocation of Resources Without Limits or Throttling vulnerability in elixir-grpc grpc allows unauthenticated attackers to exhaust the BEAM's memory and crash the server by streaming a large or slow-trickle unary request body.
'Elixir.GRPC.Server.Adapters.Cowboy.Handler':read_full_body/3 (lib/grpc/server/adapters/cowboy/handler.ex) accumulates every received chunk into a single growing binary with no size cap. Additionally, when the client omits the grpc-timeout header, the per-chunk read timeout resolves to :infinity, allowing a slow-trickle client to keep the connection alive indefinitely while memory grows. A single connection is sufficient to exhaust server memory and crash the node.
This issue affects grpc from 0.3.1 before 1.0.0.
AnalysisAI
Unauthenticated denial of service in the elixir-grpc library (versions 0.3.1 up to but not including 1.0.0) allows a single remote attacker to crash an Erlang/BEAM node by streaming an oversized or slow-trickle unary gRPC request body. The Cowboy handler's read_full_body/3 accumulates every chunk into one unbounded binary, and when no grpc-timeout header is sent the per-chunk read timeout collapses to :infinity, so memory grows without bound until the VM dies. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires only network reachability to an elixir-grpc server (versions 0.3.1 through 0.x) running the Cowboy adapter, which is the default; no authentication, no user interaction, and no non-default configuration is needed. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals align coherently on a real but bounded risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker opens a single HTTP/2 connection to any exposed elixir-grpc endpoint, issues a unary RPC without a grpc-timeout header, and either streams a very large request body or trickles bytes a few at a time over many minutes. The handler appends every chunk to one growing binary while the read timeout sits at :infinity, so RAM usage climbs until the BEAM VM is OOM-killed and the entire Erlang node - along with every other service it hosts - goes down. |
| Remediation | Upstream fix available (commit 49e18c3ec6bb9afe2f712caad3dbab5c56a68a00); upgrade elixir-grpc/grpc to 1.0.0 or later, which introduces a default 4 MB max_body_size matching gRPC-Go and stops overriding Cowboy's 15-second per-chunk read timeout with :infinity. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify and inventory all systems running elixir-grpc with current version documentation. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Share
External POC / Exploit Code
Leaving vuln.today