elixir-grpc CVE-2026-53430
Severity (by source): HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Single unauthenticated network frame with gzip header triggers OOM on the BEAM node, so AV:N/AC:L/PR:N/UI:N and availability-only impact A:H with C:N/I:N.
Primary rating from Vendor (EEF).
Description (CVE.org)
Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-grpc grpc (GRPC.Compressor.Gzip, GRPC.Message modules) allows a denial of service via a gzip decompression bomb.
This vulnerability is associated with program files lib/grpc/compressor/gzip.ex, lib/grpc/message.ex and program routines 'Elixir.GRPC.Compressor.Gzip':decompress/1, 'Elixir.GRPC.Message':from_data/2.
'Elixir.GRPC.Compressor.Gzip':decompress/1 calls :zlib.gunzip/1 directly on attacker-controlled bytes with no decompressed-size limit, ratio check, or incremental decoding. Because this module is the registered gzip GRPC.Compressor implementation, it is invoked automatically whenever an incoming gRPC frame carries the grpc-encoding: gzip header. :zlib.gunzip/1 allocates the entire decompressed result as a single binary, so a small highly compressible payload (for example a few kilobytes of zeros, which gzip compresses at roughly 1000:1) expands to multiple gigabytes inside a single call. The max_receive_message_length limit is enforced only against the already-decompressed message, so it provides no protection. An unauthenticated remote peer can send a single crafted frame to exhaust the BEAM node's heap and trigger an out-of-memory kill.
This issue affects grpc: from 0.4.0 before 1.0.0.
Analysis (AI)
Denial of service in the elixir-grpc library (versions 0.4.0 through 0.x) allows unauthenticated remote attackers to crash BEAM nodes via a gzip decompression bomb. The GRPC.Compressor.Gzip module calls :zlib.gunzip/1 directly on attacker-controlled bytes without size limits, ratio checks, or incremental decoding, so a single small frame carrying the grpc-encoding: gzip header expands to multi-gigabyte allocations and triggers OOM kills. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Target must run elixir-grpc grpc 0.4.0 through pre-1.0.0 with the default gzip compressor registered (this is the out-of-box configuration; no special enablement is needed) and must accept gRPC traffic from the attacker's network position. … |
| Risk Assessment | The CVSS 4.0 vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N (score 8.7 High) accurately reflects an unauthenticated, network-reachable, single-packet DoS with no confidentiality or integrity impact. … |
| Exploit Scenario | An attacker reaches any internet-exposed Elixir gRPC endpoint, opens an HTTP/2 stream, sets the grpc-encoding: gzip header, and sends a single message frame containing a few kilobytes of zeros pre-compressed with gzip. The receiving BEAM node calls :zlib.gunzip/1, allocates multiple gigabytes on the heap in one shot, and is OOM-killed before max_receive_message_length is ever consulted; repeating the request keeps the service unavailable. … |
| Remediation | Vendor-released patch: upgrade elixir-grpc grpc to version 1.0.0 or later, which rewrites GRPC.Compressor.Gzip.decompress/1 to use :zlib.inflateInit with windowBits 31 and feeds the compressed input in 8 KB slices, aborting with GRPC.RPCError status :resource_exhausted as soon as the decompressed accumulator exceeds the limit (default 4 MB, matching gRPC-Go); the limit is tunable via Application.put_env(:grpc, :max_decompressed_message_length, bytes). … |
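As an added illustration of the fix the Remediation row describes (this is example code, not elixir-grpc's own), a bounded gzip decompressor in Elixir: it initialises inflate with windowBits 31 and stops with :resource_exhausted once accumulated output passes the limit, but it uses :zlib.safeInflate/2 (OTP 20.1 or later), which bounds output per call, instead of the 8 KB input slicing the advisory mentions. The module name BoundedGzip and self_check/0 are made up for the example; the :grpc application key is the one the advisory names.

```elixir
defmodule BoundedGzip do
  # Default mirrors the 4 MB limit the advisory cites; the env key is the
  # one the advisory names for tuning it (absent app env -> default used).
  @default_limit 4 * 1024 * 1024

  def decompress(compressed, limit \\ limit_from_env()) when is_binary(compressed) do
    z = :zlib.open()
    try do
      # windowBits 31 = 15 + 16: tell zlib to expect a gzip wrapper
      :ok = :zlib.inflateInit(z, 31)
      inflate_loop(z, compressed, [], 0, limit)
    rescue
      # :zlib raises data_error on corrupt or truncated input
      ErlangError -> {:error, :data_error}
    after
      :zlib.close(z)
    end
  end

  defp limit_from_env do
    Application.get_env(:grpc, :max_decompressed_message_length, @default_limit)
  end

  # safeInflate/2 returns after a small, implementation-defined amount of
  # output, so the running total is checked before the next slice is produced.
  defp inflate_loop(z, input, acc, size, limit) do
    {status, out} = :zlib.safeInflate(z, input)
    size = size + IO.iodata_length(out)
    cond do
      # Caller maps this to GRPC.RPCError with status :resource_exhausted
      size > limit -> {:error, :resource_exhausted}
      status == :finished ->
        # inflateEnd raises data_error if no gzip end-of-stream was seen
        :ok = :zlib.inflateEnd(z)
        {:ok, IO.iodata_to_binary(Enum.reverse([out | acc]))}
      true -> inflate_loop(z, [], [out | acc], size, limit)
    end
  end

  # Constructed self-check: ~16 KB of gzip that would inflate to 16 MB of zeros
  # is refused at the 4 MB default, a normal body round-trips, truncation fails.
  def self_check do
    bomb = :zlib.gzip(:binary.copy(<<0>>, 16 * 1024 * 1024))
    normal = :zlib.gzip("hello grpc")
    {:error, :resource_exhausted} = decompress(bomb)
    {:ok, "hello grpc"} = decompress(normal)
    {:error, :data_error} = decompress(binary_part(normal, 0, 12))
    :ok
  end
end
```

Run `BoundedGzip.self_check()` in iex; the bomb is rejected after only a few small output slices rather than after a multi-gigabyte allocation.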
Recommended Action (AI)
24 hours: Identify all services and internal systems running elixir-grpc versions 0.4.0-0.x; assess exposure to untrusted network traffic. …