Grpc
Unsafe Erlang term deserialization in the elixir-grpc library (versions 0.4.0 through 1.0.0) allows unauthenticated remote attackers to crash the BEAM VM via atom-table exhaustion or achieve remote code execution by sending crafted gRPC payloads with Content-Type application/grpc+erlpack. The flaw lives in GRPC.Codec.Erlpack.decode/2, which calls :erlang.binary_to_term/1 without the :safe option, size bounds, or type guards. No public exploit is identified at time of analysis, but the upstream fix is published at commit 272a97a and a patched 1.0.0 release is available.
Denial of service in the elixir-grpc library (versions 0.4.0 through 0.x) allows unauthenticated remote attackers to crash BEAM nodes via a gzip decompression bomb. The GRPC.Compressor.Gzip module calls :zlib.gunzip/1 directly on attacker-controlled bytes without size limits, ratio checks, or incremental decoding, so a single small frame carrying the grpc-encoding: gzip header expands to multi-gigabyte allocations and triggers OOM kills. No public exploit identified at time of analysis, but a vendor patch is available in version 1.0.0.
Authorization bypass in elixir-grpc (grpc library for Elixir) versions 0.8.0 through 0.x allows authenticated attackers to override path-bound URL parameters via query string or request body values, defeating ownership and multi-tenancy checks. The flaw stems from incorrect Map.merge/2 precedence in GRPC.Server.Transcode.map_request/5, where attacker-controlled query/body values silently overwrite the router-extracted path bindings used by handlers for authorization. No public exploit identified at time of analysis, but upstream patch and detailed regression tests are publicly available.
Unauthenticated denial of service in the elixir-grpc library (versions 0.3.1 up to but not including 1.0.0) allows a single remote attacker to crash an Erlang/BEAM node by streaming an oversized or slow-trickle unary gRPC request body. The Cowboy handler's read_full_body/3 accumulates every chunk into one unbounded binary, and when no grpc-timeout header is sent the per-chunk read timeout collapses to :infinity, so memory grows without bound until the VM dies. No public exploit identified at time of analysis, but the fix is upstream in commit 49e18c3 and the issue is trivial to trigger.