EEF-CVE-2026-53430

See a problem?
Please try reporting it to the source first.

Source

https://cna.erlef.org/osv/EEF-CVE-2026-53430.html

Import Source

https://cna.erlef.org/osv/EEF-CVE-2026-53430.json

JSON Data

https://api.osv.dev/v1/vulns/EEF-CVE-2026-53430

Aliases

CVE-2026-53430
GHSA-6ccx-9c9f-327w

Published

2026-06-15T21:55:33.707Z

Modified

2026-06-15T22:26:29.470744054Z

Severity

8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

grpc gzip decompression bomb in GRPC.Compressor.Gzip.decompress/1

Details

Summary

Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-grpc grpc (GRPC.Compressor.Gzip, GRPC.Message modules) allows a denial of service via a gzip decompression bomb.

This vulnerability is associated with program files lib/grpc/compressor/gzip.ex, lib/grpc/message.ex and program routines 'Elixir.GRPC.Compressor.Gzip':decompress/1, 'Elixir.GRPC.Message':from_data/2.

'Elixir.GRPC.Compressor.Gzip':decompress/1 calls :zlib.gunzip/1 directly on attacker-controlled bytes with no decompressed-size limit, ratio check, or incremental decoding. Because this module is the registered gzip GRPC.Compressor implementation, it is invoked automatically whenever an incoming gRPC frame carries the grpc-encoding: gzip header. :zlib.gunzip/1 allocates the entire decompressed result as a single binary, so a small highly compressible payload (for example a few kilobytes of zeros, which gzip compresses at roughly 1000:1) expands to multiple gigabytes inside a single call. The max_receive_message_length limit is enforced only against the already-decompressed message, so it provides no protection. An unauthenticated remote peer can send a single crafted frame to exhaust the BEAM node's heap and trigger an out-of-memory kill.

This issue affects grpc: from 0.4.0 before 1.0.0.

Database specific

{
    "cpe_ids": [
        "cpe:2.3:a:elixir-grpc:grpc:*:*:*:*:*:*:*:*"
    ],
    "capec_ids": [
        "CAPEC-130"
    ],
    "cwe_ids": [
        "CWE-409"
    ]
}

References

Credits

- Peter Ullrich - FINDER
- Paulo Valente - REMEDIATION_DEVELOPER

Affected packages

Hex / grpc

Package

Name: grpc
Purl: pkg:hex/grpc

Affected ranges

Type: SEMVER
Events: Introduced

0.4.0

Fixed

1.0.0

Affected versions

0.*

0.5.0-beta

0.5.0-beta.1

0.5.0

0.6.0

0.7.0

0.8.0

0.8.1

0.9.0

0.10.0

0.10.1

0.10.2

0.11.0

0.11.1

0.11.2

0.11.3

0.11.4

0.11.5

1.*

1.0.0-rc.1

Database specific

source

"https://cna.erlef.org/osv/EEF-CVE-2026-53430.json"

Git / github.com/elixir-grpc/grpc

Affected ranges

Type: GIT
Repo: https://github.com/elixir-grpc/grpc
Events: Introduced

beae6800fc8baf126f3fe7107d86a50e105275ba

Fixed

1afbab9d57d2a3e16ca9c62ffa4923338ea96cfc

Affected versions

v0.*

v0.11.2

v0.4.0

v0.5.0

v0.5.0-beta

v0.5.0-beta.1

v0.6.0

v0.7.0

v0.8.0

v0.8.1

Database specific

source

"https://cna.erlef.org/osv/EEF-CVE-2026-53430.json"