Impact
The vulnerability originates from unsafe deserialization of Erlang terms in the elixir‑grpc grpc library. The codec Erlpack.decode calls :erlang.binary_to_term without safety checks or size limits, allowing an attacker to send arbitrary terms. This can cause atom table exhaustion and crash the BEAM node, or, if the term contains a fun, execute malicious code. The flaw is essentially a deserialization of untrusted data leading to remote code execution and denial of service.
Affected Systems
The affected product is elixir‑grpc grpc. Any installation of grpc between version 0.4.0 and before 1.0.0 that receives gRPC requests with the content type application/grpc+erlpack is vulnerable. The attack surface is present in any server using the Erlpack codec for deserialization.
Risk and Exploitability
The CVSS score of 9.2 marks this flaw as critical. The EPSS score is less than 1 percent, indicating a very low probability of exploitation in the wild, and the vulnerability is not currently listed in the CISA KEV catalog. However, the attack requires no prior authentication and can be performed over any gRPC endpoint that accepts the vulnerable content type, making it potentially easily exploitable for targeted adversaries. Based on the description, the impact is likely to include loss of confidentiality, integrity, and availability of the affected server.
OpenCVE Enrichment