Impact
Elixir GRPC's server adapter accumulates every received request body chunk into a single binary without any size cap. When a client omits the grpc‑timeout header, the per‑chunk read timeout resolves to :infinity, allowing a slow‑trickle or extremely large request to be sent over a single connection. This unbounded accumulation of data consumes BEAM memory until the node crashes. The weakness falls under CWE‑770 and results in a classic memory exhaustion denial of service for the affected service exposed to the network.
Affected Systems
The vulnerability is present in the Elixir GRPC grpc library from version 0.3.1 up to, but not including, 1.0.0. Any deployment using a pre‑1.0.0 release of the grpc package on an Erlang/Elixir BEAM runtime is susceptible.
Risk and Exploitability
The reported CVSS score of 8.7 indicates high severity, yet the EPSS score is below 1 %, suggesting that exploitation is unlikely to be widespread at present. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker can exploit this by simply establishing an unauthenticated TCP connection to the grpc service and streaming a large or slow‑trickle request body; no additional privileges are required.
OpenCVE Enrichment