Description
Allocation of Resources Without Limits or Throttling vulnerability in elixir-grpc grpc allows unauthenticated attackers to exhaust the BEAM's memory and crash the server by streaming a large or slow-trickle unary request body.

'Elixir.GRPC.Server.Adapters.Cowboy.Handler':read_full_body/3 (lib/grpc/server/adapters/cowboy/handler.ex) accumulates every received chunk into a single growing binary with no size cap. Additionally, when the client omits the grpc-timeout header, the per-chunk read timeout resolves to :infinity, allowing a slow-trickle client to keep the connection alive indefinitely while memory grows. A single connection is sufficient to exhaust server memory and crash the node.

This issue affects grpc from 0.3.1 before 1.0.0.
Published: 2026-06-15
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Elixir GRPC's server adapter accumulates every received request body chunk into a single binary without any size cap. When a client omits the grpc‑timeout header, the per‑chunk read timeout resolves to :infinity, allowing a slow‑trickle or extremely large request to be sent over a single connection. This unbounded accumulation of data consumes BEAM memory until the node crashes. The weakness falls under CWE‑770 and results in a classic memory exhaustion denial of service for the affected service exposed to the network.

Affected Systems

The vulnerability is present in the Elixir GRPC grpc library from version 0.3.1 up to, but not including, 1.0.0. Any deployment using a pre‑1.0.0 release of the grpc package on an Erlang/Elixir BEAM runtime is susceptible.

Risk and Exploitability

The reported CVSS score of 8.7 indicates high severity, yet the EPSS score is below 1 %, suggesting that exploitation is unlikely to be widespread at present. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker can exploit this by simply establishing an unauthenticated TCP connection to the grpc service and streaming a large or slow‑trickle request body; no additional privileges are required.

Generated by OpenCVE AI on June 17, 2026 at 22:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Elixir GRPC grpc library to version 1.0.0 or later, which imposes limits on request body size and removes the unbounded accumulation bug.
  • If an upgrade cannot be performed immediately, restrict the BEAM VM memory limits for the grpc process or deploy a reverse proxy that enforces a request body size limit to mitigate memory consumption.
  • Restart the server process after applying any changes to ensure no lingering connections are continuing to consume memory.

Generated by OpenCVE AI on June 17, 2026 at 22:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Description Allocation of Resources Without Limits or Throttling vulnerability in elixir-grpc grpc allows unauthenticated attackers to exhaust the BEAM's memory and crash the server by streaming a large or slow-trickle unary request body. 'Elixir.GRPC.Server.Adapters.Cowboy.Handler':read_full_body/3 (lib/grpc/server/adapters/cowboy/handler.ex) accumulates every received chunk into a single growing binary with no size cap. Additionally, when the client omits the grpc-timeout header, the per-chunk read timeout resolves to :infinity, allowing a slow-trickle client to keep the connection alive indefinitely while memory grows. A single connection is sufficient to exhaust server memory and crash the node. This issue affects grpc from 0.3.1 before 1.0.0.
Title Unbounded request body accumulation causes memory exhaustion in elixir-grpc/grpc
First Time appeared Elixir-grpc
Elixir-grpc grpc
Weaknesses CWE-770
CPEs cpe:2.3:a:elixir-grpc:grpc:*:*:*:*:*:*:*:*
Vendors & Products Elixir-grpc
Elixir-grpc grpc
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Elixir-grpc Grpc
cve-icon MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-06-17T04:46:27.584Z

Reserved: 2026-05-25T20:44:10.697Z

Link: CVE-2026-48854

cve-icon Vulnrichment

Updated: 2026-06-16T14:47:23.900Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T23:16:45.813

Modified: 2026-06-16T15:35:16.600

Link: CVE-2026-48854

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T23:00:14Z

Weaknesses
  • CWE-770

    Allocation of Resources Without Limits or Throttling