Impact
The vulnerability lies in the GRPC.Compressor.Gzip module of elixir‑grpc where :zlib.gunzip/1 is called on caller‑controlled data without size limits, allowing a gzip decompression bomb that can inflate a few kilobytes into gigabytes. Attackers can cause an out‑of‑memory crash by sending a single crafted frame, resulting in denial of service. This weakness is a classic data amplification flaw (CWE-409).
Affected Systems
elixir‑grpc’s grpc library, versions from 0.4.0 up to but excluding 1.0.0. This includes all builds that register GRPC.Compressor.Gzip as the default gzip implementation, affecting any BEAM node that accepts remote gRPC frames with the grpc‑encoding: gzip header.
Risk and Exploitability
The CVSS score of 8.7 indicates high severity, while the EPSS score of <1% shows a very low exploitation probability in the current landscape. The vulnerability is not listed in the CISA KEV catalog. Attackers need only an unauthenticated connection to send a gzip‑encoded frame, and the absence of a decompressed‑size limit means the exploit does not require any privileged access; a single crafted request will exhaust the node’s heap and trigger an OOM kill.
OpenCVE Enrichment