Description
Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-grpc grpc (GRPC.Compressor.Gzip, GRPC.Message modules) allows a denial of service via a gzip decompression bomb.

This vulnerability is associated with program files lib/grpc/compressor/gzip.ex, lib/grpc/message.ex and program routines 'Elixir.GRPC.Compressor.Gzip':decompress/1, 'Elixir.GRPC.Message':from_data/2.

'Elixir.GRPC.Compressor.Gzip':decompress/1 calls :zlib.gunzip/1 directly on attacker-controlled bytes with no decompressed-size limit, ratio check, or incremental decoding. Because this module is the registered gzip GRPC.Compressor implementation, it is invoked automatically whenever an incoming gRPC frame carries the grpc-encoding: gzip header. :zlib.gunzip/1 allocates the entire decompressed result as a single binary, so a small highly compressible payload (for example a few kilobytes of zeros, which gzip compresses at roughly 1000:1) expands to multiple gigabytes inside a single call. The max_receive_message_length limit is enforced only against the already-decompressed message, so it provides no protection. An unauthenticated remote peer can send a single crafted frame to exhaust the BEAM node's heap and trigger an out-of-memory kill.

This issue affects grpc: from 0.4.0 before 1.0.0.
Published: 2026-06-15
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the GRPC.Compressor.Gzip module of elixir‑grpc where :zlib.gunzip/1 is called on caller‑controlled data without size limits, allowing a gzip decompression bomb that can inflate a few kilobytes into gigabytes. Attackers can cause an out‑of‑memory crash by sending a single crafted frame, resulting in denial of service. This weakness is a classic data amplification flaw (CWE-409).

Affected Systems

elixir‑grpc’s grpc library, versions from 0.4.0 up to but excluding 1.0.0. This includes all builds that register GRPC.Compressor.Gzip as the default gzip implementation, affecting any BEAM node that accepts remote gRPC frames with the grpc‑encoding: gzip header.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity, while the EPSS score of <1% shows a very low exploitation probability in the current landscape. The vulnerability is not listed in the CISA KEV catalog. Attackers need only an unauthenticated connection to send a gzip‑encoded frame, and the absence of a decompressed‑size limit means the exploit does not require any privileged access; a single crafted request will exhaust the node’s heap and trigger an OOM kill.

Generated by OpenCVE AI on June 17, 2026 at 22:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to elixir‑grpc grpc v1.0.0 or later to apply the decompression size limit fix.
  • If upgrading is not immediately possible, disable gzip compression on the server or reject any frames with grpc‑encoding: gzip header.
  • Configure the BEAM node with stricter memory limits and enable OOM guard to mitigate potential out‑of‑memory crashes.

Generated by OpenCVE AI on June 17, 2026 at 22:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Description Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-grpc grpc (GRPC.Compressor.Gzip, GRPC.Message modules) allows a denial of service via a gzip decompression bomb. This vulnerability is associated with program files lib/grpc/compressor/gzip.ex, lib/grpc/message.ex and program routines 'Elixir.GRPC.Compressor.Gzip':decompress/1, 'Elixir.GRPC.Message':from_data/2. 'Elixir.GRPC.Compressor.Gzip':decompress/1 calls :zlib.gunzip/1 directly on attacker-controlled bytes with no decompressed-size limit, ratio check, or incremental decoding. Because this module is the registered gzip GRPC.Compressor implementation, it is invoked automatically whenever an incoming gRPC frame carries the grpc-encoding: gzip header. :zlib.gunzip/1 allocates the entire decompressed result as a single binary, so a small highly compressible payload (for example a few kilobytes of zeros, which gzip compresses at roughly 1000:1) expands to multiple gigabytes inside a single call. The max_receive_message_length limit is enforced only against the already-decompressed message, so it provides no protection. An unauthenticated remote peer can send a single crafted frame to exhaust the BEAM node's heap and trigger an out-of-memory kill. This issue affects grpc: from 0.4.0 before 1.0.0.
Title grpc gzip decompression bomb in GRPC.Compressor.Gzip.decompress/1
First Time appeared Elixir-grpc
Elixir-grpc grpc
Weaknesses CWE-409
CPEs cpe:2.3:a:elixir-grpc:grpc:*:*:*:*:*:*:*:*
Vendors & Products Elixir-grpc
Elixir-grpc grpc
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Elixir-grpc Grpc
cve-icon MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-06-17T04:46:39.180Z

Reserved: 2026-06-09T11:01:47.529Z

Link: CVE-2026-53430

cve-icon Vulnrichment

Updated: 2026-06-16T14:43:02.798Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T23:16:46.363

Modified: 2026-06-16T15:35:16.600

Link: CVE-2026-53430

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T23:00:14Z

Weaknesses
  • CWE-409

    Improper Handling of Highly Compressed Data (Data Amplification)