CVE-2026-53430
Deferred Deferred - Pending Action

Denial of Service via Data Amplification in Elixir gRPC

Vulnerability report for CVE-2026-53430, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-15

Last updated on: 2026-06-16

Assigner: EEF

Description

Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-grpc grpc (GRPC.Compressor.Gzip, GRPC.Message modules) allows a denial of service via a gzip decompression bomb. This vulnerability is associated with program files lib/grpc/compressor/gzip.ex, lib/grpc/message.ex and program routines 'Elixir.GRPC.Compressor.Gzip':decompress/1, 'Elixir.GRPC.Message':from_data/2. 'Elixir.GRPC.Compressor.Gzip':decompress/1 calls :zlib.gunzip/1 directly on attacker-controlled bytes with no decompressed-size limit, ratio check, or incremental decoding. Because this module is the registered gzip GRPC.Compressor implementation, it is invoked automatically whenever an incoming gRPC frame carries the grpc-encoding: gzip header. :zlib.gunzip/1 allocates the entire decompressed result as a single binary, so a small highly compressible payload (for example a few kilobytes of zeros, which gzip compresses at roughly 1000:1) expands to multiple gigabytes inside a single call. The max_receive_message_length limit is enforced only against the already-decompressed message, so it provides no protection. An unauthenticated remote peer can send a single crafted frame to exhaust the BEAM node's heap and trigger an out-of-memory kill. This issue affects grpc: from 0.4.0 before 1.0.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-15
Last Modified
2026-06-16
Generated
2026-07-06
AI Q&A
2026-06-16
EPSS Evaluated
2026-07-04
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
elixir grpc From 0.4.0 (inc) to 1.0.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-409 The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is an improper handling of highly compressed data (data amplification) in the elixir-grpc grpc library, specifically in the GRPC.Compressor.Gzip and GRPC.Message modules. It allows a denial of service attack via a gzip decompression bomb.

The issue arises because the decompress/1 function calls :zlib.gunzip/1 directly on attacker-controlled compressed data without any limit on decompressed size, ratio checks, or incremental decoding. This means a small compressed payload can expand to multiple gigabytes in memory.

Since the max_receive_message_length limit is only checked after decompression, it does not prevent this attack. An unauthenticated remote attacker can send a single crafted frame with the grpc-encoding: gzip header to exhaust the server's memory and cause an out-of-memory crash.

Impact Analysis

This vulnerability can lead to a denial of service (DoS) condition by exhausting the memory of the BEAM node running the elixir-grpc grpc service.

An attacker can send a specially crafted compressed message that decompresses into a very large payload, causing the server to allocate excessive memory and potentially crash or become unresponsive.

Because the attack requires no authentication, it can be triggered remotely by any unauthenticated user, making systems using affected versions vulnerable to disruption.

Compliance Impact

The provided information does not include any details about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability involves an unauthenticated remote attacker sending a single crafted gRPC frame with the grpc-encoding: gzip header containing a highly compressed payload that decompresses to a very large size, causing denial of service by exhausting memory.

Detection can focus on monitoring incoming gRPC traffic for unusually small gzip-compressed payloads that decompress to very large sizes or cause resource exhaustion.

Specific commands are not provided in the resources, but general approaches include:

  • Using network packet capture tools (e.g., tcpdump, Wireshark) to filter for gRPC traffic with grpc-encoding: gzip headers.
  • Monitoring system logs and metrics for out-of-memory (OOM) events or BEAM node crashes.
  • Implementing application-level logging to detect decompression failures or resource exhaustion errors related to gzip decompression.
Mitigation Strategies

The vulnerability was fixed by implementing decompression size limits in the GRPC.Compressor.Gzip module.

Immediate mitigation steps include:

  • Upgrade the elixir-grpc library to version 1.0.0 or later, where the vulnerability is patched.
  • Apply the patch that enforces a maximum decompressed message size (default 4 MB) and processes input in chunks to detect decompression bombs early.
  • Configure the maximum decompressed message size according to your environment to limit resource usage.
  • Monitor your system for unusual memory usage or crashes until the patch is applied.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53430. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart