CVE-2026-53430
Severity CVSS v4.0:
HIGH
Type:
Unavailable / Other
Publication date:
15/06/2026
Last modified:
15/06/2026
Description
Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-grpc grpc (GRPC.Compressor.Gzip, GRPC.Message modules) allows a denial of service via a gzip decompression bomb.<br />
<br />
This vulnerability is associated with program files lib/grpc/compressor/gzip.ex, lib/grpc/message.ex and program routines &#39;Elixir.GRPC.Compressor.Gzip&#39;:decompress/1, &#39;Elixir.GRPC.Message&#39;:from_data/2.<br />
<br />
&#39;Elixir.GRPC.Compressor.Gzip&#39;:decompress/1 calls :zlib.gunzip/1 directly on attacker-controlled bytes with no decompressed-size limit, ratio check, or incremental decoding. Because this module is the registered gzip GRPC.Compressor implementation, it is invoked automatically whenever an incoming gRPC frame carries the grpc-encoding: gzip header. :zlib.gunzip/1 allocates the entire decompressed result as a single binary, so a small highly compressible payload (for example a few kilobytes of zeros, which gzip compresses at roughly 1000:1) expands to multiple gigabytes inside a single call. The max_receive_message_length limit is enforced only against the already-decompressed message, so it provides no protection. An unauthenticated remote peer can send a single crafted frame to exhaust the BEAM node&#39;s heap and trigger an out-of-memory kill.<br />
<br />
This issue affects grpc: from 0.4.0 before 1.0.0.
Impact
Base Score 4.0
8.70
Severity 4.0
HIGH