CVE-2026-53430

Name of the Vulnerable Software and Affected Versions elixir-grpc versions 0.4.0 through 0.9.x

Description Improper handling of highly compressed data in the GRPC.Compressor.Gzip and GRPC.Message modules allows a denial of service via a gzip decompression bomb. The function decompress/1 in Elixir.GRPC.Compressor.Gzip calls :zlib.gunzip/1 on attacker-controlled bytes without a decompressed-size limit, ratio check, or incremental decoding. This occurs automatically when an incoming gRPC frame contains the grpc-encoding: gzip header. Since :zlib.gunzip/1 allocates the entire decompressed result as a single binary, a small, highly compressible payload can expand to multiple gigabytes, exhausting the BEAM node's heap and triggering an out-of-memory kill. The max receive message length limit is ineffective as it is only enforced after decompression. This can be exploited by an unauthenticated remote peer using the from data/2 function in Elixir.GRPC.Message.

Recommendations Update to version 1.0.0 or later.