8.7 / 10 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Description
Allocation of Resources Without Limits or Throttling vulnerability in elixir-grpc grpc allows unauthenticated attackers to exhaust the BEAM's memory and crash the server by streaming a large or slow-trickle unary request body.
'Elixir.GRPC.Server.Adapters.Cowboy.Handler':read_full_body/3 (lib/grpc/server/adapters/cowboy/handler.ex) accumulates every received chunk into a single growing binary with no size cap. Additionally, when the client omits the grpc-timeout header, the per-chunk read timeout resolves to :infinity, allowing a slow-trickle client to keep the connection alive indefinitely while memory grows. A single connection is sufficient to exhaust server memory and crash the node.
This issue affects grpc from 0.3.1 before 1.0.0.
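The two missing controls the description names, a cap on the accumulated body and a finite wait for a slow client, can be enforced in the read loop itself. The module below is an added example written for this page, not code from elixir-grpc or from the fixed release; it assumes Cowboy 2.x's `:cowboy_req.read_body/2` (which returns `{:ok, data, req}` for the final chunk and `{:more, data, req}` otherwise, including when `period` elapses with little or no data) and the constant names, option keys (`:max_bytes`, `:deadline_ms`) and default values are assumptions chosen for illustration.

```elixir
defmodule BoundedBodyReader do
  @moduledoc """
  Added example (not elixir-grpc code): reads a Cowboy request body chunk by chunk
  while enforcing (1) a hard cap on accumulated bytes and (2) a total deadline for
  the whole body, so neither a large body nor a slow-trickle client can grow
  memory without bound. Assumes Cowboy 2.x's :cowboy_req.read_body/2.
  """

  # Assumed defaults; size the cap to the largest legitimate unary message.
  @default_max_bytes 4 * 1024 * 1024
  @default_deadline_ms 10_000
  @chunk_period_ms 1_000

  @type result ::
          {:ok, binary(), :cowboy_req.req()}
          | {:error, :body_too_large | :body_timeout, :cowboy_req.req()}

  @spec read_full_body(:cowboy_req.req(), keyword()) :: result
  def read_full_body(req, opts \\ []) do
    max_bytes = Keyword.get(opts, :max_bytes, @default_max_bytes)
    # Honour a client-supplied deadline if the caller parsed one (e.g. from
    # grpc-timeout), but never let the wait become :infinity.
    deadline_ms = opts |> Keyword.get(:deadline_ms) |> finite_deadline()
    deadline = System.monotonic_time(:millisecond) + deadline_ms
    do_read(req, [], 0, max_bytes, deadline)
  end

  defp do_read(req, acc, size, max_bytes, deadline) do
    remaining_ms = deadline - System.monotonic_time(:millisecond)

    if remaining_ms <= 0 do
      # Slow-trickle client: the body did not complete within the deadline.
      {:error, :body_timeout, req}
    else
      # Ask for at most one byte over the remaining budget, so an oversize body is
      # detected on the very next chunk instead of being buffered first.
      read_opts = %{
        length: max_bytes - size + 1,
        period: min(@chunk_period_ms, remaining_ms)
      }

      {status, data, req} = :cowboy_req.read_body(req, read_opts)
      size = size + byte_size(data)

      cond do
        size > max_bytes -> {:error, :body_too_large, req}
        # Chunks are kept as iodata and joined once, only after the cap held.
        status == :ok -> {:ok, IO.iodata_to_binary(Enum.reverse([data | acc])), req}
        true -> do_read(req, [data | acc], size, max_bytes, deadline)
      end
    end
  end

  # nil or :infinity would reintroduce the unbounded wait; clamp to the default.
  defp finite_deadline(ms) when is_integer(ms) and ms > 0, do: ms
  defp finite_deadline(_), do: @default_deadline_ms
end
```

A handler that gets `{:error, :body_too_large, req}` or `{:error, :body_timeout, req}` should reply with the appropriate gRPC status (RESOURCE_EXHAUSTED or DEADLINE_EXCEEDED) and close the stream rather than retry; on the detection side, a rise in either error count per connection is a useful signal that a client is probing these limits.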
AI Analysis
Unauthenticated attackers can exhaust server memory and crash the node by streaming large or slow-trickle unary request bodies, because elixir-grpc/grpc accumulates the request body without any size or time bound.
Basic Information
ID
CVE-2026-48854
Source
EEF
Published
Jun 15, 2026 at 21:55
Affected Product
Vendor
elixir-grpc
Product
grpc
Version
0.3.1
Affected Versions
elixir-grpc grpc 0.3.1
elixir-grpc grpc d1abe70a6cad6dac4a3f8235d883d7c896989560
CWE Classification
AI Assessment
AI Score
8.7 / 10
AI Severity
High