Elixir GRPC pre-1.0.0: Unbounded Memory Allocation via Streaming RPCs
CVE-2026-48854 Published on June 15, 2026
Unbounded request body accumulation causes memory exhaustion in elixir-grpc/grpc
Allocation of Resources Without Limits or Throttling vulnerability in elixir-grpc grpc allows unauthenticated attackers to exhaust the BEAM's memory and crash the server by streaming a large or slow-trickle unary request body.
'Elixir.GRPC.Server.Adapters.Cowboy.Handler':read_full_body/3 (lib/grpc/server/adapters/cowboy/handler.ex) accumulates every received chunk into a single growing binary with no size cap. Additionally, when the client omits the grpc-timeout header, the per-chunk read timeout resolves to :infinity, allowing a slow-trickle client to keep the connection alive indefinitely while memory grows. A single connection is sufficient to exhaust server memory and crash the node.
This issue affects grpc from 0.3.1 before 1.0.0.
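The two conditions described above (no cap on the accumulated body, and a per-chunk timeout of :infinity) can be closed by a read loop that enforces a byte limit and a single deadline for the whole body. The following is an added example, not elixir-grpc's code or its 1.0.0 fix; BoundedBody, max_bytes, deadline_ms and the read_chunk callback are assumptions made for illustration, and the chunk data is constructed.

```elixir
# Added illustration, not elixir-grpc code. All names are hypothetical;
# read_chunk.(state, timeout_ms) stands in for the adapter's per-chunk body read.
defmodule BoundedBody do
  def read(read_chunk, state, max_bytes, deadline_ms) do
    # One deadline for the whole body, so a missing grpc-timeout header
    # cannot turn into an :infinity wait per chunk.
    deadline = System.monotonic_time(:millisecond) + deadline_ms
    loop(read_chunk, state, [], 0, max_bytes, deadline)
  end

  defp loop(read_chunk, state, acc, size, max_bytes, deadline) do
    remaining = deadline - System.monotonic_time(:millisecond)
    if remaining <= 0 do
      {:error, :deadline_exceeded}
    else
      case read_chunk.(state, remaining) do
        {tag, data, next} when tag in [:ok, :more] ->
          new_size = size + byte_size(data)
          cond do
            # Reject before keeping the chunk: accumulated data never exceeds max_bytes.
            new_size > max_bytes -> {:error, :body_too_large}
            tag == :ok -> {:ok, IO.iodata_to_binary(Enum.reverse([data | acc]))}
            true -> loop(read_chunk, next, [data | acc], new_size, max_bytes, deadline)
          end
        {:error, reason} ->
          {:error, reason}
      end
    end
  end
end

# Constructed input: eight 1 KiB chunks replayed by a fake reader.
chunks = List.duplicate(:binary.copy("A", 1024), 8)
fake_reader = fn
  [last], _timeout -> {:ok, last, []}
  [chunk | rest], _timeout -> {:more, chunk, rest}
end

# Same chunks, but each one arrives 20 ms apart (a slow sender).
slow_reader = fn state, timeout ->
  Process.sleep(20)
  fake_reader.(state, timeout)
end

{:ok, body} = BoundedBody.read(fake_reader, chunks, 16_384, 5_000)
IO.inspect(byte_size(body), label: "within cap, bytes read")
IO.inspect(BoundedBody.read(fake_reader, chunks, 4_096, 5_000), label: "over cap")
IO.inspect(BoundedBody.read(slow_reader, chunks, 16_384, 50), label: "slow sender")
```

In a real handler the remaining time passed to read_chunk would be used as the timeout of the underlying read, so a sender that stalls mid-chunk is cut off as well.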
Weakness Type
Allocation of Resources Without Limits or Throttling
The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.
Products Associated with CVE-2026-48854
Affected Versions
elixir-grpc grpc:
- Version 0.3.1 and below 1.0.0 is affected.
- Version d1abe70a6cad6dac4a3f8235d883d7c896989560 and below 49e18c3ec6bb9afe2f712caad3dbab5c56a68a00 is affected.