Allocation of Resources Without Limits or Throttling vulnerability in elixir-grpc grpc allows unauthenticated attackers to exhaust the BEAM's memory and crash the server by streaming a large or slow-trickle unary request body.
'Elixir.GRPC.Server.Adapters.Cowboy.Handler':read_full_body/3 (lib/grpc/server/adapters/cowboy/handler.ex) accumulates every received chunk into a single growing binary with no size cap. Additionally, when the client omits the grpc-timeout header, the per-chunk read timeout resolves to :infinity, allowing a slow-trickle client to keep the connection alive indefinitely while memory grows. A single connection is sufficient to exhaust server memory and crash the node.
This issue affects grpc from 0.3.1 before 1.0.0.
CVSS
No CVSS.
References
Configurations
No configuration.
History
16 Jun 2026, 15:16
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/elixir-grpc/grpc/security/advisories/GHSA-q8gf-9rvj-gmgj - |
15 Jun 2026, 23:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-06-15 23:16
Updated : 2026-06-17 10:55
NVD link : CVE-2026-48854
Mitre link : CVE-2026-48854
CVE.ORG link : CVE-2026-48854
JSON object : View
Products Affected
No product.
CWE
CWE-770
Allocation of Resources Without Limits or Throttling
