CVE-2026-53430: grpc gzip decompression bomb in GRPC.Compressor.Gzip.decompress/1
Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-grpc grpc (GRPC.Compressor.Gzip, GRPC.Message modules) allows a denial of service via a gzip decompression bomb. This vulnerability is associated with program files lib/grpc/compressor/gzip.ex, lib/grpc/message.ex and program routines 'Elixir.GRPC.Compressor.Gzip':decompress/1, 'Elixir.GRPC.Message':from_data/2. 'Elixir.GRPC.Compressor.Gzip':decompress/1 calls :zlib.gunzip/1 directly on attacker-controlled bytes with no decompressed-size limit, ratio check, or incremental decoding. Because this module is the registered gzip GRPC.Compressor implementation, it is invoked automatically whenever an incoming gRPC frame carries the grpc-encoding: gzip header. :zlib.gunzip/1 allocates the entire decompressed result as a single binary, so a small highly compressible payload (for example a few kilobytes of zeros, which gzip compresses at roughly 1000:1) expands to multiple gigabytes inside a single call. The max_receive_message_length limit is enforced only against the already-decompressed message, so it provides no protection. An unauthenticated remote peer can send a single crafted frame to exhaust the BEAM node's heap and trigger an out-of-memory kill. This issue affects grpc: from 0.4.0 before 1.0.0.
Metrics
- CVSS v4.0: 8.7
- Severity: HIGH
- Fixed in: 1.0.0
- Affected Products: 2
HarborGuard Analysis
Synopsis
A decompression bomb vulnerability (improper handling of highly compressed data) affects the elixir-grpc library, specifically the GRPC.Compressor.Gzip.decompress/1 and GRPC.Message.from_data/2 routines. The flaw is reachable over the network with no authentication required: any remote peer sending a gRPC frame with a grpc-encoding: gzip header triggers automatic decompression with no size limit, ratio check, or incremental decoding guard. A single crafted payload of a few kilobytes can expand to multiple gigabytes on the BEAM heap, exhausting memory and killing the node, resulting in a complete denial of service. A patched-image rebuild at version 1.0.0 is available on HarborGuard for environments running an affected version.
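The CVE description and the synopsis above both come down to the same defect: decompression is done in one `:zlib.gunzip/1` call, so any message-size limit can only be checked after the whole result already sits on the heap. The following is an added example, not code from elixir-grpc and not its 1.0.0 fix; it places the unbounded pattern the advisory describes beside a hypothetical bounded decoder that inflates incrementally with `:zlib.safeInflate/2` and aborts as soon as the running output exceeds a caller-supplied `max_bytes`. The module names `UnboundedGzip` and `BoundedGzip`, the `max_bytes` parameter and the demonstration input are all assumptions.

```elixir
# Added example (not elixir-grpc's own code or its 1.0.0 fix): the unbounded
# pattern the advisory describes beside a bounded, incremental alternative.

defmodule UnboundedGzip do
  # The pattern described in the advisory: the entire decompressed result is
  # materialised as a single binary before any size limit can be applied.
  def decompress(data), do: :zlib.gunzip(data)
end

defmodule BoundedGzip do
  # Hypothetical hardened decompressor. It inflates in bounded chunks with
  # :zlib.safeInflate/2 and stops as soon as the accumulated output exceeds
  # `max_bytes`, so the cap is enforced during decompression rather than on
  # the already-expanded message.

  # windowBits 31 = 15 (largest window) + 16 (expect gzip framing)
  @gzip_window_bits 31

  @spec decompress(binary(), pos_integer()) ::
          {:ok, binary()} | {:error, :too_large | :data_error}
  def decompress(data, max_bytes) when is_binary(data) and max_bytes > 0 do
    z = :zlib.open()
    :ok = :zlib.inflateInit(z, @gzip_window_bits)

    try do
      inflate_loop(z, :zlib.safeInflate(z, data), [], 0, max_bytes)
    rescue
      # truncated or corrupt gzip stream raised by :zlib
      ErlangError -> {:error, :data_error}
    after
      :zlib.close(z)
    end
  end

  defp inflate_loop(z, {status, chunk}, acc, size, max_bytes) do
    size = size + IO.iodata_length(chunk)

    cond do
      # Reject before accumulating further: at most one bounded chunk beyond
      # the limit ever exists in memory.
      size > max_bytes ->
        {:error, :too_large}

      status == :finished ->
        {:ok, IO.iodata_to_binary([acc, chunk])}

      # :continue -> request the next bounded chunk; no new input is needed.
      true ->
        inflate_loop(z, :zlib.safeInflate(z, <<>>), [acc, chunk], size, max_bytes)
    end
  end
end

# Constructed demonstration input: 8 MiB of zeros gzips to a few kilobytes.
bomb = :zlib.gzip(:binary.copy(<<0>>, 8 * 1024 * 1024))
IO.puts("compressed frame: #{byte_size(bomb)} bytes")

# The bounded decoder gives up long before 8 MiB is allocated ...
{:error, :too_large} = BoundedGzip.decompress(bomb, 1024 * 1024)

# ... while an ordinary small payload still round-trips.
{:ok, "hello"} = BoundedGzip.decompress(:zlib.gzip("hello"), 1024 * 1024)
IO.puts("bounded decompression behaves as expected")
```

The natural value for `max_bytes` is the same limit the application already configures for received messages, so that it bounds the decompressed size while inflating instead of only after the fact. A decoder that also tracks `byte_size(data)` can add the ratio check the advisory mentions alongside the absolute cap.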
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built Elixir application images that bundle the elixir-grpc library. Any image whose dependency graph includes elixir-grpc from version 0.4.0 up to, but not including, 1.0.0 is flagged automatically.
HarborGuard scores this CVE at CVSS v4.0 8.7 (HIGH) and weights it further against each environment's compliance policy, escalating findings where gRPC-exposed workloads carry elevated blast-radius designations. Triage alerts are routed to the team inbox configured for the affected workload, reducing noise for teams whose images are not in scope.
A patched-image rebuild pinned to elixir-grpc 1.0.0 (commit 1afbab9d57d2a3e16ca9c62ffa4923338ea96cfc) becomes available on HarborGuard as soon as an affected image is identified. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs the configured regression suite, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled.
Exploit Conditions
- Network reachability: Required
The attacker must reach the gRPC service over the network; any internet-exposed or internally reachable gRPC endpoint is in scope.
- Authentication: Not required
No credentials or session token are needed; an unauthenticated remote peer can send the crafted frame directly.
- Victim interaction: Not required
No user action is required; the vulnerable decompression path is triggered automatically by the grpc-encoding: gzip header on any incoming frame.
- Attack complexity: Low
Exploitation is reliable and condition-free; the attacker only needs to send a single small gzip-compressed frame, with no race condition or environmental dependency.
Blast Radius
- Crashes the target BEAM node by exhausting its heap memory with a single malformed gRPC frame.
- Brings down all gRPC services co-hosted on the same BEAM node, not just the targeted endpoint.
- Causes sustained unavailability until the node is restarted, with no self-recovery path once OOM kill occurs.
- Requires no prior access, making repeated denial-of-service attempts trivially automatable by any network-reachable client.
How HarborGuard Handles This
Available on HarborGuard: detection fires within minutes of publication, matching any image that bundles elixir-grpc 0.4.0 through versions before 1.0.0. Because this is a network-reachable, zero-authentication denial-of-service with a CVSS v4.0 score of 8.7, it is prioritized for immediate triage routing. A rebuild against elixir-grpc 1.0.0 is available for affected images; for customers who opt into auto-remediation, HarborGuard performs the rebuild, executes the configured regression suite, and opens a PR against affected workloads, with a median time to merged patch PR of around 90 minutes for high-severity issues. For teams that cannot immediately upgrade, compensating controls include applying network policy to restrict which clients can reach gRPC ports, enforcing egress filtering to limit lateral exposure if a node is killed, and disabling gzip encoding negotiation at the load balancer or proxy layer if the application supports it. HarborGuard re-checks the advisory on every ingest cycle and will surface the patched rebuild the moment it is available in affected environments.
Affected Products
- elixir-grpc / grpc: < 1.0.0 (from 0.4.0)
- elixir-grpc / grpc: < 1afbab9d57d2a3e16ca9c62ffa4923338ea96cfc (from beae6800fc8baf126f3fe7107d86a50e105275ba)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N