CVE-2026-48853
Remote code execution and denial of service via unsafe Erlang term deserialization in elixir-grpc/grpc
Vulnerability description
Deserialization of Untrusted Data and Allocation of Resources Without Limits or Throttling vulnerabilities in elixir-grpc grpc allow unauthenticated attackers to crash the BEAM node via atom table exhaustion and, when a decoded term flows into a call site that invokes it, achieve remote code execution on the server.
'Elixir.GRPC.Codec.Erlpack':decode/2 (lib/grpc/codec/erlpack.ex) calls :erlang.binary_to_term/1 on the raw gRPC message body without the :safe option, no size bound, and no type guard. Any unauthenticated peer that sends a request with Content-Type: application/grpc+erlpack can send a crafted payload that mints arbitrary new atoms (which are never garbage-collected, exhausting the bounded atom table and crashing the VM) or that encodes a fun term which, if applied anywhere downstream, executes attacker-controlled code inside the server process.
This issue affects grpc from 0.4.0 before 1.0.0.
Affected
pkg:hex/grpc
| Module | Source File | Routine |
|---|---|---|
GRPC.Codec.Erlpack
|
lib/grpc/codec/erlpack.ex
|
GRPC.Codec.Erlpack.decode/2
|
pkg:github/elixir-grpc/grpc
| Module | Source File | Routine |
|---|---|---|
GRPC.Codec.Erlpack
|
lib/grpc/codec/erlpack.ex
|
GRPC.Codec.Erlpack.decode/2
|
| Status | Type | Version | Changes / Fixed in |
|---|---|---|---|
| affected | git ⓘ | 25bcc569fe
|
< 272a97a5ea
|
Configurations
GRPC.Codec.Erlpack must be explicitly registered as a codec on the gRPC server.
References
- https://github.com/elixir-grpc/grpc/security/advisories/GHSA-grp7-v8xh-rj7h vendor-advisory related
- https://osv.dev/vulnerability/EEF-CVE-2026-48853 related
- https://github.com/elixir-grpc/grpc/commit/272a97a5ea1b46af1819f14a831fcf35fc91f992 patch
Credits
- Finder: Peter Ullrich
- Remediation developer: Paulo Valente
- Analyst: Jonatan Männchen
CVE record as JSON:
GET /cves/CVE-2026-48853.json
OSV record as JSON:
GET /osv/EEF-CVE-2026-48853.json