{"affected":[{"package":{"ecosystem":"Hex","name":"grpc","purl":"pkg:hex/grpc"},"ranges":[{"events":[{"introduced":"0.4.0"},{"fixed":"1.0.0"}],"type":"SEMVER"}],"versions":["0.5.0-beta","0.5.0-beta.1","0.5.0","0.6.0","0.7.0","0.8.0","0.8.1","0.9.0","0.10.0","0.10.1","0.10.2","0.11.0","0.11.1","0.11.2","0.11.3","0.11.4","0.11.5","1.0.0-rc.1"]},{"ranges":[{"events":[{"introduced":"25bcc569fe2cc4478531a6c546c923205fc751c9"},{"fixed":"272a97a5ea1b46af1819f14a831fcf35fc91f992"}],"repo":"https://github.com/elixir-grpc/grpc","type":"GIT"}]}],"aliases":["GHSA-grp7-v8xh-rj7h","CVE-2026-48853"],"credits":[{"name":"Peter Ullrich","type":"FINDER"},{"name":"Paulo Valente","type":"REMEDIATION_DEVELOPER"},{"name":"Jonatan Männchen","type":"ANALYST"}],"database_specific":{"capec_ids":["CAPEC-586","CAPEC-231"],"cpe_ids":["cpe:2.3:a:elixir-grpc:grpc:*:*:*:*:*:*:*:*"],"cwe_ids":["CWE-502","CWE-770"]},"details":"## Summary\n\nDeserialization of Untrusted Data and Allocation of Resources Without Limits or Throttling vulnerabilities in elixir-grpc grpc allow unauthenticated attackers to crash the BEAM node via atom table exhaustion and, when a decoded term flows into a call site that invokes it, achieve remote code execution on the server.\n\n'Elixir.GRPC.Codec.Erlpack':decode/2 (lib/grpc/codec/erlpack.ex) calls :erlang.binary\\_to\\_term/1 on the raw gRPC message body without the :safe option, no size bound, and no type guard. Any unauthenticated peer that sends a request with Content-Type: application/grpc+erlpack can send a crafted payload that mints arbitrary new atoms (which are never garbage-collected, exhausting the bounded atom table and crashing the VM) or that encodes a fun term which, if applied anywhere downstream, executes attacker-controlled code inside the server process.\n\nThis issue affects grpc from 0.4.0 before 1.0.0.\n\n## Configuration\n\nGRPC.Codec.Erlpack must be explicitly registered as a codec on the gRPC server.","id":"EEF-CVE-2026-48853","modified":"2026-06-15T21:56:15.262Z","published":"2026-06-15T21:56:15.262Z","references":[{"type":"ADVISORY","url":"https://github.com/elixir-grpc/grpc/security/advisories/GHSA-grp7-v8xh-rj7h"},{"type":"WEB","url":"https://cna.erlef.org/cves/CVE-2026-48853.html"},{"type":"FIX","url":"https://github.com/elixir-grpc/grpc/commit/272a97a5ea1b46af1819f14a831fcf35fc91f992"},{"type":"PACKAGE","url":"https://hex.pm/packages/grpc"}],"related":[],"schema_version":"1.7.3","severity":[{"score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","type":"CVSS_V4"}],"summary":"Remote code execution and denial of service via unsafe Erlang term deserialization in elixir-grpc/grpc","upstream":[]}