
8 matches found

OSV · added 2026/06/15 9:55 p.m. · 7 views

EEF-CVE-2026-53430 grpc gzip decompression bomb in GRPC.Compressor.Gzip.decompress/1

Summary: Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in the elixir-grpc grpc GRPC.Compressor.Gzip and GRPC.Message modules allows a denial of service via a gzip decompression bomb. This vulnerability is associated with program files lib/grpc/compressor/gzip.ex, ...

CVSS 8.7 · AI score 5.5 · EPSS 0.00348 · Exploits 0 · References 3
CVE · added 2026/06/15 9:55 p.m. · 11 views

CVE-2026-48854

CVE-2026-48854 affects the elixir-grpc/grpc project. The vulnerability resides in Elixir.GRPC.Server.Adapters.Cowboy.Handler:read_full_body/3, which accumulates every received chunk into a growing binary with no size cap. If the grpc-timeout header is omitted, per-chunk read timeouts resolve ...

CVSS 8.7 · AI score 5.4 · EPSS 0.00344 · Exploits 0 · References 4
NVD · added 2026/04/28 3:16 p.m. · 5 views

CVE-2026-40969

The raw message of every server-side AuthenticationException is returned to the unauthenticated remote caller in the gRPC status description. This allows an attacker to obtain information about the authentication failure, which may be useful for further attacks. Affected versions: Spring gRPC:...

CVSS 5.3 · EPSS 0.002 · Exploits 0 · References 1
AlpineLinux · added 2024/08/06 11:16 a.m. · 19 views

CVE-2024-7246

It's possible for a gRPC client communicating with an HTTP/2 proxy to poison the HPACK table between the proxy and the backend such that other clients see failed requests. It's also possible to use this vulnerability to leak other clients' HTTP header keys, but not values. This occurs because the...

CVSS 6.3 · AI score 7.2 · EPSS 0.00224 · Exploits 1 · References 1
Positive Technologies · added 2023/09/13 12:00 a.m. · 9 views

PT-2023-30643

Name of the Vulnerable Software and Affected Versions: gRPC versions 1.23 and later. Description: The issue is related to a lack of error handling in the TCP server in Google's gRPC, which allows an attacker to cause a denial of service by initiating a significant number of connections with the...

CVSS 7.5 · AI score 7.1 · EPSS 0.99999 · Exploits 19 · References 44
OSV · added 2023/05/25 11:15 p.m. · 7 views

AZL-34782 CVE-2023-32067 affecting package grpc for versions less than 1.62.0-2

c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns it to the target resolver. The target resolver erroneously interprets the 0 length as a graceful...

CVSS 7.5 · AI score 6.6 · EPSS 0.01577 · Exploits 0 · References 1
OSV · added 2023/05/25 10:15 p.m. · 9 views

AZL-34776 CVE-2023-31147 affecting package grpc for versions less than 1.62.0-2

c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom are unavailable, c-ares uses rand to generate the random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand, so it will generate predictable output. Input from the random number generator i...

CVSS 6.5 · AI score 6.7 · EPSS 0.00905 · Exploits 0 · References 1
Positive Technologies · added 2020/11/11 12:00 a.m. · 4 views

PT-2020-19780 · Grpc · Grpc +1

Name of the Vulnerable Software and Affected Versions: grpc versions prior to 1.24.4; @grpc/grpc-js versions prior to 1.1.8. Description: The issue concerns Prototype Pollution via loadPackageDefinition. This affects the grpc and @grpc/grpc-js packages. Recommendations: For grpc versions prior to...

CVSS 9.8 · AI score 8.4 · EPSS 0.03554 · Exploits 0 · References 12