<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Elixir-Protobuf - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/elixir-protobuf/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 15 Jul 2026 17:45:25 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/elixir-protobuf/feed.xml" rel="self" type="application/rss+xml"/><item><title>Unbounded Recursion Depth in Elixir Protobuf Decoder Causes Denial of Service</title><link>https://feed.craftedsignal.io/briefs/2026-07-protobuf-unbounded-recursion-dos/</link><pubDate>Wed, 15 Jul 2026 17:45:25 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-protobuf-unbounded-recursion-dos/</guid><description>An unauthenticated attacker can trigger a denial-of-service condition in services that decode untrusted protobuf messages using the `Protobuf.Decoder` (Hex package `protobuf`) versions between 0.8.0 and 0.16.1 by crafting deeply nested self-referential message types, leading to memory exhaustion and service crashes.</description><content:encoded><![CDATA[<p>CVE-2026-54451 describes a high-severity vulnerability involving unbounded recursion depth in the <code>Protobuf.Decoder</code> component of the Elixir <code>protobuf</code> Hex package, affecting versions <code>&gt;= 0.8.0</code> and <code>&lt; 0.16.1</code>. An unauthenticated attacker can exploit this flaw to launch a denial-of-service attack against any Elixir service that decodes untrusted Protobuf messages, particularly those with self-referential or cyclic message types in their schema. By sending a small, specially crafted Protobuf message (a few KB to MB) containing deeply nested fields, the attacker forces the BEAM runtime to recurse millions of times without a depth limit. This leads to severe memory exhaustion, excessive CPU consumption, and scheduler pinning, effectively rendering the victim service unresponsive or causing it to crash. The lack of a recursion-depth counter, unlike reference Protobuf implementations, makes the <code>protobuf</code> library vulnerable to request-amplification DoS attacks.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies an Elixir service that utilizes the vulnerable <code>protobuf</code> Hex package (versions between 0.8.0 and 0.16.1) to decode untrusted Protobuf input.</li>
<li>The attacker determines or defines a self-referential Protobuf message schema (e.g., <code>message Tree { Tree child = 1; }</code>) that the target application is configured to decode.</li>
<li>The attacker crafts a malicious Protobuf message in wire format, recursively nesting the self-referential field hundreds of thousands to millions of times.</li>
<li>The crafted message is optimized to be small in overall size (e.g., a few KB to a few MB) to maximize recursion depth while minimizing bandwidth consumption for the attacker.</li>
<li>The attacker sends the malicious message via an HTTP POST request with <code>Content-Type: application/x-protobuf</code> to an endpoint that processes and calls <code>Tree.decode/1</code> on the input.</li>
<li>The vulnerable <code>Protobuf.Decoder.value_for_field/3</code> function is invoked and recursively calls <code>decode</code> for each nested level without enforcing any depth limit.</li>
<li>Each recursive call consumes a new stack frame and allocates heap memory, leading to rapid exhaustion of process memory and significant CPU load on the BEAM runtime.</li>
<li>The victim service experiences a denial of service, becoming unresponsive or crashing, particularly if multiple concurrent requests are processed.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This vulnerability (CVE-2026-54451) allows an unauthenticated, network-reachable attacker to perform a request-amplification denial-of-service against any Elixir service that decodes untrusted Protobuf messages containing self-referential or cyclic types. A single small, maliciously crafted request can consume seconds of CPU time and hundreds of megabytes of memory on the victim server. Just a few concurrent requests can lead to complete service unavailability or node crashes, severely impacting the reliability and accessibility of affected applications.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-54451 immediately by updating the <code>protobuf</code> Hex package to version <code>0.16.1</code> or higher to ensure the recursion depth limit is enforced.</li>
<li>Review webserver access logs and HTTP proxy logs for POST requests containing <code>Content-Type: application/x-protobuf</code> with unusually large <code>Content-Length</code> headers, which may indicate attempted exploitation.</li>
<li>Implement robust application-level logging to capture <code>Protobuf.DecodeError</code> exceptions, as these indicate attempts to trigger or successful exploitation of recursion limits.</li>
<li>Monitor Elixir BEAM node resources, specifically CPU utilization, memory consumption, and process stack depth, for sudden spikes or sustained high usage that could indicate a denial-of-service attack.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>denial-of-service</category><category>vulnerability</category><category>elixir</category><category>protobuf</category></item></channel></rss>