Vulnerability Report: GO-2023-2153

GHSA-m425-mq94-257g
Affects: google.golang.org/grpc
Published: Nov 01, 2023
Modified: Dec 14, 2023

An attacker can send HTTP/2 requests, cancel them, and send subsequent requests. This is valid by the HTTP/2 protocol, but would cause the gRPC-Go server to launch more concurrent method handlers than the configured maximum stream limit, grpc.MaxConcurrentStreams. This results in a denial of service due to resource consumption.

Affected Packages

Path

Versions

Symbols
google.golang.org/grpc/internal/transport

before v1.56.3, from v1.57.0 before v1.57.1, from v1.58.0 before v1.58.3
- NewServerTransport
google.golang.org/grpc

before v1.56.3, from v1.57.0 before v1.57.1, from v1.58.0 before v1.58.3
- NewServer
- Server.Serve

Aliases

GHSA-m425-mq94-257g

References

https://github.com/grpc/grpc-go/pull/6703
https://github.com/grpc/grpc-go/commit/f2180b4d5403d2210b30b93098eb7da31c05c721
https://vuln.go.dev/ID/GO-2023-2153.json

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL