CVE-2024-37168
Good to know:
Date: June 10, 2024
@grpc/grpc-js implements the core functionality of gRPC purely in JavaScript, without a C++ addon. Prior to versions 1.10.9, 1.9.15, and 1.8.22, there are two separate code paths in which memory can be allocated per message in excess of the "grpc.max_receive_message_length" channel option: if an incoming message has a size on the wire greater than the configured limit, the entire message is buffered before it is discarded; and/or if an incoming message has a size within the limit on the wire but decompresses to a size greater than the limit, the entire message is decompressed into memory, and on the server it is not discarded. This has been patched in versions 1.10.9, 1.9.15, and 1.8.22.
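The two bounds described above, as an added Node.js sketch that is not the @grpc/grpc-js patch: the declared length is checked when the 5-byte gRPC frame prefix arrives, and decompression runs with a hard output cap. The function names, the choice of gzip, and the sample frames are assumptions made for this illustration.

```javascript
// Added illustration; not code from @grpc/grpc-js.
const zlib = require('node:zlib');

const HEADER_BYTES = 5; // gRPC frame prefix: 1-byte compressed flag + 4-byte big-endian length

// Path 1: reject on the declared length, before any payload is buffered.
function parseFrameHeader(header, maxReceiveLength) {
  if (header.length < HEADER_BYTES) throw new RangeError('incomplete frame header');
  const compressed = header.readUInt8(0) === 1;
  const declaredLength = header.readUInt32BE(1);
  if (declaredLength > maxReceiveLength) {
    throw new RangeError(`declared length ${declaredLength} exceeds limit ${maxReceiveLength}`);
  }
  return { compressed, declaredLength };
}

// Path 2: cap decompressed output so an in-limit payload cannot expand past the limit.
function inflateBounded(payload, maxReceiveLength) {
  try {
    return zlib.gunzipSync(payload, { maxOutputLength: maxReceiveLength });
  } catch (err) {
    if (err.code === 'ERR_BUFFER_TOO_LARGE') {
      throw new RangeError(`decompressed size exceeds limit ${maxReceiveLength}`);
    }
    throw err;
  }
}

// Apply both checks to one complete frame (hypothetical helper).
function receiveMessage(frame, maxReceiveLength) {
  const header = frame.subarray(0, HEADER_BYTES);
  const { compressed, declaredLength } = parseFrameHeader(header, maxReceiveLength);
  const payload = frame.subarray(HEADER_BYTES, HEADER_BYTES + declaredLength);
  if (payload.length !== declaredLength) throw new RangeError('truncated frame');
  return compressed ? inflateBounded(payload, maxReceiveLength) : Buffer.from(payload);
}

// Builds a constructed sample frame for exercising the checks.
function makeFrame(body, compress) {
  const payload = compress ? zlib.gzipSync(body) : body;
  const header = Buffer.alloc(HEADER_BYTES);
  header.writeUInt8(compress ? 1 : 0, 0);
  header.writeUInt32BE(payload.length, 1);
  return Buffer.concat([header, payload]);
}
```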
Language: JS
Severity Score
Weakness Type (CWE)
Memory Allocation with Excessive Size Value
CWE-789
Top Fix
Upgrade Version
Upgrade to version @grpc/grpc-js - 1.9.15; @grpc/grpc-js - 1.8.22; @grpc/grpc-js - 1.10.9
CVSS v3.1
| Base Score: | |
|---|---|
| Attack Vector (AV): | NETWORK |
| Attack Complexity (AC): | LOW |
| Privileges Required (PR): | NONE |
| User Interaction (UI): | NONE |
| Scope (S): | UNCHANGED |
| Confidentiality (C): | NONE |
| Integrity (I): | NONE |
| Availability (A): | LOW |


