
CVE-2024-37168
Good to know:


Date: June 10, 2024
@grpc/grpc-js implements the core functionality of gRPC purely in JavaScript, without a C++ addon. Prior to versions 1.10.9, 1.9.15, and 1.8.22, there are two separate code paths in which memory can be allocated per message in excess of the "grpc.max_receive_message_length" channel option: (1) if an incoming message has a size on the wire greater than the configured limit, the entire message is buffered before it is discarded; and/or (2) if an incoming message has a size within the limit on the wire but decompresses to a size greater than the limit, the entire message is decompressed into memory, and on the server is not discarded. This has been patched in versions 1.10.9, 1.9.15, and 1.8.22.
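The two checks that the description says were missing, sketched as an added example (this is not grpc-js code or its patch): reject on the frame prefix before buffering, and cap the decompressed size. The function names, the 4096-byte limit and the sample frames are constructed for illustration; the frame layout is the standard gRPC length-prefixed message, and gzip is assumed as the message encoding.

```javascript
// Added illustration; not grpc-js source. All function names are hypothetical.
const zlib = require('zlib');

const HEADER_BYTES = 5; // gRPC frame prefix: 1-byte compressed flag + 4-byte big-endian length

// Path 1: decide from the prefix alone, as soon as 5 bytes arrive, so an
// oversized payload is never buffered.
function checkFrameHeader(header, maxReceiveLength) {
  if (header.length < HEADER_BYTES) throw new RangeError('incomplete frame header');
  const wireLength = header.readUInt32BE(1);
  return { compressed: header.readUInt8(0) === 1, wireLength, accept: wireLength <= maxReceiveLength };
}

// Path 2: cap the inflated size. zlib's maxOutputLength aborts decompression
// once output passes the limit instead of materialising the whole message.
function boundedGunzip(payload, maxReceiveLength) {
  try {
    return { ok: true, message: zlib.gunzipSync(payload, { maxOutputLength: maxReceiveLength }) };
  } catch (err) {
    if (err.code === 'ERR_BUFFER_TOO_LARGE') {
      return { ok: false, reason: 'decompressed size exceeds limit' };
    }
    throw err; // a corrupt stream is a different failure
  }
}

// Whole-frame wrapper so the example runs offline; a real receiver would call
// checkFrameHeader on the stream before reading the payload bytes.
function receiveFrame(frame, maxReceiveLength) {
  const head = checkFrameHeader(frame.subarray(0, HEADER_BYTES), maxReceiveLength);
  if (!head.accept) return { ok: false, reason: 'wire size exceeds limit' };
  const payload = frame.subarray(HEADER_BYTES, HEADER_BYTES + head.wireLength);
  if (payload.length !== head.wireLength) return { ok: false, reason: 'truncated frame' };
  return head.compressed ? boundedGunzip(payload, maxReceiveLength) : { ok: true, message: payload };
}

// Builds a constructed sample frame (gzip assumed as the message encoding).
function buildFrame(body, compress) {
  const payload = compress ? zlib.gzipSync(body) : body;
  const header = Buffer.alloc(HEADER_BYTES);
  header.writeUInt8(compress ? 1 : 0, 0);
  header.writeUInt32BE(payload.length, 1);
  return Buffer.concat([header, payload]);
}

const LIMIT = 4096; // constructed limit for the demo
console.log(receiveFrame(buildFrame(Buffer.alloc(LIMIT + 1), false), LIMIT).reason);
console.log(receiveFrame(buildFrame(Buffer.alloc(1 << 20), true), LIMIT).reason);
```

The second sample is the case the wire-size check alone cannot catch: 1 MiB of zeros compresses to well under the limit on the wire and only exceeds it once inflated.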
Language: JS
Severity Score
Weakness Type (CWE)
Memory Allocation with Excessive Size Value
CWE-789

Top Fix

Upgrade Version
Upgrade to @grpc/grpc-js version 1.8.22, 1.9.15, or 1.10.9
CVSS v3.1
Base Score: | |
---|---|
Attack Vector (AV): | NETWORK |
Attack Complexity (AC): | LOW |
Privileges Required (PR): | NONE |
User Interaction (UI): | NONE |
Scope (S): | UNCHANGED |
Confidentiality (C): | NONE |
Integrity (I): | NONE |
Availability (A): | LOW |