gRPC-Go HTTP/2 Rapid Reset vulnerability

Impact

In affected releases of gRPC-Go, it is possible for an attacker to send HTTP/2 requests, cancel them, and send subsequent requests, which is valid by the HTTP/2 protocol, but would cause the gRPC-Go server to launch more concurrent method handlers than the configured maximum stream limit.

Patches

This vulnerability was addressed by #6703 and has been included in patch releases: 1.56.3, 1.57.1, 1.58.3. It is also included in the latest release, 1.59.0.

Along with applying the patch, users should also ensure they are using the grpc.MaxConcurrentStreams server option to apply a limit to the server's resources used for any single connection.

Workarounds

None.

References

#6703

Published: Oct 25, 2023
Updated: Oct 26, 2023
GHSA: GHSA-m425-mq94-257g
Severity: High
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
google.golang.org/grpc	-	1.56.3
google.golang.org/grpc	1.57.0	1.57.1
google.golang.org/grpc	1.58.0	1.58.3

Vulnerability Database

289,571

gRPC-Go HTTP/2 Rapid Reset vulnerability

Impact

Patches

Workarounds

References