In affected releases of gRPC-Go, an attacker can open HTTP/2 streams, cancel them with RST_STREAM, and immediately open more. That sequence is valid under the HTTP/2 protocol, but it causes the gRPC-Go server to launch more concurrent method handlers than the configured maximum stream limit: cancelling a stream frees its slot in the per-connection stream count while the handler the stream started is still running, so repeated open/cancel rounds accumulate handlers well past the limit.
This vulnerability was addressed by #6703 and has been included in patch releases: 1.56.3, 1.57.1, 1.58.3. It is also included in the latest release, 1.59.0.
Along with applying the patch, users should also ensure they are using the grpc.MaxConcurrentStreams server option, which bounds the number of concurrent streams a single connection can hold and therefore the server resources any one connection can consume. The patch enforces the configured limit against running handlers; it does not set a limit on a server that never configured one.
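The accounting difference the advisory describes, as an added example that is not gRPC-Go's own code: a deterministic, goroutine-free simulation of one connection in which the pre-patch server bounds only open streams (a reset frees a slot while the handler keeps running) and the patched server also bounds running handlers and stops reading the connection until one exits. The handler-quota mechanism is modelled on the advisory text, not copied from the fix; `limit` stands in for the value passed to the real `grpc.MaxConcurrentStreams` server option, and the frame sequences are constructed here.

```go
package main

import "fmt"

// Frame is the part of an HTTP/2 frame that matters for this attack:
// HEADERS opens a stream, RST_STREAM cancels it.
type Frame struct {
	StreamID uint32
	Reset    bool // true for RST_STREAM, false for HEADERS
}

// handler is a running method handler; work is counted in ticks so the
// simulation is deterministic (no goroutines, no timers).
type handler struct {
	streamID uint32
	workLeft int
}

// Result summarises one simulated connection.
type Result struct {
	PeakHandlers int // most handlers running at the same time
	Rejected     int // HEADERS refused because the open-stream limit was hit
	Deferred     int // ticks the server stopped reading because no handler quota was free
}

// simulate feeds frames from one connection to a server with a per-connection
// limit. countHandlers=false is the pre-patch accounting: only open streams are
// bounded, and a reset frees a slot even though the handler it spawned is still
// running. countHandlers=true is the patched behaviour (simplified model of the
// fix, an assumption of this example): starting a handler also needs quota that
// is only returned when a handler exits, so the read loop stalls instead of
// spawning past the limit.
func simulate(frames []Frame, limit, handlerWork int, countHandlers bool) Result {
	var res Result
	open := map[uint32]bool{}
	var running []handler
	for i := 0; i < len(frames) || len(running) > 0; {
		if i < len(frames) {
			f := frames[i]
			switch {
			case f.Reset:
				delete(open, f.StreamID) // stream gone; the handler keeps running in both models
				i++
			case len(open) >= limit:
				res.Rejected++ // transport-level stream limit, present in both models
				i++
			case countHandlers && len(running) >= limit:
				res.Deferred++ // patched server: do not read further until quota frees
			default:
				open[f.StreamID] = true
				running = append(running, handler{f.StreamID, handlerWork})
				i++
			}
		}
		if len(running) > res.PeakHandlers {
			res.PeakHandlers = len(running)
		}
		// every running handler does one tick of work; finished ones release their stream
		kept := running[:0]
		for _, h := range running {
			h.workLeft--
			if h.workLeft > 0 {
				kept = append(kept, h)
			} else {
				delete(open, h.streamID)
			}
		}
		running = kept
	}
	return res
}

// rapidReset builds the attack traffic: rounds bursts of burst HEADERS frames,
// each burst cancelled with RST_STREAM before the next one is sent.
// Client-initiated streams use odd IDs, as in HTTP/2.
func rapidReset(rounds, burst int) []Frame {
	var frames []Frame
	id := uint32(1)
	for r := 0; r < rounds; r++ {
		first := id
		for b := 0; b < burst; b++ {
			frames = append(frames, Frame{StreamID: id})
			id += 2
		}
		for s := first; s < id; s += 2 {
			frames = append(frames, Frame{StreamID: s, Reset: true})
		}
	}
	return frames
}

// wellBehaved opens n streams and never cancels them.
func wellBehaved(n int) []Frame {
	frames := make([]Frame, n)
	for i := range frames {
		frames[i] = Frame{StreamID: uint32(2*i + 1)}
	}
	return frames
}

func main() {
	const limit, work = 10, 1000 // limit plays the role of grpc.MaxConcurrentStreams
	cases := []struct {
		name   string
		frames []Frame
	}{
		{"15 plain streams", wellBehaved(15)},
		{"rapid reset, 5 bursts of 10", rapidReset(5, 10)},
	}
	for _, tc := range cases {
		fmt.Printf("%-28s pre-patch %+v\n", tc.name, simulate(tc.frames, limit, work, false))
		fmt.Printf("%-28s patched   %+v\n", tc.name, simulate(tc.frames, limit, work, true))
	}
}
```

With a limit of 10, the plain client is capped at 10 handlers by the stream limit alone in both models (five streams refused), while five rapid-reset bursts drive the pre-patch server to 50 concurrent handlers and the patched server to a peak of 10 with the connection stalled until handlers drain. In a real server the limit is set with `grpc.NewServer(grpc.MaxConcurrentStreams(n))`; the stall is per connection, so the total handler count across a fleet of attacker connections is still bounded only by the connection count.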
Workarounds: None.
References: #6703
Package | Type | OS Name | OS Version | Affected Ranges | Fix Versions |
---|---|---|---|---|---|
google.golang.org/grpc | golang | - | - | <1.56.3 | 1.56.3, 1.57.1, 1.58.3 |
google.golang.org/grpc | golang | - | - | >=1.57.0,<1.57.1 | 1.56.3, 1.57.1, 1.58.3 |
google.golang.org/grpc | golang | - | - | >=1.58.0,<1.58.3 | 1.56.3, 1.57.1, 1.58.3 |
CVSS:2 Severity and metrics
No CVSS data available from this source.