Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

GHSA-cfgp-2977-2fmm

GitHub Security Advisory

Connection confusion in gRPC

✓ GitHub Reviewed HIGH Has CVE
View on GitHub

Advisory Details

When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration.

Affected Packages

Maven io.grpc:grpc-protobuf
Affected versions: 1.53.0 (fixed in 1.53.1)
PyPI grpcio
Affected versions: 1.53.0 (fixed in 1.53.1)
RubyGems grpc
Affected versions: 1.53.0 (fixed in 1.53.1)
PyPI grpcio
Affected versions: 1.54.0 (fixed in 1.54.2)
RubyGems grpc
Affected versions: 1.54.0 (fixed in 1.54.2)
Maven io.grpc:grpc-protobuf
Affected versions: 1.54.0 (fixed in 1.54.2)

Related CVEs

CVE-2023-32731

Key Information

GHSA ID
GHSA-cfgp-2977-2fmm
Published
July 5, 2023 7:12 PM
Last Modified
August 13, 2025 2:56 PM
CVSS Score
7.5 /10
Primary Ecosystem
Maven
Primary Package
io.grpc:grpc-protobuf
GitHub Reviewed
✓ Yes

Dataset

Last updated: September 10, 2025 6:31 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.