CVE-2024-37168

@grpc/grpc-js can allocate memory for incoming messages well above configured limits

Severity Score

5.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

@grpc/grps-js implements the core functionality of gRPC purely in JavaScript, without a C++ addon. Prior to versions 1.10.9, 1.9.15, and 1.8.22, there are two separate code paths in which memory can be allocated per message in excess of the `grpc.max_receive_message_length` channel option: If an incoming message has a size on the wire greater than the configured limit, the entire message is buffered before it is discarded; and/or if an incoming message has a size within the limit on the wire but decompresses to a size greater than the limit, the entire message is decompressed into memory, and on the server is not discarded. This has been patched in versions 1.10.9, 1.9.15, and 1.8.22.

@grpc/grps-js implementa la funcionalidad principal de gRPC exclusivamente en JavaScript, sin un complemento de C++. Antes de las versiones 1.10.9, 1.9.15 y 1.8.22, existen dos rutas de código separadas en las que se puede asignar memoria por mensaje que exceda la opción de canal `grpc.max_receive_message_length`: si un mensaje entrante tiene un tamaño en el cable es mayor que el límite configurado, todo el mensaje se almacena en el búfer antes de descartarlo; y/o si un mensaje entrante tiene un tamaño dentro del límite del cable pero se descomprime a un tamaño mayor que el límite, el mensaje completo se descomprime en la memoria y no se descarta en el servidor. Esto se ha parcheado en las versiones 1.10.9, 1.9.15 y 1.8.22.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-06-03 CVE Reserved
2024-06-10 CVE Published
2024-08-02 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-789: Memory Allocation with Excessive Size Value

CAPEC

References (4)

URL	Tag	Source
https://github.com/grpc/grpc-node/commit/08b0422dae56467ecae1007e899efe66a8c4a650	X_refsource_misc
https://github.com/grpc/grpc-node/commit/674f4e351a619fd4532f84ae6dff96b8ee4e1ed3	X_refsource_misc
https://github.com/grpc/grpc-node/commit/a8a020339c7eab1347a343a512ad17a4aea4bfdb	X_refsource_misc
https://github.com/grpc/grpc-node/security/advisories/GHSA-7v5v-9h63-cj86	X_refsource_confirm

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Grpc Search vendor "Grpc"		Grpc-node Search vendor "Grpc" for product "Grpc-node"				>= 1.10.0 < 1.10.9 Search vendor "Grpc" for product "Grpc-node" and version " >= 1.10.0 < 1.10.9"		en		Affected
Grpc Search vendor "Grpc"		Grpc-node Search vendor "Grpc" for product "Grpc-node"				>= 1.9.0 < 1.9.15 Search vendor "Grpc" for product "Grpc-node" and version " >= 1.9.0 < 1.9.15"		en		Affected
Grpc Search vendor "Grpc"		Grpc-node Search vendor "Grpc" for product "Grpc-node"				< 1.8.22 Search vendor "Grpc" for product "Grpc-node" and version " < 1.8.22"		en		Affected