High severity · NVD Advisory · Published Jul 9, 2021 · Updated Aug 4, 2024

CVE-2021-36153

Description

A mismanaged state in GRPCWebToHTTP2ServerCodec of gRPC Swift 1.1.0/1.1.1 allows remote attackers to cause a denial of service via malformed requests.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability resides in GRPCWebToHTTP2ServerCodec.swift within gRPC Swift versions 1.1.0 and 1.1.1 [1][2][3]. The codec is responsible for translating gRPC Web requests into HTTP/2 requests on the server side. A mismanaged internal state during request parsing leads to a precondition failure when the codec encounters a malformed request [3]. This affects servers built with the affected versions that process gRPC Web traffic.

Exploitation

An attacker can exploit this vulnerability by sending a specially crafted, malformed gRPC Web request to the gRPC Swift server [2][3]. No prior authentication or special network position is required, as the attack is conducted remotely over the network. The malformed request triggers the precondition failure during parsing in GRPCWebToHTTP2ServerCodec.

Impact

Successful exploitation results in a denial of service (DoS) [2][3][4]. The precondition failure causes the server process to crash or become unavailable, disrupting service for legitimate users. The vulnerability does not lead to information disclosure, privilege escalation, or remote code execution; the impact is limited to availability.

Mitigation

The issue has been fixed in gRPC Swift version 1.2.0, released on 2021-07-09 [1][3]. Users must upgrade to 1.2.0 or later to remediate the vulnerability. No workaround is available [3]. Servers still running versions 1.1.0 or 1.1.1 remain vulnerable.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/grpc/grpc-swift | SwiftURL | < 1.2.0 | 1.2.0 |
