High severityNVD Advisory· Published Jun 9, 2023· Updated Sep 26, 2024

Denial-of-Service in gRPC

CVE-2023-1428

Description

There exists an vulnerability causing an abort() to be called in gRPC. The following headers cause gRPC's C++ implementation to abort() when called via http2:

te: x (x != trailers)

:scheme: x (x != http, https)

grpclb_client_stats: x (x == anything)

On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB. We recommend upgrading past git commit 2485fa94bd8a723e5c977d55a3ce10b301b437f8 or v1.53 and above.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2023-1428: Sending certain HTTP/2 headers (like invalid te, :scheme, or grpclb_client_stats) past 8KB total can cause gRPC C++ to call abort(), enabling denial-of-service attacks.

Root

Cause

CVE-2023-1428 is a denial-of-service vulnerability in the C++ implementation of gRPC that can cause the process to call abort() when processing specific HTTP/2 headers. The issue arises because the HPACK parser's size tracking logic did not correctly account for the encoded size of certain metadata keys, such as te (any value other than "trailers"), :scheme (any value other than "http" or "https"), and grpclb_client_stats (any value). When an attacker sends one of these headers followed by additional headers that bring the total header size past the 8 KB threshold, the parser triggers an abort [1][3].

Exploitation

Conditions

An attacker can exploit this vulnerability over a network by sending a crafted sequence of HTTP/2 headers to a gRPC server or client. The attack requires no authentication and does not need a pre-existing session, making it remotely exploitable. The specific trigger is sending an invalid header (as listed above) and then continuing to send more header data until the cumulative size exceeds 8 KB. The fix, introduced in commit 2485fa94bd8a723e5c977d55a3ce10b301b437f8, corrected the size computation by adding specialized EncodedSizeOfKey functions for TeMetadata and HttpSchemeMetadata that return zero for invalid values, preventing the faulty abort [2][3].

Impact

Successful exploitation causes the gRPC process to call abort(), immediately terminating the process. This results in a denial-of-service condition, as the affected gRPC service becomes unavailable. The vulnerability has high severity (CVSS 9.8) due to the low complexity, no privileges required, and network attack vector [1].

Mitigation

The vulnerability is fixed in gRPC versions 1.53 and later, as well as any build incorporating the commit 2485fa94bd8a723e5c977d55a3ce10b301b437f8. Users are strongly recommended to upgrade to a patched version. No workarounds are documented; ensuring the latest stable gRPC release is the only reliable mitigation [1][3].

References

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
io.grpc:grpc-protobufMaven	>= 1.51.0, < 1.53.0	1.53.0
grpcioPyPI	>= 1.51.0, < 1.53.0	1.53.0
grpcRubyGems	>= 1.51.0, < 1.53.0	1.53.0

Affected products

osv-coords16 versions
pkg:apk/chainguard/hive pkg:apk/chainguard/hive-compat pkg:apk/chainguard/stargate pkg:apk/chainguard/wavefront-proxy pkg:apk/chainguard/wavefront-proxy-compat pkg:apk/chainguard/wavefront-proxy-config pkg:apk/chainguard/wavefront-proxy-licenses pkg:apk/chainguard/wavefront-proxy-oci-entrypoint pkg:apk/wolfi/wavefront-proxy pkg:apk/wolfi/wavefront-proxy-compat pkg:apk/wolfi/wavefront-proxy-config pkg:apk/wolfi/wavefront-proxy-licenses pkg:apk/wolfi/wavefront-proxy-oci-entrypoint pkg:gem/grpc pkg:maven/io.grpc/grpc-protobuf pkg:pypi/grpcio
< 4.0.1-r1+ 15 more
- (no CPE)range: < 4.0.1-r1
- (no CPE)range: < 4.0.1-r1
- (no CPE)range: < 1.0.78-r2
- (no CPE)range: < 13.4-r1
- (no CPE)range: < 13.4-r1
- (no CPE)range: < 13.4-r1
- (no CPE)range: < 13.4-r1
- (no CPE)range: < 13.4-r1
- (no CPE)range: < 13.4-r1
- (no CPE)range: < 13.4-r1
- (no CPE)range: < 13.4-r1
- (no CPE)range: < 13.4-r1
- (no CPE)range: < 13.4-r1
- (no CPE)range: >= 1.51.0, < 1.53.0
- (no CPE)range: >= 1.51.0, < 1.53.0
- (no CPE)range: >= 1.51.0, < 1.53.0
Google/gRPCv5
Range: 1.51

Patches

2485fa94bd8a

[chttp2] Fix fuzzer found bug (#32507)

https://github.com/grpc/grpcCraig TillerMar 1, 2023via ghsa

commit

4 files changed · +37 −1

src/core/ext/transport/chttp2/transport/hpack_parser.cc+1 −1 modified

@@ -803,7 +803,7 @@ class HPackParser::Parser {
 
     template <typename Key, typename Value>
     void Encode(Key, const Value& value) {
-      AddToSummary(Key::key(), Key::Encode(value).size());
+      AddToSummary(Key::key(), EncodedSizeOfKey(Key(), value));
     }
 
    private:

src/core/lib/transport/metadata_batch.cc+11 −0 modified

@@ -168,6 +168,17 @@ StaticSlice HttpSchemeMetadata::Encode(ValueType x) {
   }
 }
 
+size_t EncodedSizeOfKey(HttpSchemeMetadata, HttpSchemeMetadata::ValueType x) {
+  switch (x) {
+    case HttpSchemeMetadata::kHttp:
+      return 4;
+    case HttpSchemeMetadata::kHttps:
+      return 5;
+    default:
+      return 0;
+  }
+}
+
 const char* HttpSchemeMetadata::DisplayValue(ValueType content_type) {
   switch (content_type) {
     case kHttp:

src/core/lib/transport/metadata_batch.h+21 −0 modified

@@ -49,6 +49,16 @@
 
 namespace grpc_core {
 
+// Given a metadata key and a value, return the encoded size.
+// Defaults to calling the key's Encode() method and then calculating the size
+// of that, but can be overridden for specific keys if there's a better way of
+// doing this.
+// May return 0 if the size is unknown/unknowable.
+template <typename Key>
+size_t EncodedSizeOfKey(Key, const typename Key::ValueType& value) {
+  return Key::Encode(value).size();
+}
+
 // grpc-timeout metadata trait.
 // ValueType is defined as Timestamp - an absolute timestamp (i.e. a
 // deadline!), that is converted to a duration by transports before being
@@ -90,6 +100,10 @@ struct TeMetadata {
   static const char* DisplayMemento(MementoType te) { return DisplayValue(te); }
 };
 
+inline size_t EncodedSizeOfKey(TeMetadata, TeMetadata::ValueType x) {
+  return x == TeMetadata::kTrailers ? 8 : 0;
+}
+
 // content-type metadata trait.
 struct ContentTypeMetadata {
   static constexpr bool kRepeatable = false;
@@ -140,6 +154,8 @@ struct HttpSchemeMetadata {
   }
 };
 
+size_t EncodedSizeOfKey(HttpSchemeMetadata, HttpSchemeMetadata::ValueType x);
+
 // method metadata trait.
 struct HttpMethodMetadata {
   static constexpr bool kRepeatable = false;
@@ -362,6 +378,11 @@ struct GrpcLbClientStatsMetadata {
   }
 };
 
+inline size_t EncodedSizeOfKey(GrpcLbClientStatsMetadata,
+                               GrpcLbClientStatsMetadata::ValueType) {
+  return 0;
+}
+
 // lb-token metadata
 struct LbTokenMetadata : public SimpleSliceBasedMetadata {
   static constexpr bool kRepeatable = false;

test/core/transport/chttp2/hpack_parser_corpus/clusterfuzz-testcase-minimized-hpack_parser_fuzzer-4859070937169920+4 −0 added
```
@@ -0,0 +1,4 @@
+frames {
+  max_metadata_length: 58
+  parse: "@\002te\000@\002te\002@\000et\000;e"
+}
```

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-6628-q6j9-w8vgghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2023-1428ghsaADVISORY
github.com/grpc/grpc/commit/2485fa94bd8a723e5c977d55a3ce10b301b437f8ghsaWEB
github.com/grpc/grpc/issues/33463ghsaWEB
github.com/rubysec/ruby-advisory-db/blob/master/gems/grpc/CVE-2023-1428.ymlghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000