CVE-2023-32731
Description
When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. We recommend upgrading beyond the commit contained in https://github.com/grpc/grpc/pull/33005 https://github.com/grpc/grpc/pull/33005
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
io.grpc:grpc-protobufMaven | >= 1.53.0, < 1.53.1 | 1.53.1 |
grpcioPyPI | >= 1.53.0, < 1.53.1 | 1.53.1 |
grpcRubyGems | >= 1.53.0, < 1.53.1 | 1.53.1 |
grpcioPyPI | >= 1.54.0, < 1.54.2 | 1.54.2 |
grpcRubyGems | >= 1.54.0, < 1.54.2 | 1.54.2 |
io.grpc:grpc-protobufMaven | >= 1.54.0, < 1.54.2 | 1.54.2 |
Affected products
102- osv-coords101 versionspkg:apk/chainguard/calicopkg:apk/chainguard/calico-apiserverpkg:apk/chainguard/calico-app-policypkg:apk/chainguard/calico-cnipkg:apk/chainguard/calico-cni-compatpkg:apk/chainguard/calicoctlpkg:apk/chainguard/calico-felixpkg:apk/chainguard/calico-key-cert-provisionerpkg:apk/chainguard/calico-kube-controllerspkg:apk/chainguard/calico-nodepkg:apk/chainguard/calico-pod2daemonpkg:apk/chainguard/calico-pod2daemon-flexvol-compatpkg:apk/chainguard/calico-typha-clientpkg:apk/chainguard/calico-typhadpkg:apk/chainguard/hivepkg:apk/chainguard/hive-compatpkg:apk/chainguard/stargatepkg:apk/chainguard/wavefront-proxypkg:apk/chainguard/wavefront-proxy-compatpkg:apk/chainguard/wavefront-proxy-configpkg:apk/chainguard/wavefront-proxy-licensespkg:apk/chainguard/wavefront-proxy-oci-entrypointpkg:apk/wolfi/calicopkg:apk/wolfi/calico-apiserverpkg:apk/wolfi/calico-app-policypkg:apk/wolfi/calico-cnipkg:apk/wolfi/calico-cni-compatpkg:apk/wolfi/calicoctlpkg:apk/wolfi/calico-felixpkg:apk/wolfi/calico-key-cert-provisionerpkg:apk/wolfi/calico-kube-controllerspkg:apk/wolfi/calico-nodepkg:apk/wolfi/calico-pod2daemonpkg:apk/wolfi/calico-pod2daemon-flexvol-compatpkg:apk/wolfi/calico-typha-clientpkg:apk/wolfi/calico-typhadpkg:apk/wolfi/wavefront-proxypkg:apk/wolfi/wavefront-proxy-compatpkg:apk/wolfi/wavefront-proxy-configpkg:apk/wolfi/wavefront-proxy-licensespkg:apk/wolfi/wavefront-proxy-oci-entrypointpkg:gem/grpcpkg:maven/io.grpc/grpc-protobufpkg:pypi/grpciopkg:rpm/opensuse/abseil-cpp&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/abseil-cpp&distro=openSUSE%20Leap%20Micro%205.3pkg:rpm/opensuse/abseil-cpp&distro=openSUSE%20Leap%20Micro%205.4pkg:rpm/opensuse/grpc&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/opencensus-proto&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/protobuf&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/protobuf&distro=openSUSE%20Leap%20Micro%205.3pkg:rpm/opensuse/protobuf&distro=openSUSE%20Leap%20Micro%205.4pkg:rpm/opensuse/python-abseil&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/python-grpcio&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/re2&distro=openSUSE%20Leap%2015.5pkg:rpm/suse/abseil-cpp&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOSpkg:rpm/suse/abseil-cpp&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSSpkg:rpm/suse/abseil-cpp&distro=SUSE%20Linux%20Enterprise%20Installer%20Updates%2015%20SP4pkg:rpm/suse/abseil-cpp&distro=SUSE%20Linux%20Enterprise%20Installer%20Updates%2015%20SP5pkg:rpm/suse/abseil-cpp&distro=SUSE%20Linux%20Enterprise%20Micro%205.3pkg:rpm/suse/abseil-cpp&distro=SUSE%20Linux%20Enterprise%20Micro%205.4pkg:rpm/suse/abseil-cpp&distro=SUSE%20Linux%20Enterprise%20Micro%205.5pkg:rpm/suse/abseil-cpp&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP5pkg:rpm/suse/abseil-cpp&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP5pkg:rpm/suse/abseil-cpp&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSSpkg:rpm/suse/abseil-cpp&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4pkg:rpm/suse/abseil-cpp&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015%20SP5pkg:rpm/suse/abseil-cpp&distro=SUSE%20Manager%20Proxy%204.3pkg:rpm/suse/grpc&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOSpkg:rpm/suse/grpc&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSSpkg:rpm/suse/grpc&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP5pkg:rpm/suse/grpc&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2015%20SP4pkg:rpm/suse/grpc&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2015%20SP5pkg:rpm/suse/grpc&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSSpkg:rpm/suse/grpc&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4pkg:rpm/suse/grpc&distro=SUSE%20Manager%20Proxy%204.3pkg:rpm/suse/protobuf&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOSpkg:rpm/suse/protobuf&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSSpkg:rpm/suse/protobuf&distro=SUSE%20Linux%20Enterprise%20Installer%20Updates%2015%20SP4pkg:rpm/suse/protobuf&distro=SUSE%20Linux%20Enterprise%20Installer%20Updates%2015%20SP5pkg:rpm/suse/protobuf&distro=SUSE%20Linux%20Enterprise%20Micro%205.3pkg:rpm/suse/protobuf&distro=SUSE%20Linux%20Enterprise%20Micro%205.4pkg:rpm/suse/protobuf&distro=SUSE%20Linux%20Enterprise%20Micro%205.5pkg:rpm/suse/protobuf&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP5pkg:rpm/suse/protobuf&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP5pkg:rpm/suse/protobuf&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP5pkg:rpm/suse/protobuf&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2015%20SP4pkg:rpm/suse/protobuf&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2015%20SP5pkg:rpm/suse/protobuf&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Python%203%2015%20SP5pkg:rpm/suse/protobuf&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSSpkg:rpm/suse/protobuf&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4pkg:rpm/suse/protobuf&distro=SUSE%20Manager%20Proxy%204.3pkg:rpm/suse/python-abseil&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Python%203%2015%20SP5pkg:rpm/suse/python-grpcio&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Python%203%2015%20SP5pkg:rpm/suse/re2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOSpkg:rpm/suse/re2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSSpkg:rpm/suse/re2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP5pkg:rpm/suse/re2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2015%20SP5pkg:rpm/suse/re2&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSSpkg:rpm/suse/re2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4pkg:rpm/suse/re2&distro=SUSE%20Manager%20Proxy%204.3
< 3.26.1-r5+ 100 more
- (no CPE)range: < 3.26.1-r5
- (no CPE)range: < 3.26.1-r5
- (no CPE)range: < 3.26.1-r5
- (no CPE)range: < 3.26.1-r5
- (no CPE)range: < 3.26.1-r5
- (no CPE)range: < 3.26.1-r5
- (no CPE)range: < 3.26.1-r5
- (no CPE)range: < 3.26.1-r5
- (no CPE)range: < 3.26.1-r5
- (no CPE)range: < 3.26.1-r5
- (no CPE)range: < 3.26.1-r5
- (no CPE)range: < 3.26.1-r5
- (no CPE)range: < 3.26.1-r5
- (no CPE)range: < 3.26.1-r5
- (no CPE)range: < 4.0.1-r1
- (no CPE)range: < 4.0.1-r1
- (no CPE)range: < 1.0.78-r2
- (no CPE)range: < 13.4-r1
- (no CPE)range: < 13.4-r1
- (no CPE)range: < 13.4-r1
- (no CPE)range: < 13.4-r1
- (no CPE)range: < 13.4-r1
- (no CPE)range: < 3.26.1-r5
- (no CPE)range: < 3.26.1-r5
- (no CPE)range: < 3.26.1-r5
- (no CPE)range: < 3.26.1-r5
- (no CPE)range: < 3.26.1-r5
- (no CPE)range: < 3.26.1-r5
- (no CPE)range: < 3.26.1-r5
- (no CPE)range: < 3.26.1-r5
- (no CPE)range: < 3.26.1-r5
- (no CPE)range: < 3.26.1-r5
- (no CPE)range: < 3.26.1-r5
- (no CPE)range: < 3.26.1-r5
- (no CPE)range: < 3.26.1-r5
- (no CPE)range: < 3.26.1-r5
- (no CPE)range: < 13.4-r1
- (no CPE)range: < 13.4-r1
- (no CPE)range: < 13.4-r1
- (no CPE)range: < 13.4-r1
- (no CPE)range: < 13.4-r1
- (no CPE)range: >= 1.53.0, < 1.53.1
- (no CPE)range: >= 1.53.0, < 1.53.1
- (no CPE)range: >= 1.53.0, < 1.53.1
- (no CPE)range: < 20230802.1-150400.10.4.1
- (no CPE)range: < 20230802.1-150400.10.4.1
- (no CPE)range: < 20230802.1-150400.10.4.1
- (no CPE)range: < 1.60.0-150400.8.3.2
- (no CPE)range: < 0.3.0+git.20200721-150400.9.3.1
- (no CPE)range: < 25.1-150400.9.3.1
- (no CPE)range: < 25.1-150400.9.3.1
- (no CPE)range: < 25.1-150400.9.3.1
- (no CPE)range: < 1.4.0-150400.9.3.1
- (no CPE)range: < 1.60.0-150400.9.3.2
- (no CPE)range: < 20240201-150400.9.3.1
- (no CPE)range: < 20230802.1-150400.10.4.1
- (no CPE)range: < 20230802.1-150400.10.4.1
- (no CPE)range: < 20230802.1-150400.10.4.1
- (no CPE)range: < 20230802.1-150400.10.4.1
- (no CPE)range: < 20230802.1-150400.10.4.1
- (no CPE)range: < 20230802.1-150400.10.4.1
- (no CPE)range: < 20230802.1-150400.10.4.1
- (no CPE)range: < 20230802.1-150400.10.4.1
- (no CPE)range: < 20230802.1-150400.10.4.1
- (no CPE)range: < 20230802.1-150400.10.4.1
- (no CPE)range: < 20230802.1-150400.10.4.1
- (no CPE)range: < 20230802.1-150400.10.4.1
- (no CPE)range: < 20230802.1-150400.10.4.1
- (no CPE)range: < 1.60.0-150400.8.3.2
- (no CPE)range: < 1.60.0-150400.8.3.2
- (no CPE)range: < 1.60.0-150400.8.3.2
- (no CPE)range: < 1.60.0-150400.8.3.2
- (no CPE)range: < 1.60.0-150400.8.3.2
- (no CPE)range: < 1.60.0-150400.8.3.2
- (no CPE)range: < 1.60.0-150400.8.3.2
- (no CPE)range: < 1.60.0-150400.8.3.2
- (no CPE)range: < 25.1-150400.9.3.1
- (no CPE)range: < 25.1-150400.9.3.1
- (no CPE)range: < 25.1-150400.9.3.1
- (no CPE)range: < 25.1-150400.9.3.1
- (no CPE)range: < 25.1-150400.9.3.1
- (no CPE)range: < 25.1-150400.9.3.1
- (no CPE)range: < 25.1-150400.9.3.1
- (no CPE)range: < 25.1-150400.9.3.1
- (no CPE)range: < 25.1-150400.9.3.1
- (no CPE)range: < 25.1-150400.9.3.1
- (no CPE)range: < 25.1-150400.9.3.1
- (no CPE)range: < 25.1-150400.9.3.1
- (no CPE)range: < 25.1-150400.9.3.1
- (no CPE)range: < 25.1-150400.9.3.1
- (no CPE)range: < 25.1-150400.9.3.1
- (no CPE)range: < 25.1-150400.9.3.1
- (no CPE)range: < 1.4.0-150400.9.3.1
- (no CPE)range: < 1.60.0-150400.9.3.2
- (no CPE)range: < 20240201-150400.9.3.1
- (no CPE)range: < 20240201-150400.9.3.1
- (no CPE)range: < 20240201-150400.9.3.1
- (no CPE)range: < 20240201-150400.9.3.1
- (no CPE)range: < 20240201-150400.9.3.1
- (no CPE)range: < 20240201-150400.9.3.1
- (no CPE)range: < 20240201-150400.9.3.1
- Google/gRPCv5Range: 1.53
Patches
Vulnerability mechanics
References
10- github.com/grpc/grpc/pull/32309nvdPatchWEB
- github.com/grpc/grpc/pull/33005nvdPatchWEB
- github.com/advisories/GHSA-cfgp-2977-2fmmghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-32731ghsaADVISORY
- github.com/grpc/grpc/commit/29d8beee0ac2555773b2a2dda5601c74a95d6c10ghsaWEB
- github.com/grpc/grpc/commit/65a2a895afaf1d2072447b9baf246374b182a946ghsaWEB
- github.com/grpc/grpc/issues/33463ghsaWEB
- github.com/grpc/grpc/releases/tag/v1.53.1ghsaWEB
- github.com/grpc/grpc/releases/tag/v1.54.2ghsaWEB
- github.com/rubysec/ruby-advisory-db/blob/master/gems/grpc/CVE-2023-32731.ymlghsaWEB
News mentions
1- HTTP/1.1 must die: the desync endgamePortSwigger Research · Aug 6, 2025