VYPR
High severity7.4NVD Advisory· Published Jun 9, 2023· Updated Jun 17, 2026

CVE-2023-32731

CVE-2023-32731

Description

When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. We recommend upgrading beyond the commit contained in  https://github.com/grpc/grpc/pull/33005 https://github.com/grpc/grpc/pull/33005

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
io.grpc:grpc-protobufMaven
>= 1.53.0, < 1.53.11.53.1
grpcioPyPI
>= 1.53.0, < 1.53.11.53.1
grpcRubyGems
>= 1.53.0, < 1.53.11.53.1
grpcioPyPI
>= 1.54.0, < 1.54.21.54.2
grpcRubyGems
>= 1.54.0, < 1.54.21.54.2
io.grpc:grpc-protobufMaven
>= 1.54.0, < 1.54.21.54.2

Affected products

102

Patches

Vulnerability mechanics

References

10

News mentions

1