VYPR
High severity · NVD Advisory · Published Aug 9, 2023 · Updated Sep 27, 2024

Denial-of-Service in gRPC

CVE-2023-33953

Description

gRPC contains a vulnerability in which HPACK table accounting errors can lead to unwanted disconnects between clients and servers in exceptional cases. Three vectors were found that allow the following DoS attacks:

  • Unbounded memory buffering in the HPACK parser
  • Unbounded CPU consumption in the HPACK parser

The unbounded CPU consumption is due to a copy that occurred per input block in the parser; because that copy could itself be unbounded as a result of the memory buffering bug, the parsing loop becomes O(n^2), with n selected by the client.

The unbounded memory buffering bugs:

  • The header size limit check was behind the string reading code, so the parser first had to buffer up to a 4 gigabyte string before rejecting it as longer than 8 or 16 KB.
  • HPACK varints have an encoding quirk whereby an unlimited number of 0's can be added at the start of an integer. gRPC's hpack parser needed to read all of them before concluding a parse.
  • gRPC's metadata overflow check was performed per frame, so the following sequence of frames could cause infinite buffering: HEADERS containing a: 1, CONTINUATION containing a: 2, CONTINUATION containing a: 3, etc.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

gRPC's HPACK parser contains multiple bugs leading to unbounded memory and CPU consumption, enabling denial-of-service attacks via crafted HTTP/2 headers.

Vulnerability

Overview

CVE-2023-33953 is a denial-of-service (DoS) vulnerability in gRPC's HPACK parser, stemming from three distinct vectors that cause either unbounded memory buffering or unbounded CPU consumption [2]. The root cause involves HPACK table accounting errors combined with per-frame metadata overflow checks that do not limit total buffering across continuation frames [1][2].

Exploitation

Vectors

Exploitation is client-initiated. Three specific bugs contribute: (1) The header size limit check occurs after string buffering, allowing a 4 GB string to be buffered before rejection; (2) HPACK varint encoding permits infinite leading zeros, forcing the parser to read them all; (3) The metadata overflow check is per-frame, so a sequence of HEADERS and CONTINUATION frames can each add data without reaching a global limit, enabling infinite buffering [1][2]. Additionally, unbounded CPU consumption results from an O(n²) parsing loop driven by the memory buffering bugs [2].
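The following is an added example, not gRPC's own code, showing one defensive check per buffering vector named in the Description and in the Vectors paragraph above: the declared string length is bounded before any payload is read, the varint decoder caps the number of continuation bytes so zero-padding cannot keep it reading, and the header-block size limit is applied to the running total across HEADERS and CONTINUATION frames rather than per frame. The three numeric limits are assumptions chosen for illustration.

```python
# Added example, not gRPC's own code: bounded HPACK decoding plus cross-frame
# header-block accounting, one check per buffering vector in CVE-2023-33953.
# The three limits below are assumptions chosen for illustration.
MAX_INT_CONTINUATION_BYTES = 5     # 5 x 7 bits covers any 32-bit index/length
MAX_STRING_LENGTH = 8 * 1024       # checked before a single payload byte is buffered
MAX_HEADER_BLOCK_SIZE = 16 * 1024  # cumulative cap across HEADERS + CONTINUATION

class HpackError(ValueError):
    """Any bound violation; a real endpoint would answer with GOAWAY/RST_STREAM."""


def decode_hpack_int(data: bytes, pos: int, prefix_bits: int) -> tuple[int, int]:
    """RFC 7541 section 5.1 integer decode; rejects encodings padded with 0x80 bytes."""
    mask = (1 << prefix_bits) - 1
    value = data[pos] & mask
    pos += 1
    if value < mask:
        return value, pos
    shift = 0
    for _ in range(MAX_INT_CONTINUATION_BYTES):
        if pos >= len(data):
            raise HpackError("truncated integer")
        byte = data[pos]
        pos += 1
        value += (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return value, pos
    raise HpackError("too many continuation bytes (zero-padded varint)")


def decode_hpack_string(data: bytes, pos: int) -> tuple[bytes, int]:
    """String literal decode: the declared length is bounded before bytes are read.
    The Huffman flag (top bit) is ignored here; raw octets are returned as-is."""
    length, pos = decode_hpack_int(data, pos, 7)
    if length > MAX_STRING_LENGTH:
        raise HpackError(f"declared length {length} exceeds {MAX_STRING_LENGTH}")
    if pos + length > len(data):
        raise HpackError("truncated string")
    return data[pos:pos + length], pos + length


def accumulate_header_block(fragments, limit: int = MAX_HEADER_BLOCK_SIZE) -> bytes:
    """Join HEADERS + CONTINUATION payloads, capping the running total, not each frame."""
    buf = bytearray()
    for payload in fragments:
        if len(buf) + len(payload) > limit:
            raise HpackError(f"header block exceeds {limit} bytes across frames")
        buf += payload
    return bytes(buf)
```

Each function raises before it allocates, which is the property the original per-frame and post-read checks lacked.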

Impact

An unauthenticated attacker can cause excessive memory and CPU usage on the target gRPC server or client, leading to unwanted disconnects and service unavailability. No authentication or special network position is required beyond the ability to send HTTP/2 frames [1][2][3].

Mitigation

Status

Patches are available. Versions 1.53.2, 1.54.3, 1.55.2, and 1.56.2 contain fixes [3]. Users should upgrade to the latest patched release. No workarounds are documented, but limiting HPACK table sizes and employing connection-level rate limiting can reduce risk.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions      Patched versions
grpcio (PyPI)    < 1.53.2               1.53.2
grpcio (PyPI)    >= 1.54.0, < 1.54.3    1.54.3
grpcio (PyPI)    >= 1.55.0, < 1.55.2    1.55.2
grpcio (PyPI)    >= 1.56.0, < 1.56.2    1.56.2
grpc (RubyGems)  < 1.53.2               1.53.2
grpc (RubyGems)  >= 1.54.0, < 1.54.3    1.54.3
grpc (RubyGems)  >= 1.55.0, < 1.55.2    1.55.2
grpc (RubyGems)  >= 1.56.0, < 1.56.2    1.56.2
