VYPR
High severity · NVD Advisory · Published Sep 13, 2023 · Updated Jan 12, 2026

Denial of Service in gRPC Core

CVE-2023-4785

Description

Lack of error handling in the TCP server in Google's gRPC, starting with version 1.23, on POSIX-compatible platforms (e.g., Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++, Python, and Ruby are affected, but gRPC Java and Go are NOT affected.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Google gRPC C++, Python, and Ruby (>=1.23 on POSIX) lack error handling for file descriptors, enabling denial of service via many connections.

Vulnerability

CVE-2023-4785 is a denial-of-service vulnerability in Google's gRPC framework, affecting versions 1.23 and later on POSIX-compatible platforms such as Linux. The root cause is a lack of proper error handling in the TCP server when the system runs out of file descriptors due to accepting a large number of concurrent connections. [1]

Exploitation

An attacker can exploit this by initiating numerous connections to a vulnerable gRPC server, exhausting the server's file descriptor limit. The attack requires no authentication and can be carried out from any network that can reach the server. The affected languages are C++, Python, and Ruby; notably, gRPC implementations in Java and Go are not vulnerable due to differing underlying architectures. [1]

Impact

Successful exploitation results in a denial of service, rendering the gRPC server unable to accept new connections or perform legitimate operations. The server may crash or become unresponsive, disrupting dependent services. [1]

Mitigation

The gRPC project has addressed this issue through backported patches in pull requests improving server handling of file descriptor exhaustion for the affected versions. [2][3][4] Users should update to the latest patched release for their language and platform.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| grpc (RubyGems) | >= 1.56.0, < 1.56.2 | 1.56.2 |
| grpc (RubyGems) | >= 1.55.0, < 1.55.3 | 1.55.3 |
| grpc (RubyGems) | >= 1.54.0, < 1.54.3 | 1.54.3 |
| grpc (RubyGems) | >= 1.53.0, < 1.53.2 | 1.53.2 |
| grpcio (PyPI) | >= 1.55.0, < 1.55.3 | 1.55.3 |
| grpcio (PyPI) | >= 1.54.0, < 1.54.3 | 1.54.3 |
| grpcio (PyPI) | >= 1.53.0, < 1.53.2 | 1.53.2 |
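
A triage check built from the version ranges in the "Affected packages" table and the "starting version 1.23" statement in the description, given here as an added example that is not code from the advisory or the gRPC project. `LISTED`, `classify` and the returned labels are hypothetical names chosen for illustration; any version suffix (such as `rc1` or `.pre1`) is assumed to mark a pre-release.

```python
import re
from importlib import metadata

# Ranges copied from the "Affected packages" table on this page: (first affected, first patched).
LISTED = {
    "grpcio": [("1.53.0", "1.53.2"), ("1.54.0", "1.54.3"), ("1.55.0", "1.55.3")],
    "grpc": [("1.53.0", "1.53.2"), ("1.54.0", "1.54.3"),
             ("1.55.0", "1.55.3"), ("1.56.0", "1.56.2")],
}
FIRST_AFFECTED = (1, 23, 0)  # "starting version 1.23" in the description


def parse(version):
    """Return ((major, minor, patch), has_suffix) for strings like 1.55.3 or 1.55.3rc1."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(.*)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    release = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return release, bool(m.group(4))


def classify(package, version):
    """Hypothetical helper: map a version to a triage label for CVE-2023-4785."""
    release, pre = parse(version)
    for low, fixed in LISTED[package]:
        lo, hi = parse(low)[0], parse(fixed)[0]
        # A pre-release of the patched version sorts before it, so treat it as unpatched.
        if lo <= release < hi or (release == hi and pre):
            return f"listed-affected (upgrade to {fixed})"
    lowest_listed = min(parse(low)[0] for low, _ in LISTED[package])
    if FIRST_AFFECTED <= release < lowest_listed:
        # The description covers these releases but the table lists no patched version for them.
        return "described-affected (no listed fix for this release line)"
    return "not-listed"


def installed_grpcio_status():
    """Classify the grpcio installed in this interpreter, or None if it is absent."""
    try:
        return classify("grpcio", metadata.version("grpcio"))
    except metadata.PackageNotFoundError:
        return None


if __name__ == "__main__":
    print("grpcio:", installed_grpcio_status())
```

A `not-listed` result only means the version falls outside the ranges and description quoted on this page; it is not a statement that the release is unaffected.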
