High severityOSV Advisory· Published Apr 24, 2025· Updated Apr 15, 2026
CVE-2025-43855
CVE-2025-43855
Description
tRPC allows users to build & consume fully typesafe APIs without schemas or code generation. In versions starting from 11.0.0 to before 11.1.1, an unhandled error is thrown when validating invalid connectionParams which crashes a tRPC WebSocket server. This allows any unauthenticated user to crash a tRPC 11 WebSocket server. Any tRPC 11 server with WebSocket enabled with a createContext method set is vulnerable. This issue has been patched in version 11.1.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
@trpc/servernpm | >= 11.0.0, < 11.1.1 | 11.1.1 |
Affected products
2Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-pj3v-9cm8-gvj8ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-43855ghsaADVISORY
- github.com/trpc/trpc/blob/8cef54eaf95d8abc8484fe1d454b6620eeb57f2f/packages/server/src/adapters/ws.tsghsaWEB
- github.com/trpc/trpc/commit/9beb26c636d44852e0f407f3d7a82ad54df65b4dnvdWEB
- github.com/trpc/trpc/pull/5839ghsaWEB
- github.com/trpc/trpc/security/advisories/GHSA-pj3v-9cm8-gvj8nvdWEB
News mentions
0No linked articles in our index yet.