VYPR
Vendor: Grpc

Products: 3
CVEs: 13
Across products: 13
Status: Private

Recent CVEs (13)

  • CVE-2023-44487 | High | KEV | Oct 10, 2023
    risk 0.65 | cvss 7.5 | epss 1.00

    The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

  • CVE-2017-9431 | Critical | Jun 5, 2017
    risk 0.64 | cvss 9.8 | epss 0.02

    Google gRPC before 2017-04-05 has an out-of-bounds write caused by a heap-based buffer overflow related to core/lib/iomgr/error.c.

  • CVE-2017-8359 | Critical | Apr 30, 2017
    risk 0.64 | cvss 9.8 | epss 0.02

    Google gRPC before 2017-03-29 has an out-of-bounds write caused by a heap-based use-after-free related to the grpc_call_destroy function in core/lib/surface/call.c.

  • CVE-2017-7861 | Critical | Apr 14, 2017
    risk 0.64 | cvss 9.8 | epss 0.03

    Google gRPC before 2017-02-22 has an out-of-bounds write related to the gpr_free function in core/lib/support/alloc.c.

  • CVE-2017-7860 | Critical | Apr 14, 2017
    risk 0.64 | cvss 9.8 | epss 0.03

    Google gRPC before 2017-02-22 has an out-of-bounds write caused by a heap-based buffer overflow related to the parse_unix function in core/ext/client_channel/parse_address.c.

  • CVE-2026-33186 | Critical | Mar 20, 2026
    risk 0.52 | cvss 9.1 | epss 0.01

    gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path`…

  • CVE-2026-48068 | High | Jun 11, 2026
    risk 0.45 | cvss (not listed) | epss 0.00

    Impact: An invalid incoming HTTP/2 stream initiation can cause a server process to crash. This affects all servers created using @grpc/grpc-js. Patches: The following versions have fixes for this vulnerability: 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, 1.14.4 …

  • CVE-2026-48069 | High | Jun 11, 2026
    risk 0.45 | cvss (not listed) | epss 0.00

    Impact: An invalid incoming compressed message can cause a client or server process to crash. This affects all clients and servers that use @grpc/grpc-js. Patches: The following versions have fixes for this vulnerability: 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5 …

  • CVE-2024-37168 | Medium | Jun 10, 2024
    risk 0.28 | cvss 5.3 | epss 0.01

    @grpc/grpc-js implements the core functionality of gRPC purely in JavaScript, without a C++ addon. Prior to versions 1.10.9, 1.9.15, and 1.8.22, there are two separate code paths in which memory can be allocated per message in excess of the `grpc.max_receive_message_length`…

  • CVE-2024-11407 | Nov 26, 2024
    risk 0.00 | cvss (not listed) | epss 0.01

    There exists a denial of service through data corruption in gRPC-C++: gRPC-C++ servers with transmit zero copy enabled through the channel arg GRPC_ARG_TCP_TX_ZEROCOPY_ENABLED can experience data corruption issues. The data sent by the application may be corrupted before…

  • CVE-2024-7246 | Aug 6, 2024
    risk 0.00 | cvss (not listed) | epss 0.00

    It's possible for a gRPC client communicating with an HTTP/2 proxy to poison the HPACK table between the proxy and the backend such that other clients see failed requests. It's also possible to use this vulnerability to leak other clients' HTTP header keys, but not values. This…

  • CVE-2022-24777 | Mar 25, 2022
    risk 0.00 | cvss (not listed) | epss 0.01

    grpc-swift is the Swift language implementation of gRPC, a remote procedure call (RPC) framework. Prior to version 1.7.2, a grpc-swift server is vulnerable to a denial of service attack via a reachable assertion. This is due to incorrect logic when handling GOAWAY frames. The…

  • CVE-2020-7768 | Nov 11, 2020
    risk 0.00 | cvss (not listed) | epss 0.04

    The package grpc before 1.24.4; the package @grpc/grpc-js before 1.1.8 are vulnerable to Prototype Pollution via loadPackageDefinition.