Description

@grpc/grps-js implements the core functionality of gRPC purely in JavaScript, without a C++ addon. Prior to versions 1.10.9, 1.9.15, and 1.8.22, there are two separate code paths in which memory can be allocated per message in excess of the `grpc.max_receive_message_length` channel option: If an incoming message has a size on the wire greater than the configured limit, the entire message is buffered before it is discarded; and/or if an incoming message has a size within the limit on the wire but decompresses to a size greater than the limit, the entire message is decompressed into memory, and on the server is not discarded. This has been patched in versions 1.10.9, 1.9.15, and 1.8.22.

INFO

Published Date :

2024-06-10T21:32:06.403Z

Last Modified :

2024-08-02T03:50:55.550Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2024-37168 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-37168.

URL Resource
https://github.com/grpc/grpc-node/commit/08b0422dae56467ecae1007e899efe66a8c4a650 cve-icon cve-icon cve-icon
https://github.com/grpc/grpc-node/commit/674f4e351a619fd4532f84ae6dff96b8ee4e1ed3 cve-icon cve-icon cve-icon
https://github.com/grpc/grpc-node/commit/a8a020339c7eab1347a343a512ad17a4aea4bfdb cve-icon cve-icon cve-icon
https://github.com/grpc/grpc-node/security/advisories/GHSA-7v5v-9h63-cj86 cve-icon cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2024-37168 cve-icon
https://www.cve.org/CVERecord?id=CVE-2024-37168 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact