CVSS4
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/SC:N/VI:N/SI:N/VA:L/SA:L
AI Score
Confidence
Low
EPSS
Percentile
9.5%
It’s possible for a gRPC client communicating with a HTTP/2 proxy to poison
the HPACK table between the proxy and the backend such that other clients
see failed requests. It’s also possible to use this vulnerability to leak
other clients HTTP header keys, but not values.
This occurs because the error status for a misencoded header is not cleared
between header reads, resulting in subsequent (incrementally indexed) added
headers in the first request being poisoned until cleared from the HPACK
table.
Please update to a fixed version of gRPC as soon as possible. This bug has
been fixed in 1.58.3, 1.59.5, 1.60.2, 1.61.3, 1.62.3, 1.63.2, 1.64.3,
1.65.4.