Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
@grpc/grpc-js can allocate memory for incoming messages well above configured limits
Vulnerability Description
@grpc/grps-js implements the core functionality of gRPC purely in JavaScript, without a C++ addon. Prior to versions 1.10.9, 1.9.15, and 1.8.22, there are two separate code paths in which memory can be allocated per message in excess of the `grpc.max_receive_message_length` channel option: If an incoming message has a size on the wire greater than the configured limit, the entire message is buffered before it is discarded; and/or if an incoming message has a size within the limit on the wire but decompresses to a size greater than the limit, the entire message is decompressed into memory, and on the server is not discarded. This has been patched in versions 1.10.9, 1.9.15, and 1.8.22.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Vulnerability Type
未经控制的内存分配
Vulnerability Title
gRPC 安全漏洞
Vulnerability Description
gRPC是gRPC开源的一种现代、开源、高性能的远程过程调用 (RPC) 框架。 gRPC 1.10.9、1.9.15 和 1.8.22 之前版本存在安全漏洞,该漏洞源于可以为传入消息分配远超出配置限制的内存。
CVSS Information
N/A
Vulnerability Type
N/A