{"id":"GHSA-7v5v-9h63-cj86","summary":"@grpc/grpc-js can allocate memory for incoming messages well above configured limits","details":"### Impact\nThere are two separate code paths in which memory can be allocated per message in excess of the `grpc.max_receive_message_length` channel option:\n\n 1. If an incoming message has a size on the wire greater than the configured limit, the entire message is buffered before it is discarded.\n 2. If an incoming message has a size within the limit on the wire but decompresses to a size greater than the limit, the entire message is decompressed into memory, and on the server is not discarded.\n\n### Patches\n\nThis has been patched in versions 1.10.9, 1.9.15, and 1.8.22\n","aliases":["CVE-2024-37168"],"modified":"2026-02-04T02:15:16.213384Z","published":"2024-06-10T21:38:05Z","related":["CGA-cgx6-xw9m-j37j"],"database_specific":{"cwe_ids":["CWE-789"],"github_reviewed_at":"2024-06-10T21:38:05Z","github_reviewed":true,"nvd_published_at":"2024-06-10T22:15:12Z","severity":"MODERATE"},"references":[{"type":"WEB","url":"https://github.com/grpc/grpc-node/security/advisories/GHSA-7v5v-9h63-cj86"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-37168"},{"type":"WEB","url":"https://github.com/grpc/grpc-node/commit/08b0422dae56467ecae1007e899efe66a8c4a650"},{"type":"WEB","url":"https://github.com/grpc/grpc-node/commit/674f4e351a619fd4532f84ae6dff96b8ee4e1ed3"},{"type":"WEB","url":"https://github.com/grpc/grpc-node/commit/a8a020339c7eab1347a343a512ad17a4aea4bfdb"},{"type":"PACKAGE","url":"https://github.com/grpc/grpc-node"}],"affected":[{"package":{"name":"@grpc/grpc-js","ecosystem":"npm","purl":"pkg:npm/%40grpc/grpc-js"},"ranges":[{"type":"SEMVER","events":[{"introduced":"1.10.0"},{"fixed":"1.10.9"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-7v5v-9h63-cj86/GHSA-7v5v-9h63-cj86.json"}},{"package":{"name":"@grpc/grpc-js","ecosystem":"npm","purl":"pkg:npm/%40grpc/grpc-js"},"ranges":[{"type":"SEMVER","events":[{"introduced":"1.9.0"},{"fixed":"1.9.15"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-7v5v-9h63-cj86/GHSA-7v5v-9h63-cj86.json"}},{"package":{"name":"@grpc/grpc-js","ecosystem":"npm","purl":"pkg:npm/%40grpc/grpc-js"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.8.22"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-7v5v-9h63-cj86/GHSA-7v5v-9h63-cj86.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}]}