=1.1.4 <1.2.3

Q: How to fix?

Upgrade github.com/mostynb/go-grpc-compression/internal/zstd to version 1.2.3 or higher.

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-GOLANG-GITHUBCOMMOSTYNBGOGRPCCOMPRESSIONINTERNALZSTD-7247335
published12 Jun 2024
disclosed10 Jun 2024
creditMiroslav Stampar

Report a new vulnerability Found a mistake?

Introduced: 10 Jun 2024

CWE-400 (opens in a new tab)

How to fix?

Upgrade github.com/mostynb/go-grpc-compression/internal/zstd to version 1.2.3 or higher.

Overview

Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') through the Decoder.DecodeAll function. An attacker can cause rapid memory usage increases by sending specially crafted gRPC requests.

Note: This is only exploitable if attackers can send gRPC payloads to users of the affected libraries.

Workaround

Other compression formats were not affected, users may consider switching from zstd to another format without upgrading to a newer release.

References

GitHub Commit

CVSS Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
None
Integrity (VI)
None
Availability (VA)
High

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None