Security Vulnerability: Uncontrolled Resource Consumption in @grpc/grpc-js (introduced via @google-cloud/pubsub & @google-cloud/logging-winston) #866
Labels: api: logging
Overview:
A security vulnerability (GHSA-7v5v-9h63-cj86) has been detected in @grpc/grpc-js, affecting projects that use @google-cloud/pubsub and @google-cloud/logging-winston. The vulnerability is related to uncontrolled resource consumption (CWE-789) and has a CVSS score of 6.9 (Medium severity).
Vulnerability Details:
Package Affected: @grpc/grpc-js
Introduced via:
@google-cloud/[email protected]
@google-cloud/[email protected]
CWE ID: [CWE-789](https://cwe.mitre.org/data/definitions/789.html)
CVE ID: [CVE-2024-37168](https://nvd.nist.gov/vuln/detail/CVE-2024-37168)
Exploit Maturity: No known exploits, but potential for excessive CPU/memory consumption.
Fixed in Versions: @grpc/[email protected], 1.9.15, 1.10.9
Impact:
This vulnerability can lead to uncontrolled resource consumption, which may degrade performance or cause availability issues under certain conditions.
Steps to Reproduce:
1. Install @google-cloud/[email protected] or @google-cloud/[email protected].
2. Run npm audit or snyk test to detect the vulnerability.
3. Observe that @grpc/grpc-js is flagged with GHSA-7v5v-9h63-cj86.
Suggested Fix:
Upgrade @grpc/grpc-js to 1.10.9 or higher in @google-cloud/pubsub and @google-cloud/logging-winston.
If possible, remove unnecessary dependencies on vulnerable versions.
Next Steps:
Can you confirm if a patch is planned for upcoming releases of @google-cloud/pubsub and @google-cloud/logging-winston to use the latest safe version of @grpc/grpc-js?
Looking forward to your response. Thanks for your help!
cc @ran2207
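Added example, not part of this issue or of either project: a small Node script that walks a package-lock.json (lockfileVersion 2 or 3 "packages" map) for every installed copy of @grpc/grpc-js, including copies nested under @google-cloud/pubsub or @google-cloud/logging-winston, and compares each against the fix versions the advisory lists above (1.9.15 and 1.10.9; the 1.8.x fix version is not legible above, so that line is reported as unknown). The sample lockfile is constructed, and treating releases after the 1.10 line as fixed is an assumption.

```javascript
// Fix versions from the advisory on this page; the 1.8.x fix version is not legible
// above, so that line (and anything older) is reported as "unknown".
const FIXED_BY_MINOR = { "1.9": "1.9.15", "1.10": "1.10.9" };
// Split "major.minor.patch" (any prerelease suffix ignored) into three numbers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}
// Negative if a < b, zero if equal, positive if a > b (numeric, not string, order).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}
// "fixed", "vulnerable", or "unknown" (a line the page gives no fix version for).
function classify(version) {
  const [major, minor] = parseVersion(version);
  if (major > 1 || (major === 1 && minor > 10)) return "fixed"; // assumed: 1.11+/2.x carry the fix
  const fixed = FIXED_BY_MINOR[`${major}.${minor}`];
  if (!fixed) return "unknown";
  return compareVersions(version, fixed) >= 0 ? "fixed" : "vulnerable";
}

// Walk the lockfileVersion 2/3 "packages" map. Nested copies live at paths such as
// node_modules/@google-cloud/pubsub/node_modules/@grpc/grpc-js, so match on the suffix.
function findGrpcJs(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/@grpc/grpc-js" || path.endsWith("/node_modules/@grpc/grpc-js")) {
      hits.push({ path, version: meta.version, status: classify(meta.version) });
    }
  }
  return hits;
}

// Constructed sample lockfile (not from a real project): the hoisted copy is patched,
// but a copy nested under @google-cloud/pubsub is still below 1.10.9.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/@grpc/grpc-js": { version: "1.10.9" },
    "node_modules/@google-cloud/pubsub/node_modules/@grpc/grpc-js": { version: "1.10.8" },
    "node_modules/@google-cloud/logging-winston/node_modules/@grpc/grpc-js": { version: "1.8.0" },
  },
};
for (const h of findGrpcJs(SAMPLE_LOCK)) {
  console.log(`${h.status.padEnd(10)} ${h.version.padEnd(8)} ${h.path}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync("package-lock.json", "utf8")); a nested "vulnerable" hit is the case where upgrading only the top-level dependency is not enough.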