CVE-2024-8391: Vertx gRPC server does not limit the maximum message size

September 4, 2024

In Eclipse Vert.x version 4.3.0 to 4.5.9, the gRPC server does not limit the maximum length of message payload (Maven GAV: io.vertx:vertx-grpc-server and io.vertx:vertx-grpc-client).

This is fixed in the 4.5.10 version.

Note this does not affect the Vert.x gRPC server based grpc-java and Netty libraries (Maven GAV: io.vertx:vertx-grpc)

References

github.com/advisories/GHSA-g76f-gjfx-4rpr
github.com/eclipse-vertx/vertx-grpc
github.com/eclipse-vertx/vertx-grpc/commit/a76b14a92410c89fcc590c5852d800b565916ccf
github.com/eclipse-vertx/vertx-grpc/issues/113
gitlab.eclipse.org/security/cve-assignement/-/issues/31
nvd.nist.gov/vuln/detail/CVE-2024-8391

Detect and mitigate CVE-2024-8391 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →