CVE-2022-24777: Denial of Service via reachable assertion

June 9, 2023 (updated February 9, 2024)

A grpc-swift server is vulnerable to a denial of service attack via a reachable assertion. This was due to incorrect logic when handling GOAWAY frames.

The attack is low-effort: it takes very little resources to construct and send the required sequence of frames. The impact on availability is high as the server will crash, dropping all in flight connections and requests.

The issue was discovered by automated fuzz testing and is resolved by fixing the relevant state handling code.

References

github.com/advisories/GHSA-r6ww-5963-7r95
github.com/grpc/grpc-swift
github.com/grpc/grpc-swift/commit/858f977f2a51fca2292f384cf7a108dc2e73a3bd
github.com/grpc/grpc-swift/security/advisories/GHSA-r6ww-5963-7r95
nvd.nist.gov/vuln/detail/CVE-2022-24777

Detect and mitigate CVE-2022-24777 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →