CVE-2024-7246

It's possible for a gRPC client communicating with a HTTP/2 proxy to poison the HPACK table between the proxy and the backend such that other clients see failed requests. It's also possible to use this vulnerability to leak other clients HTTP header keys, but not values. This occurs because the error status for a misencoded header is not cleared between header reads, resulting in subsequent (incrementally indexed) added headers in the first request being poisoned until cleared from the HPACK table. Please update to a fixed version of gRPC as soon as possible. This bug has been fixed in 1.58.3, 1.59.5, 1.60.2, 1.61.3, 1.62.3, 1.63.2, 1.64.3, 1.65.4.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/grpc/grpc/issues/36245	Exploit Issue Tracking Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:grpc:grpc::::::-::*
	cpe:2.3:a:grpc:grpc::::::-::*
	cpe:2.3:a:grpc:grpc::::::-::*
	cpe:2.3:a:grpc:grpc::::::-::*
	cpe:2.3:a:grpc:grpc::::::-::*
	cpe:2.3:a:grpc:grpc::::::-::*
	cpe:2.3:a:grpc:grpc::::::-::*
	cpe:2.3:a:grpc:grpc::::::-::*

History

22 Jul 2025, 19:29

Type	Values Removed	Values Added
First Time		Grpc Grpc grpc
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.3
References	~~() https://github.com/grpc/grpc/issues/36245 -~~	() https://github.com/grpc/grpc/issues/36245 - Exploit, Issue Tracking, Patch
CPE		cpe:2.3:a:grpc:grpc::::::-::*
CWE		NVD-CWE-noinfo

Information

Published : 2024-08-06 11:16

Updated : 2025-07-22 19:29

NVD link : CVE-2024-7246

Mitre link : CVE-2024-7246

CVE.ORG link : CVE-2024-7246

JSON object : View

Products Affected

grpc

grpc

CWE

CWE-440

Expected Behavior Violation

NVD-CWE-noinfo

{"id": "CVE-2024-7246", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "cve-coordination@google.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2024-08-06T11:16:07.587", "references": [{"url": "https://github.com/grpc/grpc/issues/36245", "tags": ["Exploit", "Issue Tracking", "Patch"], "source": "cve-coordination@google.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "cve-coordination@google.com", "description": [{"lang": "en", "value": "CWE-440"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "It's possible for a gRPC client communicating with a HTTP/2 proxy to poison the HPACK table between the proxy and the backend such that other clients see failed requests. It's also possible to use this vulnerability to leak other clients HTTP header keys, but not values.\n\nThis occurs because the error status for a misencoded header is not cleared between header reads, resulting in subsequent (incrementally indexed) added headers in the first request being poisoned until cleared from the HPACK table.\n\nPlease update to a fixed version of gRPC as soon as possible. This bug has been fixed in 1.58.3, 1.59.5, 1.60.2, 1.61.3, 1.62.3, 1.63.2, 1.64.3, 1.65.4."}, {"lang": "es", "value": "Es posible que un cliente gRPC que se comunica con un proxy HTTP/2 envenene la tabla HPACK entre el proxy y el backend de modo que otros clientes vean solicitudes fallidas. Tambi\u00e9n es posible utilizar esta vulnerabilidad para filtrar claves de encabezado HTTP de otros clientes, pero no valores. Esto ocurre porque el estado de error de un encabezado mal codificado no se borra entre lecturas de encabezado, lo que da como resultado que los encabezados agregados posteriores (indexados incrementalmente) en la primera solicitud se envenenen hasta que se eliminen de la tabla HPACK. Actualice a una versi\u00f3n fija de gRPC lo antes posible. Este error se solucion\u00f3 en 1.58.3, 1.59.5, 1.60.2, 1.61.3, 1.62.3, 1.63.2, 1.64.3, 1.65.4."}], "lastModified": "2025-07-22T19:29:58.023", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:grpc:grpc:*:*:*:*:*:-:*:*", "vulnerable": true, "matchCriteriaId": "E7E19921-E4A2-4128-A0F5-580BE8C27269", "versionEndExcluding": "1.58.3"}, {"criteria": "cpe:2.3:a:grpc:grpc:*:*:*:*:*:-:*:*", "vulnerable": true, "matchCriteriaId": "DAA7F2A3-FAF9-4547-A83E-B1C26C6AE04C", "versionEndExcluding": "1.59.5", "versionStartIncluding": "1.59.0"}, {"criteria": "cpe:2.3:a:grpc:grpc:*:*:*:*:*:-:*:*", "vulnerable": true, "matchCriteriaId": "ADAE911C-72D1-4158-91AC-E837027123E9", "versionEndExcluding": "1.60.2", "versionStartIncluding": "1.60.0"}, {"criteria": "cpe:2.3:a:grpc:grpc:*:*:*:*:*:-:*:*", "vulnerable": true, "matchCriteriaId": "CD0A981B-0EF3-4FD4-BB2E-1FEAD305CAC5", "versionEndExcluding": "1.61.3", "versionStartIncluding": "1.61.0"}, {"criteria": "cpe:2.3:a:grpc:grpc:*:*:*:*:*:-:*:*", "vulnerable": true, "matchCriteriaId": "2D2DBAB4-8FBE-488A-A386-3B8DA42997EF", "versionEndExcluding": "1.62.3", "versionStartIncluding": "1.62.0"}, {"criteria": "cpe:2.3:a:grpc:grpc:*:*:*:*:*:-:*:*", "vulnerable": true, "matchCriteriaId": "0209CF13-5E06-4C28-8BCE-7AC39A9E5A84", "versionEndExcluding": "1.63.2", "versionStartIncluding": "1.63.0"}, {"criteria": "cpe:2.3:a:grpc:grpc:*:*:*:*:*:-:*:*", "vulnerable": true, "matchCriteriaId": "2299F33C-A39B-410F-82BB-BE0341084908", "versionEndExcluding": "1.64.3", "versionStartIncluding": "1.64.0"}, {"criteria": "cpe:2.3:a:grpc:grpc:*:*:*:*:*:-:*:*", "vulnerable": true, "matchCriteriaId": "BD0C0367-33F4-4EAE-A183-38F0F009AE21", "versionEndExcluding": "1.65.4", "versionStartIncluding": "1.65.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve-coordination@google.com"}