Browse all 4 CVE security advisories affecting grpc. AI-powered Chinese analysis, POCs, and references for each vulnerability.
gRPC serves as a high-performance RPC framework enabling efficient communication between microservices. Historically, vulnerabilities have included remote code execution, denial-of-service, and authentication bypass flaws, with four CVEs currently documented. The framework's use of HTTP/2 and Protocol Buffers introduces potential attack surfaces in header parsing and service method exposure. While no major incidents have been widely reported, security researchers have identified issues in implementations affecting multiple vendors. Its strict typing and contract-first design offer some inherent security benefits, but misconfigurations remain a common risk factor in production deployments.
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-33186 | gRPC-Go has an authorization bypass via missing leading slash in :path — grpc-goCWE-285 | 9.1 | Critical | 2026-03-20 |
| CVE-2024-11407 | Denial of Service through Data corruption in gRPC-C++ — gRPC-C++CWE-682 | 7.5AI | HighAI | 2024-11-26 |
| CVE-2024-37168 | @grpc/grpc-js can allocate memory for incoming messages well above configured limits — grpc-nodeCWE-789 | 5.3 | Medium | 2024-06-10 |
| CVE-2022-24777 | Denial of Service via reachable assertion in grpc-swift — grpc-swiftCWE-617 | 7.5 | High | 2022-03-25 |
This page lists every published CVE security advisory associated with grpc. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.