GHSA-8g29-8xwr-qmhr: @grackle-ai/server JSON.parse lacks try-catch logic in its gRPC Service AdapterConfig Handling
JSON.parse(env.adapterConfig) is called without error handling in three locations within the gRPC service. While the data originates from the server’s own SQLite database and should always be valid JSON, database corruption, migration errors, or unexpected state could cause an unhandled exception that crashes the gRPC handler.
Additionally, the parsed result is cast as Record<string, unknown> and passed to adapter methods without property validation, creating a theoretical prototype pollution surface if the database is compromised.
Affected code:
packages/server/src/grpc-service.ts:415—reconnectOrProvisionhandlerpackages/server/src/grpc-service.ts:482—stopEnvironmenthandlerpackages/server/src/grpc-service.ts:498—destroyEnvironmenthandler
References
Code Behaviors & Features
Detect and mitigate GHSA-8g29-8xwr-qmhr with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →