
GHSA-87m9-rv8p-rgmg: go-grpc-compression has a zstd decompression bombing vulnerability

June 10, 2024

A malicious user could cause a denial of service (DoS) by sending a specially crafted gRPC request. The zstd decompression path did not respect the message size limits imposed by gRPC, allowing memory usage to grow rapidly.

Versions v1.1.4 through v1.2.2 used the Decoder.DecodeAll function from github.com/klauspost/compress/zstd to decompress data supplied by the peer. The vulnerability is exploitable only by attackers who can send gRPC payloads to users of github.com/mostynb/go-grpc-compression/zstd or github.com/mostynb/go-grpc-compression/nonclobbering/zstd.
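The failure mode the advisory describes, as an added example that is neither the project's code nor its fix: an eager decoder (the shape of DecodeAll) materialises a peer-chosen amount of output before gRPC's receive limit can act, whereas a streaming reader lets the limit+1 read that gRPC-Go performs on the decompressed stream stop early. It uses the standard library's compress/gzip as a stand-in for the zstd decoder so it runs offline; bombReader, limitedRead, eager and streaming are names chosen here, and the 8 MiB payload and 64 KiB limit are constructed values.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"fmt"
	"io"
)

// bombReader builds a constructed payload of n zero bytes (a few KiB once
// compressed; gzip stands in for zstd here) and opens a decoder on it.
func bombReader(n int) io.Reader {
	var buf bytes.Buffer
	w := gzip.NewWriter(&buf)
	w.Write(make([]byte, n))
	w.Close()
	zr, _ := gzip.NewReader(&buf) // constructed input, cannot be malformed
	return zr
}

// limitedRead mirrors the check gRPC-Go applies to the reader Decompress
// returns: read at most limit+1 bytes and reject the message if the extra byte shows up.
func limitedRead(r io.Reader, limit int) ([]byte, error) {
	out, err := io.ReadAll(io.LimitReader(r, int64(limit)+1))
	if err == nil && len(out) > limit {
		err = fmt.Errorf("decompressed message exceeds %d-byte receive limit", limit)
	}
	return out, err
}

// eager is the vulnerable shape (cf. Decoder.DecodeAll): the whole payload is
// expanded before the limit acts. It reports how many bytes were materialised.
func eager(zr io.Reader, limit int) (int, error) {
	all, err := io.ReadAll(zr) // allocation size is chosen by the peer
	if err == nil {
		_, err = limitedRead(bytes.NewReader(all), limit)
	}
	return len(all), err
}

// streaming is the hardened shape: hand the decoder itself to the limited read.
func streaming(zr io.Reader, limit int) (int, error) {
	out, err := limitedRead(zr, limit)
	return len(out), err
}

func main() { // an 8 MiB bomb against a 64 KiB receive limit
	fmt.Println(eager(bombReader(8<<20), 64<<10))     // 8388608 bytes materialised, then rejected
	fmt.Println(streaming(bombReader(8<<20), 64<<10)) // 65537 bytes produced, rejected
}
```

Both paths reject the message; the difference is that the eager path has already allocated the full 8 MiB by the time the limit is checked, which is the resource exhaustion CWE-400 describes.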

References

  • github.com/advisories/GHSA-87m9-rv8p-rgmg
  • github.com/mostynb/go-grpc-compression
  • github.com/mostynb/go-grpc-compression/commit/629c44d3acb9624993cc7de629f47d72109e2ce5
  • github.com/mostynb/go-grpc-compression/security/advisories/GHSA-87m9-rv8p-rgmg

Affected versions

All versions starting from 1.1.4 before 1.2.3

Fixed versions

  • 1.2.3

Solution

Upgrade to version 1.2.3 or above.

Impact 7.5 HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Weakness

  • CWE-400: Uncontrolled Resource Consumption

Source file

go/github.com/mostynb/go-grpc-compression/GHSA-87m9-rv8p-rgmg.yml

Page generated Wed, 14 May 2025 12:14:44 +0000.