Impact
An attacker can bypass authorization mechanisms to access restricted gRPC services and methods [S1]. This could lead to unauthorized data access, modification, or execution of administrative functions depending on the exposed gRPC service [S1].
Root Cause
The root cause is improper input validation of the HTTP/2 :path pseudo-header in the gRPC-Go server implementation [S1]. In versions prior to 1.79.3, the server's routing logic was overly lenient [S1]. Specifically, it failed to correctly handle or reject requests where the :path header was omitted, leading to incorrect routing decisions that bypassed security interceptors or authorization checks [S1].
Technical Details
gRPC relies on the HTTP/2 protocol, where the :path pseudo-header typically contains the service and method name [S1]. Authorization plugins and interceptors often use this path to determine if a user has the required permissions [S1]. By crafting a request that exploits the server's leniency in validating this header, an attacker can cause the server to process a request that should have been blocked by the authorization layer [S1].
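As an added illustration (not code from the advisory or from gRPC-Go itself): a fail-closed authorization check on the method path, in Go using only the standard library, so that an empty or malformed path is denied before any policy lookup rather than falling through to a default. The Authorize function, the policy map and the service names are constructed for this example; in a real server the same function would be called from a grpc.UnaryServerInterceptor with info.FullMethod, which is the value derived from the :path pseudo-header.

```go
// Defensive authorization check for a gRPC-Go server: deny by default on
// empty, malformed or unknown method paths instead of treating them as allowed.
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// gRPC method paths have the form "/package.Service/Method". Anything else,
// including the empty string, is rejected before the policy is consulted.
var methodPath = regexp.MustCompile(`^/[A-Za-z_][A-Za-z0-9_.]*/[A-Za-z_][A-Za-z0-9_]*$`)

// ErrDenied wraps every refusal so callers can map it to codes.PermissionDenied.
var ErrDenied = errors.New("permission denied")

// policy maps a full method name to the roles allowed to call it.
// Constructed sample policy; service and method names are hypothetical.
var policy = map[string]map[string]bool{
	"/admin.v1.Admin/DropUser": {"admin": true},
	"/users.v1.Users/GetUser":  {"admin": true, "user": true},
}

// Authorize decides whether a caller holding role may invoke fullMethod
// (the string grpc.UnaryServerInfo.FullMethod carries). Unknown, empty or
// malformed paths are refused, so a request that reached the handler chain
// without a usable path cannot slip past the policy.
func Authorize(fullMethod, role string) error {
	if !methodPath.MatchString(fullMethod) {
		return fmt.Errorf("%w: malformed method path %q", ErrDenied, fullMethod)
	}
	allowed, known := policy[fullMethod]
	if !known {
		return fmt.Errorf("%w: no policy for %s", ErrDenied, fullMethod)
	}
	if !allowed[role] {
		return fmt.Errorf("%w: role %q may not call %s", ErrDenied, role, fullMethod)
	}
	return nil
}

func main() {
	for _, tc := range []struct{ path, role string }{
		{"/users.v1.Users/GetUser", "user"}, // allowed
		{"/admin.v1.Admin/DropUser", "user"}, // wrong role
		{"", "admin"},                        // missing path: denied, not ignored
		{"/users.v1.Users/", "admin"},        // malformed: no method segment
	} {
		fmt.Printf("%-28q %-6s -> %v\n", tc.path, tc.role, Authorize(tc.path, tc.role))
	}
}
```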
How FixVibe could detect it
FixVibe could detect this vulnerability through its active probing engine by performing the following checks:
- Version Fingerprinting: Identifying the gRPC-Go server version via analysis of response behaviors [S1].
- Malformed HTTP/2 Probes: Sending specially crafted HTTP/2 frames to the gRPC endpoint that omit the :path pseudo-header to observe whether the server incorrectly routes the request [S1].
- Dependency Scanning: Identifying vulnerable versions of google.golang.org/grpc in project manifest files [S1].
Fix
Update gRPC-Go to version 1.79.3 or later to ensure proper validation of HTTP/2 pseudo-headers and correct routing logic [S1].
