CVE-2025-43855

tRPC allows users to build & consume fully typesafe APIs without schemas or code generation. In versions starting from 11.0.0 to before 11.1.1, an unhandled error is thrown when validating invalid connectionParams which crashes a tRPC WebSocket server. This allows any unauthenticated user to crash a tRPC 11 WebSocket server. Any tRPC 11 server with WebSocket enabled with a createContext method set is vulnerable. This issue has been patched in version 11.1.1.

CVSS

No CVSS.

References

Link	Resource
https://github.com/trpc/trpc/commit/9beb26c636d44852e0f407f3d7a82ad54df65b4d
https://github.com/trpc/trpc/security/advisories/GHSA-pj3v-9cm8-gvj8

Configurations

No configuration.

History

29 Apr 2025, 13:52

Type	Values Removed	Values Added
Summary		(es) tRPC permite a los usuarios crear y usar API con seguridad de tipos sin esquemas ni generación de código. En versiones anteriores a la 11.0.0 y anteriores a la 11.1.1, se genera un error no controlado al validar parámetros de conexión no válidos, lo que provoca el colapso de un servidor WebSocket tRPC. Esto permite que cualquier usuario no autenticado bloquee un servidor WebSocket tRPC 11. Cualquier servidor tRPC 11 con WebSocket habilitado y el método createContext establecido es vulnerable. Este problema se ha corregido en la versión 11.1.1.

24 Apr 2025, 14:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-04-24 14:15

Updated : 2025-04-29 13:52

NVD link : CVE-2025-43855

Mitre link : CVE-2025-43855

CVE.ORG link : CVE-2025-43855

JSON object : View

Products Affected

No product.

CWE

CWE-248

Uncaught Exception

{"id": "CVE-2025-43855", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-04-24T14:15:59.483", "references": [{"url": "https://github.com/trpc/trpc/commit/9beb26c636d44852e0f407f3d7a82ad54df65b4d", "source": "security-advisories@github.com"}, {"url": "https://github.com/trpc/trpc/security/advisories/GHSA-pj3v-9cm8-gvj8", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-248"}]}], "descriptions": [{"lang": "en", "value": "tRPC allows users to build & consume fully typesafe APIs without schemas or code generation. In versions starting from 11.0.0 to before 11.1.1, an unhandled error is thrown when validating invalid connectionParams which crashes a tRPC WebSocket server. This allows any unauthenticated user to crash a tRPC 11 WebSocket server. Any tRPC 11 server with WebSocket enabled with a createContext method set is vulnerable. This issue has been patched in version 11.1.1."}, {"lang": "es", "value": "tRPC permite a los usuarios crear y usar API con seguridad de tipos sin esquemas ni generaci\u00f3n de c\u00f3digo. En versiones anteriores a la 11.0.0 y anteriores a la 11.1.1, se genera un error no controlado al validar par\u00e1metros de conexi\u00f3n no v\u00e1lidos, lo que provoca el colapso de un servidor WebSocket tRPC. Esto permite que cualquier usuario no autenticado bloquee un servidor WebSocket tRPC 11. Cualquier servidor tRPC 11 con WebSocket habilitado y el m\u00e9todo createContext establecido es vulnerable. Este problema se ha corregido en la versi\u00f3n 11.1.1."}], "lastModified": "2025-04-29T13:52:47.470", "sourceIdentifier": "security-advisories@github.com"}