{"id":"GO-2023-2153","summary":"Denial of service from HTTP/2 Rapid Reset in google.golang.org/grpc","details":"An attacker can send HTTP/2 requests, cancel them, and send subsequent requests. This is valid by the HTTP/2 protocol, but would cause the gRPC-Go server to launch more concurrent method handlers than the configured maximum stream limit, grpc.MaxConcurrentStreams. This results in a denial of service due to resource consumption.","aliases":["GHSA-m425-mq94-257g"],"modified":"2026-03-17T04:49:02.994992Z","published":"2023-11-01T22:39:27Z","related":["CGA-qcrv-g9rg-9346","CVE-2023-44487"],"database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2023-2153"},"references":[{"type":"WEB","url":"https://github.com/grpc/grpc-go/pull/6703"},{"type":"FIX","url":"https://github.com/grpc/grpc-go/commit/f2180b4d5403d2210b30b93098eb7da31c05c721"}],"affected":[{"package":{"name":"google.golang.org/grpc","ecosystem":"Go","purl":"pkg:golang/google.golang.org/grpc"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.56.3"},{"introduced":"1.57.0"},{"fixed":"1.57.1"},{"introduced":"1.58.0"},{"fixed":"1.58.3"}]}],"ecosystem_specific":{"imports":[{"symbols":["NewServerTransport"],"path":"google.golang.org/grpc/internal/transport"},{"symbols":["NewServer","Server.Serve","Server.initServerWorkers"],"path":"google.golang.org/grpc"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2023-2153.json"}}],"schema_version":"1.7.5"}