google.golang.org/grpc-v1.60.1: 3 vulnerabilities (highest severity is: 7.5)

[mend-bolt-for-github]

Vulnerable Library - google.golang.org/grpc-v1.60.1

Path to dependency file: /capten/go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/golang.org/x/net/@v/v0.21.0.mod

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (google.golang.org/grpc-v1.60.1 version)	Remediation Possible**
CVE-2023-45288	High	7.5	golang.org/x/net-v0.21.0	Transitive	N/A*	❌
CVE-2024-45338	Medium	5.3	golang.org/x/net-v0.21.0	Transitive	N/A*	❌
CVE-2025-22870	Medium	4.4	golang.org/x/net-v0.21.0	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-45288

Vulnerable Library - golang.org/x/net-v0.21.0

Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.21.0.zip

Path to dependency file: /capten/go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/golang.org/x/net/@v/v0.21.0.mod

Dependency Hierarchy:

• google.golang.org/grpc-v1.60.1 (Root Library)
  • ❌ golang.org/x/net-v0.21.0 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.

Publish Date: 2024-04-04

URL: CVE-2023-45288

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2023-10-06

Fix Resolution: golang/net - v0.23.0

Step up your Open Source Security Game with Mend here

CVE-2024-45338

Vulnerable Library - golang.org/x/net-v0.21.0

Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.21.0.zip

Path to dependency file: /capten/go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/golang.org/x/net/@v/v0.21.0.mod

Dependency Hierarchy:

• google.golang.org/grpc-v1.60.1 (Root Library)
  • ❌ golang.org/x/net-v0.21.0 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

Publish Date: 2024-12-18

URL: CVE-2024-45338

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2024-12-18

Fix Resolution: github.com/golang/net-v0.33.0

Step up your Open Source Security Game with Mend here

CVE-2025-22870

Vulnerable Library - golang.org/x/net-v0.21.0

Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.21.0.zip

Path to dependency file: /capten/go.mod

Path to vulnerable library: /go/pkg/mod/cache/download/golang.org/x/net/@v/v0.21.0.mod

Dependency Hierarchy:

• google.golang.org/grpc-v1.60.1 (Root Library)
  • ❌ golang.org/x/net-v0.21.0 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In Go net/http, x/net/proxy, x/net/http/httpproxy there is a proxy bypass vulnerability using IPv6 zone IDs. Matching of hosts against proxy patterns could improperly treat an IPv6 zone ID
as a hostname component. For example, when the NO_PROXY environment variable was
set to "*.example.com", a request to "[::1%25.example.com]:80` would incorrectly
match and not be proxied. This affects versions before 1.23.7 and 1.24.x before 1.24.1.

Publish Date: 2025-03-12

URL: CVE-2025-22870

CVSS 3 Score Details (4.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-qxp5-gwg8-xv66

Release Date: 2025-03-12

Fix Resolution: 0.36.0

Step up your Open Source Security Game with Mend here