CVE-2024-37168: 
JavaScript vulnerability analysis and mitigation

@grpc/grps-js, which implements the core functionality of gRPC purely in JavaScript without a C++ addon, was found to have a vulnerability affecting versions prior to 1.10.9, 1.9.15, and 1.8.22. The vulnerability was discovered and disclosed on June 10, 2024, and involves memory allocation issues with message handling (GitHub Advisory).

The vulnerability involves two distinct code paths where memory can be allocated per message exceeding the grpc.max_receive_message_length channel option: 1) When an incoming message has a size on the wire greater than the configured limit, the entire message is buffered before being discarded, and 2) When an incoming message has a size within the limit on the wire but decompresses to a size greater than the limit, the entire message is decompressed into memory and not discarded on the server. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.3 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (GitHub Advisory).

The vulnerability can lead to excessive memory allocation on systems running the affected versions of @grpc/grps-js, potentially causing denial of service conditions through resource exhaustion. This is particularly impactful as it bypasses the intended memory usage limitations set by the grpc.max_receive_message_length parameter (GitHub Advisory).

The vulnerability has been patched in versions 1.10.9, 1.9.15, and 1.8.22. Users are advised to upgrade to these or later versions to mitigate the vulnerability (GitHub Advisory).