CVE-2024-47609: 
Rust vulnerability analysis and mitigation

CVE-2024-47609 affects Tonic, a native gRPC client & server implementation with async/await support. The vulnerability was discovered and disclosed on October 1, 2024, affecting versions 0.12.0 through 0.12.2. When using tonic::transport::Server, there exists a remote Denial of Service (DoS) vulnerability that can cause the server to exit cleanly upon accepting a TCP/TLS stream (GitHub Advisory).

The vulnerability occurs when the accept call errors out with specific error conditions that were not properly handled, causing the accept loop to exit. The issue is specifically related to error handling in the incoming socket stream. The CVSS v4.0 score is 6.9 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/U:Green. The vulnerability is classified under CWE-755 (Improper Handling of Exceptional Conditions) (NVD).

The vulnerability allows remote attackers to cause a denial of service condition by triggering specific error conditions during TCP/TLS stream acceptance. When successfully exploited, the server process exits cleanly without any error messages, potentially disrupting service availability (GitHub Issue).

The primary mitigation is to upgrade to Tonic version 0.12.3 or later, which contains the fix for this vulnerability. As a workaround, users can implement a custom accept loop if upgrading is not immediately possible (GitHub Advisory).