CVE-2025-43855: 
JavaScript vulnerability analysis and mitigation

tRPC allows users to build & consume fully typesafe APIs without schemas or code generation. In versions starting from 11.0.0 to before 11.1.1, an unhandled error is thrown when validating invalid connectionParams which crashes a tRPC WebSocket server. This allows any unauthenticated user to crash a tRPC 11 WebSocket server. Any tRPC 11 server with WebSocket enabled with a createContext method set is vulnerable. This issue has been patched in version 11.1.1 (MITRE, GitHub Advisory).

The vulnerability exists in the connectionParams logic introduced in the WebSocket implementation. During validation, if the object does not match an expected shape, an error is thrown in the parseConnectionParams function. While there is error handling in createCtxPromise() to catch errors and pass them to the opts.onError handler, the handler then rethrows the error. Since this is triggered from the WebSocket message event with no higher level error handling, it causes an uncaught exception and crashes the server process. The vulnerability has been assigned a CVSS v4.0 base score of 8.7 (High) with vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N (GitHub Advisory).

When successfully exploited, this vulnerability allows an unauthenticated remote attacker to cause a denial of service by crashing any tRPC 11 WebSocket server. The impact is particularly severe as it affects the availability of the server process itself, requiring a restart to restore service (GitHub Advisory).

The vulnerability has been fixed in tRPC version 11.1.1. Users should upgrade to this version or later to address the issue. The fix involves removing the error re-throw after it has been handled, preventing the uncaught exception that causes the server crash (GitHub Advisory).