
Cloud Vulnerability DB
A community-led vulnerabilities database
The gRPC-Go HTTP/2 Rapid Reset vulnerability (GHSA-m425-mq94-257g) is a high-severity security issue affecting gRPC-Go versions before 1.56.3, the 1.57.x line before 1.57.1, and the 1.58.x line before 1.58.3. The advisory was published on October 25, 2023, and affects gRPC-Go, the Go implementation of gRPC, an open-source RPC framework that runs over HTTP/2. This vulnerability is gRPC-Go's instance of the broader HTTP/2 Rapid Reset attack pattern tracked as CVE-2023-44487 (GitHub Advisory).
The attack uses only legal HTTP/2: the client opens a stream with a HEADERS frame, cancels it immediately with RST_STREAM, and repeats. Each reset frees the stream's slot against the connection's concurrent-stream limit, but the server has already started a method handler for the request, and that handler keeps running after the stream is gone. Repeating this quickly keeps the transport's count of open streams near zero while the number of running handlers grows, so the gRPC-Go server launches far more concurrent method handlers than the configured maximum stream limit. The vulnerability has been assigned a CVSS v3.1 score of 7.5 (High), with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating it can be exploited remotely with no privileges or user interaction required and impacts availability only (GitHub Advisory).
When exploited, this vulnerability leads to excessive server resource consumption (goroutines, memory, and whatever work the handlers perform) and potential denial of service. Because the per-connection stream limit is never reached, a single connection can have an effectively unbounded number of requests in flight. This creates an exploitable cost asymmetry between server and client: the server commits a handler and its resources for every request, while the client spends only two small frames per request (GitHub Advisory).
The vulnerability has been patched in versions 1.56.3, 1.57.1, and 1.58.3, and the fix is included in 1.59.0 and later. The patched server refuses to start more than MaxConcurrentStreams handlers per connection at once, so a cancelled stream no longer lets the client slip past the limit. Users are strongly advised to upgrade to a patched version. Additionally, it is recommended to set the grpc.MaxConcurrentStreams server option to a value sized for the deployment, so that the server's resources for any single connection are bounded; on an unpatched server the option alone does not help, because the bug is precisely that handlers outlive the streams the option counts. The advisory lists no workaround other than applying the available patches (GitHub Advisory).
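The following is an added simulation, written for this page and not taken from gRPC-Go, of the stream accounting the two paragraphs above describe. A single reader loop replays a constructed burst of HEADERS/RST_STREAM frames through a toy server; with `patched=false` only the transport's open-stream counter is enforced and every request spawns a handler, with `patched=true` a quota token (modelled here as a buffered channel, standing in for the handler limit the fix introduced) must be held from handler start to handler return, which stalls the reader loop once the limit is reached. The frame types, the `serveConnection` function and the `report` struct are all assumptions of this example.

```go
package main

import (
	"fmt"
	"sync"
)

// Constructed stand-ins for the two HTTP/2 frames the attack uses. This is a
// simulation of the server's stream accounting, not gRPC-Go code.
type frameKind int

const (
	frameHeaders   frameKind = iota // opens a new stream (a request)
	frameRstStream                  // cancels the stream
)

type frame struct {
	kind     frameKind
	streamID uint32
}

// rapidResetBurst builds the attacker's frame sequence: n requests, each
// cancelled immediately after it is opened. Client-initiated stream IDs are odd.
func rapidResetBurst(n int) []frame {
	frames := make([]frame, 0, 2*n)
	for i := 0; i < n; i++ {
		id := uint32(2*i + 1)
		frames = append(frames, frame{frameHeaders, id}, frame{frameRstStream, id})
	}
	return frames
}

// report is what the simulation returns for inspection.
type report struct {
	HandlersRunning      int  // method handlers alive when the reader loop ended
	TransportStreamsOpen int  // streams the transport still counts as active
	FramesProcessed      int  // frames the reader loop consumed before stopping
	ReaderStalled        bool // patched server stopped reading for lack of handler quota
}

// serveConnection replays frames through one reader loop, the way one transport
// goroutine serves one HTTP/2 connection. maxStreams plays the role of
// MaxConcurrentStreams. Handlers block on `done` until the caller releases them,
// standing in for RPC work that outlives the client's cancellation.
func serveConnection(frames []frame, maxStreams int, patched bool) report {
	var (
		r       report
		wg      sync.WaitGroup
		done    = make(chan struct{})
		quota   = make(chan struct{}, maxStreams) // handler tokens (patched mode only)
		open    = map[uint32]bool{}               // transport-level open streams
		running int
	)
	handler := func() {
		defer wg.Done()
		<-done
		if patched {
			<-quota // the token is released only when the handler finishes
		}
	}
loop:
	for _, f := range frames {
		switch f.kind {
		case frameHeaders:
			if len(open) >= maxStreams {
				// Transport-level limit reached: refuse the stream. The attack
				// never triggers this, because every stream is reset at once.
				break
			}
			if patched {
				select {
				case quota <- struct{}{}:
				default:
					// No handler quota left: in the fix the reader loop blocks
					// here, so the client cannot open further streams.
					r.ReaderStalled = true
					break loop
				}
			}
			open[f.streamID] = true
			running++
			wg.Add(1)
			go handler()
		case frameRstStream:
			// Cancellation frees the transport's stream slot immediately,
			// but the handler it spawned keeps running.
			delete(open, f.streamID)
		}
		r.FramesProcessed++
	}
	r.HandlersRunning = running
	r.TransportStreamsOpen = len(open)
	close(done)
	wg.Wait()
	return r
}

func main() {
	burst := rapidResetBurst(1000)
	for _, patched := range []bool{false, true} {
		fmt.Printf("patched=%v: %+v\n", patched, serveConnection(burst, 10, patched))
	}
}
```

With a limit of 10 and a burst of 1000 requests, the unpatched loop ends with 1000 handlers running and zero streams open, which is the asymmetry the text describes; the patched loop starts 10 handlers and then stops consuming frames until one of them returns.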
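As an added example (not part of the advisory or of gRPC-Go), the check below encodes the affected ranges listed above and scans `go list -m all` output for the gRPC-Go dependency. The module listing is constructed for the example, and the function names are assumptions; pre-release and pseudo-version suffixes are dropped before comparing, so a version such as `v1.58.3-0.2023...` (which sorts before `v1.58.3`) should be checked by hand.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample of `go list -m all` output; not from a real project.
const sampleModules = `example.com/myservice
golang.org/x/net v0.17.0
google.golang.org/grpc v1.57.0
google.golang.org/protobuf v1.31.0
`

// parseVersion turns "v1.57.0" into [major, minor, patch]. Any "-pre" or
// "+build" suffix is dropped, so pseudo-versions are compared as their base.
func parseVersion(v string) ([3]int, error) {
	var out [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("not a semver string: %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("bad component %q in %q", p, v)
		}
		out[i] = n
	}
	return out, nil
}

// grpcGoAffected reports whether a gRPC-Go version falls in the ranges the
// advisory lists: < 1.56.3, 1.57.0 to 1.57.0, and 1.58.0 to 1.58.2.
func grpcGoAffected(version string) (bool, error) {
	v, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	switch {
	case v[0] == 0:
		return true, nil
	case v[0] > 1:
		return false, nil
	case v[1] < 56:
		return true, nil
	case v[1] == 56:
		return v[2] < 3, nil
	case v[1] == 57:
		return v[2] < 1, nil
	case v[1] == 58:
		return v[2] < 3, nil
	default:
		return false, nil
	}
}

// checkModules finds google.golang.org/grpc in `go list -m all` output and
// reports the version in use and whether it is affected. A replace directive
// prints as "path version => path version"; the last field is what is built.
func checkModules(goList string) (version string, affected bool, err error) {
	for _, line := range strings.Split(goList, "\n") {
		fields := strings.Fields(line)
		if len(fields) < 2 || fields[0] != "google.golang.org/grpc" {
			continue
		}
		version = fields[len(fields)-1]
		affected, err = grpcGoAffected(version)
		return version, affected, err
	}
	return "", false, fmt.Errorf("google.golang.org/grpc not found in module list")
}

func main() {
	ver, affected, err := checkModules(sampleModules)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("google.golang.org/grpc %s affected by GHSA-m425-mq94-257g: %v\n", ver, affected)
}
```

In a real tree, pipe `go list -m all` into `checkModules` instead of the constructed constant; a local directory replacement (`=> ../grpc`) produces a parse error rather than a verdict, which is the right outcome for a version the listing cannot name.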
Source: This report was generated using AI