VulnerableCode Package Details - pkg:pypi/grpcio@1.53.0rc2

Search for packages

Vulnerability	Summary	Fixed by
VCID-9rmn-3anf-fqcm Aliases: CVE-2023-33953 GHSA-496j-2rq6-j6cc	Excessive Iteration in gRPC gRPC contains a vulnerability that allows hpack table accounting errors could lead to unwanted disconnects between clients and servers in exceptional cases/ Three vectors were found that allow the following DOS attacks: - Unbounded memory buffering in the HPACK parser - Unbounded CPU consumption in the HPACK parser The unbounded CPU consumption is down to a copy that occurred per-input-block in the parser, and because that could be unbounded due to the memory copy bug we end up with an O(n^2) parsing loop, with n selected by the client. The unbounded memory buffering bugs: - The header size limit check was behind the string reading code, so we needed to first buffer up to a 4 gigabyte string before rejecting it as longer than 8 or 16kb. - HPACK varints have an encoding quirk whereby an infinite number of 0’s can be added at the start of an integer. gRPC’s hpack parser needed to read all of them before concluding a parse. - gRPC’s metadata overflow check was performed per frame, so that the following sequence of frames could cause infinite buffering: HEADERS: containing a: 1 CONTINUATION: containing a: 2 CONTINUATION: containing a: 3 etc…	1.53.2 Affected by 0 other vulnerabilities. 1.54.3 Affected by 0 other vulnerabilities. 1.55.2 Affected by 0 other vulnerabilities. 1.55.3 Affected by 0 other vulnerabilities. 1.56.2 Affected by 0 other vulnerabilities.
VCID-qatb-my8j-b3hr Aliases: CVE-2023-1428 GHSA-6628-q6j9-w8vg	gRPC Reachable Assertion issue There exists an vulnerability causing an abort() to be called in gRPC. The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB. We recommend upgrading past git commit 2485fa94bd8a723e5c977d55a3ce10b301b437f8 or v1.53 and above.	1.53.0 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-9rmn-3anf-fqcm
Aliases:
CVE-2023-33953
GHSA-496j-2rq6-j6cc

Excessive Iteration in gRPC gRPC contains a vulnerability that allows hpack table accounting errors could lead to unwanted disconnects between clients and servers in exceptional cases/ Three vectors were found that allow the following DOS attacks: - Unbounded memory buffering in the HPACK parser - Unbounded CPU consumption in the HPACK parser The unbounded CPU consumption is down to a copy that occurred per-input-block in the parser, and because that could be unbounded due to the memory copy bug we end up with an O(n^2) parsing loop, with n selected by the client. The unbounded memory buffering bugs: - The header size limit check was behind the string reading code, so we needed to first buffer up to a 4 gigabyte string before rejecting it as longer than 8 or 16kb. - HPACK varints have an encoding quirk whereby an infinite number of 0’s can be added at the start of an integer. gRPC’s hpack parser needed to read all of them before concluding a parse. - gRPC’s metadata overflow check was performed per frame, so that the following sequence of frames could cause infinite buffering: HEADERS: containing a: 1 CONTINUATION: containing a: 2 CONTINUATION: containing a: 3 etc…

1.53.2
Affected by 0 other vulnerabilities.

1.54.3
Affected by 0 other vulnerabilities.

1.55.2
Affected by 0 other vulnerabilities.

1.55.3
Affected by 0 other vulnerabilities.

1.56.2
Affected by 0 other vulnerabilities.

VCID-qatb-my8j-b3hr
Aliases:
CVE-2023-1428
GHSA-6628-q6j9-w8vg

gRPC Reachable Assertion issue There exists an vulnerability causing an abort() to be called in gRPC. The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB. We recommend upgrading past git commit 2485fa94bd8a723e5c977d55a3ce10b301b437f8 or v1.53 and above.

1.53.0
Affected by 4 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T22:35:59.606915+00:00	GitLab Importer	Affected by	VCID-9rmn-3anf-fqcm	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/grpcio/CVE-2023-33953.yml	38.4.0
2026-04-16T22:33:24.837280+00:00	GitLab Importer	Affected by	VCID-qatb-my8j-b3hr	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/grpcio/CVE-2023-1428.yml	38.4.0
2026-04-11T23:55:11.943114+00:00	GitLab Importer	Affected by	VCID-9rmn-3anf-fqcm	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/grpcio/CVE-2023-33953.yml	38.3.0
2026-04-11T23:52:21.627598+00:00	GitLab Importer	Affected by	VCID-qatb-my8j-b3hr	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/grpcio/CVE-2023-1428.yml	38.3.0
2026-04-02T23:58:19.101826+00:00	GitLab Importer	Affected by	VCID-9rmn-3anf-fqcm	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/grpcio/CVE-2023-33953.yml	38.1.0
2026-04-02T23:55:33.740984+00:00	GitLab Importer	Affected by	VCID-qatb-my8j-b3hr	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/grpcio/CVE-2023-1428.yml	38.1.0