
[SECURITY] Project vulnerable due to grpc-netty-shaded dependency (CVE-2025-55163)

Open apodznoev opened this issue 3 months ago • 3 comments

The context

The project appears to be affected by CVE-2025-55163, which impacts the io.grpc:grpc-netty-shaded dependency transitively brought in by io.grpc.

Dependency Reference: The vulnerable dependency is introduced at https://github.com/grpc-ecosystem/grpc-spring/blob/master/build.gradle#L14C9-L14C20 at version 1.63.0; the vulnerability is fixed in 1.75.0.

Impact: The referenced CVE describes a vulnerability that could allow attackers to exploit network traffic processed by grpc-netty-shaded, potentially leading to denial of service or other security issues.

Remediation: Update io.grpc:grpc-bom to the patched version 1.75.0, as recommended in the advisory.

apodznoev avatar Oct 06 '25 06:10 apodznoev

@apodznoev https://github.com/grpc-ecosystem/grpc-spring/issues/1185

backnight avatar Nov 02 '25 22:11 backnight

If we replace the transitive dependency io.grpc:grpc-netty-shaded to explicitly use 1.75.0 (or higher), would there be any issues?

dlegaspi-ias avatar Dec 06 '25 00:12 dlegaspi-ias

We did the replacement to 1.75.0 at our own risk and, except for a few compilation issues, everything is running well in our case.

apodznoev avatar Dec 06 '25 08:12 apodznoev
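One way to do the override asked about in this thread, as an added example and not code from the grpc-spring project or from any commenter: a consumer build.gradle (Groovy DSL) that forces every io.grpc artifact, including the transitively pulled io.grpc:grpc-netty-shaded, to 1.75.0 through an enforced grpc-bom platform, plus a task that fails the build if any io.grpc artifact still resolves to another version. The grpc-spring starter coordinates and the version placeholder are assumptions (substitute the ones you actually use), and the task wiring assumes the Java plugin's `check` task is present.

```groovy
// Added example (not from the grpc-spring project or this thread): pin every io.grpc
// artifact to 1.75.0 in a consumer build and verify the pin at build time.
def grpcVersion = '1.75.0'   // first release with the CVE-2025-55163 fix, per the issue

dependencies {
    // enforcedPlatform makes this BOM's versions win over the 1.63.0 BOM that
    // grpc-spring brings in transitively (a plain platform() would only add constraints,
    // which Gradle merges with other constraints rather than enforcing).
    implementation enforcedPlatform("io.grpc:grpc-bom:${grpcVersion}")

    // Assumption: your grpc-spring starter; replace coordinates and version with yours.
    implementation 'net.devh:grpc-server-spring-boot-starter:<your-version>'

    // Declare the shaded transport explicitly so the override is visible in the build
    // file; the version is supplied by the enforced BOM above.
    implementation 'io.grpc:grpc-netty-shaded'
}

// Belt and braces: fail the build if anything on the runtime classpath still
// resolves an io.grpc artifact to a version other than the pinned one.
tasks.register('checkGrpcVersion') {
    description = 'Fails if any io.grpc artifact on runtimeClasspath is not at the pinned version'
    doLast {
        def offenders = configurations.runtimeClasspath.resolvedConfiguration.resolvedArtifacts
            .collect { it.moduleVersion.id }
            .findAll { it.group == 'io.grpc' && it.version != grpcVersion }
            .unique()
        if (offenders) {
            throw new GradleException("io.grpc artifacts not at ${grpcVersion}: ${offenders}")
        }
        println "All io.grpc artifacts resolved to ${grpcVersion}"
    }
}

// Run the check as part of the normal build (assumes the Java plugin's 'check' task).
tasks.named('check') { dependsOn 'checkGrpcVersion' }
```

To see which declaration wins and who requested the 1.63.0 version, run `./gradlew dependencyInsight --dependency io.grpc:grpc-netty-shaded --configuration runtimeClasspath`; the "selected" line should show 1.75.0 with the enforced platform as the reason. If you want "1.75.0 or higher" rather than an exact pin, swap `enforcedPlatform` for `platform` and relax the `it.version != grpcVersion` check accordingly, but note that a plain `platform` lets the highest version requested anywhere in the graph win, so the verification task is what actually guarantees the floor.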