All gRPC-Go CVEs — Complete Vulnerability History
gRPC-Go is Go's gRPC implementation. CVE-2023-44487 (HTTP/2 Rapid Reset) affected it severely — the patch was released the same day as the coordinated disclosure and CISA KEV addition.
Language: Go
2 CVEs total, 1 on CISA KEV (🔴 actively exploited in real attacks)

Full CVE history
| CVE | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2023-32731 | 2023 | HIGH | Information disclosure via gRPC metadata | Fixed v1.55.0 |
| CVE-2023-44487 | 2023 | 🔴 HIGH | HTTP/2 Rapid Reset DoS (CISA KEV) | Fixed v1.58.3 |
Current safe version: v1.58.3

Bump the `require` line in your go.mod (plain module path and version, no quotes):

```
// Before
require google.golang.org/grpc v1.50.0

// After
require google.golang.org/grpc v1.58.3
```

Then run `go mod tidy` so go.sum and any indirect requirements are updated to match.
Paste your manifest into PackageFix to check your exact versions against the full CVE history (runs in the browser; no signup or CLI required).
Common questions
What is the HTTP/2 Rapid Reset attack?
An attacker opens many HTTP/2 streams and immediately cancels each one with an RST_STREAM frame. A cancelled stream no longer counts against the connection's concurrent-stream limit, but the server has already allocated resources (stream state, a handler goroutine) for it before the cancel arrives, so a single connection can force far more work than the limit was meant to allow, leading to resource exhaustion. At scale this achieved 398 million requests/second in real attacks.
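The fix is to upgrade (gRPC-Go v1.58.3 enforces its MaxConcurrentStreams limit against running handlers, not only against open streams). As a complementary monitoring signal, here is an added Go example, not from this page or from the gRPC project, that flags a connection which cancels more than a threshold of its own streams inside a sliding window. The `StreamEvent` shape, the peer addresses, the timestamps and the 100-per-second policy are all constructed assumptions; a real deployment would feed it from proxy or transport-level frame telemetry.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// StreamEvent is one HTTP/2 frame observation on a server connection, in the
// shape a reverse proxy or transport instrumentation might emit (constructed).
type StreamEvent struct {
	Conn     string    // remote peer, e.g. "ip:port"
	StreamID uint32    // HTTP/2 stream id (client-initiated ids are odd)
	Frame    string    // "HEADERS" (stream opened) or "RST_STREAM" (stream cancelled)
	At       time.Time // observation time
}

type streamKey struct {
	conn string
	id   uint32
}

// RapidResetDetector counts, per connection, cancellations of streams the
// client opened itself, inside a sliding window. Legitimate gRPC clients do
// cancel streams, so the signal is the rate, not any single reset.
type RapidResetDetector struct {
	Window    time.Duration
	Threshold int
	open      map[streamKey]struct{} // opened and not yet reset
	resets    map[string][]time.Time // recent reset times per conn, oldest first
}

func NewRapidResetDetector(window time.Duration, threshold int) *RapidResetDetector {
	return &RapidResetDetector{Window: window, Threshold: threshold,
		open: make(map[streamKey]struct{}), resets: make(map[string][]time.Time)}
}

// Observe ingests one event and reports whether the connection is over the
// threshold after it. Resets of streams never seen opening are ignored so
// stray or server-initiated resets do not inflate the count.
func (d *RapidResetDetector) Observe(ev StreamEvent) bool {
	key := streamKey{ev.Conn, ev.StreamID}
	switch ev.Frame {
	case "HEADERS":
		d.open[key] = struct{}{}
	case "RST_STREAM":
		if _, ok := d.open[key]; !ok {
			return false
		}
		delete(d.open, key)
		// Drop reset timestamps that fell out of the window, then record this one.
		cutoff := ev.At.Add(-d.Window)
		ts := d.resets[ev.Conn]
		i := 0
		for i < len(ts) && ts[i].Before(cutoff) {
			i++
		}
		ts = append(ts[i:], ev.At)
		d.resets[ev.Conn] = ts
		return len(ts) > d.Threshold
	}
	return false
}

// sampleEvents is a constructed event stream: one peer opens and immediately
// cancels 150 streams within 750 ms, another cancels 5 streams over 500 ms.
func sampleEvents() []StreamEvent {
	base := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	var evs []StreamEvent
	addPairs := func(conn string, n int, gap time.Duration) {
		for i := 0; i < n; i++ {
			id, t := uint32(2*i+1), base.Add(time.Duration(i)*gap)
			evs = append(evs,
				StreamEvent{Conn: conn, StreamID: id, Frame: "HEADERS", At: t},
				StreamEvent{Conn: conn, StreamID: id, Frame: "RST_STREAM", At: t.Add(time.Millisecond)})
		}
	}
	addPairs("203.0.113.7:51234", 150, 5*time.Millisecond)
	addPairs("198.51.100.2:40000", 5, 100*time.Millisecond)
	return evs
}

// runDetector applies a policy of more than 100 resets per second per
// connection and returns the flagged peers, sorted.
func runDetector(events []StreamEvent) []string {
	d := NewRapidResetDetector(time.Second, 100)
	flagged := map[string]bool{}
	for _, ev := range events {
		if d.Observe(ev) {
			flagged[ev.Conn] = true
		}
	}
	out := make([]string, 0, len(flagged))
	for c := range flagged {
		out = append(out, c)
	}
	sort.Strings(out)
	return out
}

func main() {
	fmt.Println("flagged connections:", runDetector(sampleEvents()))
}
```

The detector only counts a reset after it has seen the matching HEADERS, and it expires counts as the window slides, so a client that cancels a handful of RPCs under normal context cancellation is never flagged; the threshold should be tuned to the per-connection stream rate your service actually sees, and a flag is a reason to rate-limit or close that connection, not proof of the attack on its own.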
Does this affect gRPC servers and clients?
Primarily servers — the server is the one allocating resources. Clients are less affected. Update your gRPC-Go server deployments first.