Security: CVE-2023-44487 - google.golang.org/grpc v1.53.0 vulnerable to HTTP/2 Rapid Reset Attack #245

@antigenius0910

Description

Vulnerability

CVE-2023-44487 — HTTP/2 Rapid Reset Attack
Reference: https://www.cve.org/CVERecord?id=CVE-2023-44487

Affected Component

google.golang.org/grpc v1.53.0 is pinned as an indirect dependency in go.mod.
All versions < 1.56.3 are vulnerable.

Impact

An attacker can exploit the HTTP/2 Rapid Reset mechanism to cause a denial-of-service condition against any server using an affected gRPC version. This is a high-severity, widely exploited vulnerability (CVSS 7.5).

Analysis

google.golang.org/grpc is not directly imported by project source files — it is a transitive dependency pulled in by:

  • cloud.google.com/go/bigquery
  • cloud.google.com/go/pubsub
  • google.golang.org/api
  • google.golang.org/genproto

Fix

Upgrade google.golang.org/grpc to >= v1.56.3. Because of Go's MVS (Minimum Version Selection), this requires co-upgrading the above Google Cloud ecosystem packages for compatibility:

Package                       Before     After
google.golang.org/grpc        v1.53.0    v1.56.3
cloud.google.com/go/bigquery  v1.44.0    v1.50.0
cloud.google.com/go/pubsub    v1.28.0    v1.30.0
google.golang.org/api         v0.107.0   v0.114.0
google.golang.org/genproto    20230110   20230410

go build ./... passes after the upgrade.

Pull Request

A fix is available in: #244
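The check and upgrade sequence described in the Fix section, as an added example that is not part of this issue or of the project's own code: a POSIX shell script that reads a go.mod, reports whether google.golang.org/grpc is pinned below the fixed v1.56.3, and prints the co-upgrade commands that match the table above. The sample go.mod is constructed to mirror the "Before" column; the module path example.com/app is an assumption, and the script assumes it is run from the module root where go.mod lives.

```shell
#!/bin/sh
# Added example, not part of the issue: detect a go.mod that pins
# google.golang.org/grpc below the CVE-2023-44487 fix and print the remediation.

FIXED_GRPC="v1.56.3"   # first fixed release per the issue

# Constructed sample go.mod mirroring the "Before" state (module path is an assumption).
SAMPLE_GOMOD='module example.com/app

go 1.20

require (
	cloud.google.com/go/bigquery v1.44.0
	cloud.google.com/go/pubsub v1.28.0
	google.golang.org/api v0.107.0
)

require (
	google.golang.org/grpc v1.53.0 // indirect
)
'

# version_lt A B: succeed (exit 0) when semver A < B; both are "vMAJOR.MINOR.PATCH".
version_lt() {
    a=${1#v}; b=${2#v}
    a1=${a%%.*}; rest=${a#*.}; a2=${rest%%.*}; a3=${rest#*.}
    b1=${b%%.*}; rest=${b#*.}; b2=${rest%%.*}; b3=${rest#*.}
    [ "$a1" -lt "$b1" ] && return 0
    [ "$a1" -gt "$b1" ] && return 1
    [ "$a2" -lt "$b2" ] && return 0
    [ "$a2" -gt "$b2" ] && return 1
    [ "$a3" -lt "$b3" ]
}

# grpc_version_from_gomod: print the grpc version pinned in the go.mod text on stdin
# (handles both the block form inside "require (" and the single-line "require X vN" form).
grpc_version_from_gomod() {
    awk '$1 == "google.golang.org/grpc" { print $2; exit }
         $1 == "require" && $2 == "google.golang.org/grpc" { print $3; exit }'
}

# check_gomod: read go.mod text from stdin; exit 1 if grpc is pinned below FIXED_GRPC.
check_gomod() {
    v=$(grpc_version_from_gomod)
    if [ -z "$v" ]; then
        echo "google.golang.org/grpc is not listed in go.mod (check 'go list -m all')"
        return 0
    fi
    if version_lt "$v" "$FIXED_GRPC"; then
        echo "VULNERABLE: google.golang.org/grpc $v < $FIXED_GRPC (CVE-2023-44487)"
        return 1
    fi
    echo "OK: google.golang.org/grpc $v >= $FIXED_GRPC"
    return 0
}

# print_remediation: the co-upgrade the issue describes, as commands to run in the module root.
# Versions come from the issue's Before/After table; MVS needs the Cloud packages raised together.
print_remediation() {
    cat <<'EOF'
go mod why -m google.golang.org/grpc        # show which direct dependency pulls grpc in
go get google.golang.org/grpc@v1.56.3 \
       cloud.google.com/go/bigquery@v1.50.0 \
       cloud.google.com/go/pubsub@v1.30.0 \
       google.golang.org/api@v0.114.0
go mod tidy
go build ./...
go run golang.org/x/vuln/cmd/govulncheck@latest ./...   # confirm the CVE no longer reports
EOF
}

# Stand-alone run: check the constructed sample, then a real ./go.mod if present.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    printf '%s' "$SAMPLE_GOMOD" | check_gomod || print_remediation
    if [ -f go.mod ]; then
        check_gomod < go.mod || print_remediation
    fi
fi
```

The version comparison is written in plain parameter expansion so the script works under dash as well as bash; the `go run ... govulncheck` step is the usual way to confirm the advisory is gone after the module graph changes, and it is the check worth keeping in CI.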
