github.com/vonage/gosrvlib-v1.107.4: 1 vulnerabilities (highest severity is: 9.1) #393
Description
Vulnerable Library - github.com/vonage/gosrvlib-v1.107.4
Path to dependency file: /examples/service/go.mod
Path to vulnerable library: /home/wss-scanner/go/pkg/mod/cache/download/google.golang.org/grpc/@v/v1.75.1.mod,/home/wss-scanner/go/pkg/mod/cache/download/google.golang.org/grpc/@v/v1.75.1.mod
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Exploit Maturity | EPSS | Dependency | Type | Fixed in (github.com/vonage/gosrvlib-v1.107.4 version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2026-33186 |  Critical |
9.1 | Not Defined | google.golang.org/grpc-v1.75.1 | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2026-33186
Vulnerable Library - google.golang.org/grpc-v1.75.1
The Go language implementation of gRPC. HTTP/2 based RPC
Library home page: https://proxy.golang.org/google.golang.org/grpc/@v/v1.75.1.zip
Path to dependency file: /go.mod
Path to vulnerable library: /home/wss-scanner/go/pkg/mod/cache/download/google.golang.org/grpc/@v/v1.75.1.mod,/home/wss-scanner/go/pkg/mod/cache/download/google.golang.org/grpc/@v/v1.75.1.mod
Dependency Hierarchy:
- github.com/vonage/gosrvlib-v1.107.4 (Root Library)
- github.com/spf13/viper/remote-v1.21.0
- github.com/sagikazarmark/crypt-v0.31.0
- ❌ google.golang.org/grpc-v1.75.1 (Vulnerable Library)
- github.com/sagikazarmark/crypt-v0.31.0
- github.com/spf13/viper/remote-v1.21.0
Found in base branch: main
Vulnerability Details
Impact What kind of vulnerability is it? Who is impacted? It is an Authorization Bypass resulting from Improper Input Validation of the HTTP/2 ":path" pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the ":path" omitted the mandatory leading slash (e.g., "Service/Method" instead of "/Service/Method"). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official "grpc/authz" package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with "/") failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present. Who is impacted? This affects gRPC-Go servers that meet both of the following criteria: 1. They use path-based authorization interceptors, such as the official RBAC implementation in "google.golang.org/grpc/authz" or custom interceptors relying on "info.FullMethod" or "grpc.Method(ctx)". 2. Their security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed ":path" headers directly to the gRPC server. Patches Has the problem been patched? What versions should users upgrade to? Yes, the issue has been patched. The fix ensures that any request with a ":path" that does not start with a leading slash is immediately rejected with a "codes.Unimplemented" error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. Users should upgrade to the following versions (or newer): * v1.79.3 * The latest master branch. It is recommended that all users employing path-based authorization (especially "grpc/authz") upgrade as soon as the patch is available in a tagged release. Workarounds Is there a way for users to fix or remediate the vulnerability without upgrading? While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: 1. Use a Validating Interceptor (Recommended Mitigation) Add an "outermost" interceptor to your server that validates the path before any other authorization logic runs: func pathValidationInterceptor(ctx context.Context, req any, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (any, error) { if info.FullMethod == "" || info.FullMethod[0] != '/' { return nil, status.Errorf(codes.Unimplemented, "malformed method name") } return handler(ctx, req) } // Ensure this is the FIRST interceptor in your chain s := grpc.NewServer( grpc.ChainUnaryInterceptor(pathValidationInterceptor, authzInterceptor), ) 2. Infrastructure-Level Normalization If your gRPC server is behind a reverse proxy or load balancer (such as Envoy, NGINX, or an L7 Cloud Load Balancer), ensure it is configured to enforce strict HTTP/2 compliance for pseudo-headers and reject or normalize requests where the ":path" header does not start with a leading slash. 3. Policy Hardening Switch to a "default deny" posture in your authorization policies (explicitly listing all allowed paths and denying everything else) to reduce the risk of bypasses via malformed inputs.
Publish Date: 2026-03-18
URL: CVE-2026-33186
Threat Assessment
Exploit Maturity: Not Defined
EPSS:
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-p77j-4mvh-x3m3
Release Date: 2026-03-18
Fix Resolution: google.golang.org/grpc - 1.79.3