🚨 Security Vulnerability: Uncontrolled Resource Consumption in @grpc/grpc-js (introduced via @google-cloud/pubsub & @google-cloud/logging-winston)

[ran2207]

Overview:
A security vulnerability (CVE-2024-37168) has been detected in @grpc/grpc-js, affecting projects that use @google-cloud/pubsub and @google-cloud/logging-winston. The vulnerability is related to uncontrolled resource consumption (CWE-789) and has a CVSS score of 6.9 (Medium severity).

Vulnerability Details:

• Package Affected: @grpc/grpc-js
• Introduced via:
  • @google-cloud/pubsub@4.4.0
  • @google-cloud/logging-winston@6.0.0
• CWE ID: [CWE-789](https://cwe.mitre.org/data/definitions/789.html)
• CVE ID: [CVE-2024-37168](https://nvd.nist.gov/vuln/detail/CVE-2024-37168)
• Exploit Maturity: No known exploits, but potential for excessive CPU/memory consumption.
• Fixed in Versions: @grpc/grpc-js@1.8.22, 1.9.15, 1.10.9

Impact:
This vulnerability can lead to uncontrolled resource consumption, which may degrade performance or cause availability issues under certain conditions.

Steps to Reproduce:

1. Install @google-cloud/pubsub@4.4.0 or @google-cloud/logging-winston@6.0.0.
2. Run npm audit or snyk test to detect the vulnerability.
3. Observe that @grpc/grpc-js is flagged with CVE-2024-37168.

Suggested Fix:

• Upgrade @grpc/grpc-js to 1.10.9 or higher in @google-cloud/pubsub and @google-cloud/logging-winston.
• If possible, remove unnecessary dependencies on vulnerable versions.

Next Steps:
Can you confirm if a patch is planned for upcoming releases of @google-cloud/pubsub and @google-cloud/logging-winston to use the latest safe version of @grpc/grpc-js?

Looking forward to your response. Thanks for your help!

[feywind]

The grpc-js dependency is pulled from gax, not directly, so it will need to wait for upgrading to Node 18 (gax itself has moved on to a new major). I'm expecting that to happen soon.

[feywind]

The Node 18 update (5.0.0) has moved us to grpc-js 1.13.3, so I'm going to consider this done.

Release notes for that update, fwiw