CVE-2025-43855: tRPC 11 WebSocket DoS Vulnerability
CVSS Score: 8.7 (CVSS 4.0)
Basic Information
CVE ID: CVE-2025-43855
GHSA ID:
EPSS Score: 0.36122%
CWE:
Published: 4/24/2025
Updated: 4/24/2025
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| @trpc/server | npm | >= 11.0.0, < 11.1.1 | 11.1.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability is a Denial of Service in tRPC's WebSocket server, caused by an unhandled error when processing invalid `connectionParams`.

- The client sends specially crafted, invalid `connectionParams` over a WebSocket connection.
- The `parseConnectionParams` function, located in `packages/server/src/unstable-core-do-not-import/http/parseConnectionParams.ts`, attempts to validate these parameters. Because they are invalid, this function throws an error. This function is critical as it processes the malicious input.
- This error occurs during the WebSocket connection setup, within the execution of `createCtxPromise` (itself called within `getWSConnectionHandler` in `packages/server/src/adapters/ws.ts`).
- The error from `createCtxPromise` (originating from `parseConnectionParams`) is caught within `getWSConnectionHandler`. An `opts.onError` handler is invoked, and the WebSocket client connection is typically closed.
- The vulnerability lies in the fact that, prior to the patch, `getWSConnectionHandler` would then re-throw this error (`throw error;`).
- This re-thrown error was not caught by any higher-level error handler in the asynchronous context of the WebSocket message event, resulting in an uncaught exception that crashed the entire server process.
- The patch addresses the vulnerability by removing the `throw error;` line from `getWSConnectionHandler` in `packages/server/src/adapters/ws.ts`. This ensures that the error, having already been handled by `opts.onError`, is not propagated further as an unhandled exception.

Therefore, `getWSConnectionHandler` is identified as a vulnerable function because it contained the flawed re-throwing logic. `parseConnectionParams` is identified because it processes the malicious input that triggers the error, which then leads to the exploit due to the flaw in `getWSConnectionHandler`.