
CVE-2025-43855:
tRPC 11 WebSocket DoS Vulnerability

CVSS Score (CVSS 4.0): 8.7

Basic Information

EPSS Score: 0.36122%
Published: 4/24/2025
Updated: 4/24/2025
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| @trpc/server | npm | >= 11.0.0, < 11.1.1 | 11.1.1 |

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability is a Denial of Service in tRPC's WebSocket server, caused by an unhandled error when processing invalid connectionParams.

  1. The client sends specially crafted, invalid connectionParams over a WebSocket connection.
  2. The parseConnectionParams function, located in packages/server/src/unstable-core-do-not-import/http/parseConnectionParams.ts, attempts to validate these parameters. Because they are invalid, it throws an error. This function matters because it is the one that processes the attacker-supplied input.
  3. This error occurs during the WebSocket connection setup, within the execution of createCtxPromise (itself called within getWSConnectionHandler in packages/server/src/adapters/ws.ts).
  4. The error from createCtxPromise (originating from parseConnectionParams) is caught within getWSConnectionHandler. An opts.onError handler is invoked, and the WebSocket client connection is typically closed.
  5. The flaw: prior to the patch, getWSConnectionHandler then re-threw this error (throw error;) after it had already been handled.
  6. No higher-level handler caught the re-thrown error in the asynchronous context of the WebSocket message event, so it surfaced as an uncaught exception and crashed the entire server process.
  7. The provided patch addresses the vulnerability by removing the throw error; line from getWSConnectionHandler in packages/server/src/adapters/ws.ts. This ensures that the error, having already been handled by opts.onError, is not propagated further as an unhandled exception.

Therefore, getWSConnectionHandler is identified as a vulnerable function because it contained the flawed re-throwing logic. parseConnectionParams is identified because it processes the malicious input that triggers the error, which then leads to the exploit due to the flaw in getWSConnectionHandler.
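The control flow in steps 2 to 7, as an added JavaScript example that is not tRPC's own code: parseConnectionParams, createCtxPromise and the two connection handlers are simplified stand-ins for the functions named above, and the close code, the onError payload and the fake client are assumptions. The vulnerable handler's promise rejects after the error has already been reported, while the patched handler settles normally.

```javascript
// Added example, not tRPC's own code: simplified stand-ins for the functions named above.

// Stand-in validator: accepts only a plain object of string values and throws
// on anything else, the way the real parser rejects invalid connectionParams.
function parseConnectionParams(raw) {
  if (raw === null || typeof raw !== 'object' || Array.isArray(raw)) {
    throw new TypeError('Invalid connection params: expected an object');
  }
  for (const [key, value] of Object.entries(raw)) {
    if (typeof value !== 'string') {
      throw new TypeError(`Invalid connection params: "${key}" is not a string`);
    }
  }
  return raw;
}

// Stand-in for createCtxPromise: context creation depends on the parsed params.
async function createCtxPromise(rawParams) {
  return { connectionParams: parseConnectionParams(rawParams) };
}

// Before the patch: report, close, then re-throw. Nothing awaits this promise in
// the WebSocket message event, so the rejection is unhandled and Node.js exits.
async function handleConnectionVulnerable(client, rawParams, opts) {
  try {
    return await createCtxPromise(rawParams);
  } catch (error) {
    opts.onError?.({ error }); // simplified payload; the real callback gets more
    client.close(1008, 'invalid connection params'); // close code is an assumption
    throw error; // the line the patch removes
  }
}

// After the patch: same handling, no re-throw. The connection is closed, the
// server stays up, and the promise settles normally with null.
async function handleConnectionFixed(client, rawParams, opts) {
  try {
    return await createCtxPromise(rawParams);
  } catch (error) {
    opts.onError?.({ error });
    client.close(1008, 'invalid connection params');
    return null;
  }
}

// Minimal fake WebSocket client so both handlers can be exercised offline.
function makeFakeClient() {
  const client = { closed: false, code: null, close(code) { client.closed = true; client.code = code; } };
  return client;
}
```

In a real server the rejected promise from the vulnerable handler is what becomes the process-killing unhandled rejection; the fixed handler leaves only the closed client and the onError record behind.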


WAF Protection Rules

WAF Rule

### Summary

An unhandled error is thrown when validating invalid connectionParams which crashes a tRPC WebSocket server. This allows any unauthenticated user to crash a tRPC 11 WebSocket server.

### Details

Any tRPC 11 server with WebSocket enabled
