Description
tRPC 11 WebSocket DoS Vulnerability
Summary
An unhandled error is thrown when validating invalid connectionParams which crashes a tRPC WebSocket server. This allows any unauthenticated user to crash a tRPC 11 WebSocket server.
Details
Any tRPC 11 server with WebSockets enabled and a createContext method set is vulnerable. Here is an example:
https://github.com/user-attachments/assets/ce1b2d32-6103-4e54-8446-51535b293b05
I have a working reproduction here if you would like to test: https://github.com/lukechilds/trpc-vuln-reproduction
The connectionParams logic introduced in https://github.com/trpc/trpc/pull/5839 does not safely handle invalid connectionParams objects. During validation if the object does not match an expected shape an error will be thrown:
This is called during WebSocket connection setup inside createCtxPromise() here:
createCtxPromise has handling to catch any errors and pass them up to the opts.onError handler:
However the error handler then rethrows the error:
Since this is all triggered from the WebSocket message event there is no higher level error handling so this causes an uncaught exception and crashes the server process.
This means any tRPC 11 server with WebSockets enabled can be crashed by an attacker sending an invalid connectionParams object. It doesn't matter whether the server makes use of connectionParams: the connectionParams logic can be initiated by the client.
To fix this vulnerability tRPC should not rethrow the error after it has been handled. This patch fixes the vulnerability:
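The patch itself is not reproduced on this page. The following is an added illustration of the failure mode and of the fix pattern the advisory describes; it is not tRPC's code. It models a WebSocket message handler that validates connectionParams and builds a context: the vulnerable variant reports the error to onError and then rethrows it (which, in a 'message' listener with no outer handler, becomes an uncaught exception), while the hardened variant reports it, tells the client, closes only that connection and returns. The message shape, the expected shape of connectionParams (a plain object of string values), the fake socket and the sample messages are all assumptions constructed for the example.

```typescript
// Added illustration (not tRPC's code): the same message handler written two ways.
// A fake socket stands in for the real WebSocket so this runs offline.

type ConnectionParams = Record<string, string>;

class ConnectionParamsError extends Error {
  constructor(message: string) {
    super(message);
    this.name = 'ConnectionParamsError';
  }
}

// Assumed expected shape: a plain object whose values are all strings.
function parseConnectionParams(raw: unknown): ConnectionParams {
  if (typeof raw !== 'object' || raw === null || Array.isArray(raw)) {
    throw new ConnectionParamsError('connectionParams must be a plain object');
  }
  for (const [key, value] of Object.entries(raw)) {
    if (typeof value !== 'string') {
      throw new ConnectionParamsError(`connectionParams.${key} must be a string`);
    }
  }
  return raw as ConnectionParams;
}

interface FakeSocket {
  sent: string[];
  closed: { code: number; reason: string } | null;
  send(data: string): void;
  close(code: number, reason: string): void;
}

function makeSocket(): FakeSocket {
  const socket: FakeSocket = {
    sent: [],
    closed: null,
    send(data) { socket.sent.push(data); },
    close(code, reason) { socket.closed = { code, reason }; },
  };
  return socket;
}

interface HandlerOpts {
  createContext: (params: ConnectionParams) => unknown;
  onError: (err: Error) => void;
}

function toError(err: unknown): Error {
  return err instanceof Error ? err : new Error(String(err));
}

// Vulnerable pattern: the error is passed to onError and then rethrown.
// Inside a 'message' event listener nothing catches it, so the process dies.
function handleMessageVulnerable(_socket: FakeSocket, rawMessage: string, opts: HandlerOpts): unknown {
  try {
    const msg = JSON.parse(rawMessage) as { data?: unknown };
    const params = parseConnectionParams(msg.data);
    return opts.createContext(params);
  } catch (err) {
    opts.onError(toError(err));
    throw err;
  }
}

// Hardened pattern: report the error, inform the client, close this one connection and return.
function handleMessageHardened(socket: FakeSocket, rawMessage: string, opts: HandlerOpts): unknown {
  try {
    const msg = JSON.parse(rawMessage) as { data?: unknown };
    const params = parseConnectionParams(msg.data);
    return opts.createContext(params);
  } catch (err) {
    opts.onError(toError(err));
    socket.send(JSON.stringify({ error: { message: 'invalid connectionParams' } }));
    socket.close(1008, 'invalid connectionParams'); // 1008 = policy violation
    return undefined;
  }
}

// Runs both handlers over a constructed invalid message and reports whether each would have crashed.
function demonstrate(): { vulnerableCrashed: boolean; hardenedCrashed: boolean; socketClosed: boolean; errorsSeen: number } {
  const errors: Error[] = [];
  const opts: HandlerOpts = {
    createContext: (params) => ({ user: params.token ?? null }),
    onError: (err) => { errors.push(err); },
  };
  // Constructed sample: connectionParams is a string instead of an object.
  const badMessage = JSON.stringify({ method: 'connectionParams', data: 'not-an-object' });

  let vulnerableCrashed = false;
  try {
    handleMessageVulnerable(makeSocket(), badMessage, opts);
  } catch {
    vulnerableCrashed = true;
  }

  const socket = makeSocket();
  let hardenedCrashed = false;
  try {
    handleMessageHardened(socket, badMessage, opts);
  } catch {
    hardenedCrashed = true;
  }
  return { vulnerableCrashed, hardenedCrashed, socketClosed: socket.closed !== null, errorsSeen: errors.length };
}

console.log(demonstrate());
```

The point of the hardened variant is scope: a malformed message from one client is a per-connection error, so the handler reports it once, closes that socket with a policy-violation code and returns normally; the process keeps serving every other connection. Counting onError calls with a status code of 1008 in the server's logs also gives a cheap signal that someone is sending malformed connectionParams.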
PoC
This script will crash the target tRPC 11 server if WebSockets are enabled:
Complete PoC with vulnerable WebSocket server here: https://github.com/lukechilds/trpc-vuln-reproduction
References
- https://github.com/trpc/trpc/security/advisories/GHSA-pj3v-9cm8-gvj8
- https://nvd.nist.gov/vuln/detail/CVE-2025-43855
- https://github.com/trpc/trpc/pull/5839
- https://github.com/trpc/trpc/commit/9beb26c636d44852e0f407f3d7a82ad54df65b4d
- https://github.com/trpc/trpc/blob/8cef54eaf95d8abc8484fe1d454b6620eeb57f2f/packages/server/src/adapters/ws.ts#L171
Packages
Package: @trpc/server
Affected versions: >= 11.0.0, < 11.1.1
Patched version: 11.1.1
Related vulnerabilities
tRPC allows users to build & consume fully typesafe APIs without schemas or code generation. In versions starting from 11.0.0 to before 11.1.1, an unhandled error is thrown when validating invalid connectionParams which crashes a tRPC WebSocket server. This allows any unauthenticated user to crash a tRPC 11 WebSocket server. Any tRPC 11 server with WebSocket enabled with a createContext method set is vulnerable. This issue has been patched in version 11.1.1.