tRPC WebSocket Denial-of-Service Vulnerability
Vulnerability
A denial-of-service vulnerability has been identified in tRPC versions 11.0.0 up to, but not including, 11.1.1. When the WebSocket server receives invalid connection parameters from a client, the resulting error is not caught inside the connection handler; the unhandled error propagates out and crashes the WebSocket server. No authentication is required, so any client that can open a WebSocket connection to the server can disrupt it. The problem affects any tRPC 11 server that has WebSocket support enabled and a context creation method defined.
Impact
Exploitation of this vulnerability crashes the tRPC WebSocket server and terminates the process it runs in. Every connected client is disconnected, and the service stays down until the process is restarted; a single malformed connection attempt is enough, and it can be repeated as soon as the server comes back up.
Reproduction
The vulnerability can be reproduced against a tRPC server running a version from 11.0.0 up to, but not including, 11.1.1, with WebSocket support enabled and a context creation method specified. Using any WebSocket client, connect to the server and transmit a malformed connection parameter object in place of a well-formed one; the server process terminates instead of rejecting only that connection.
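The failure mode described in the Vulnerability and Reproduction sections above, as an added illustrative model that is not tRPC's source code and does not reproduce its wire protocol. The message shape (a JSON object with `method: "connectionParams"` and a `data` field), the rule that `data` must be a flat object of string values, the handler and helper names, and the constructed sample frames are all assumptions made for the example. It contrasts a handler that lets the parse error escape (in a real Node server that becomes an uncaught exception and the process dies) with one that confines the error to the offending connection and closes only that socket.

```javascript
// Illustrative model of the advisory's failure mode, not tRPC's code.
// Assumed (not from the advisory): the client's first message is
// {method: "connectionParams", data: {...}} and data must be a flat
// object whose values are all strings.

// Parse untrusted connection params; throws on any shape violation.
function parseConnectionParams(raw) {
  if (raw === null || typeof raw !== 'object' || Array.isArray(raw)) {
    throw new TypeError('connectionParams must be an object');
  }
  for (const [key, value] of Object.entries(raw)) {
    if (typeof value !== 'string') {
      throw new TypeError(`connectionParams.${key} must be a string`);
    }
  }
  return raw;
}

// Minimal stand-in for a WebSocket so the example runs offline.
class FakeSocket {
  constructor() {
    this.closed = null;      // {code, reason} once close() is called
    this.connectionParams = null;
  }
  close(code, reason) {
    this.closed = { code, reason };
  }
}

// VULNERABLE pattern: a parse error propagates out of the message handler.
// With nothing catching it, Node treats it as an uncaught exception and
// terminates the whole process, not just this client's connection.
function vulnerableMessageHandler(socket, text) {
  const msg = JSON.parse(text);
  if (msg.method === 'connectionParams') {
    socket.connectionParams = parseConnectionParams(msg.data); // may throw
    return 'context-ready';
  }
  return 'ignored';
}

// HARDENED pattern: every failure is confined to the offending connection.
function hardenedMessageHandler(socket, text) {
  try {
    const msg = JSON.parse(text);
    if (msg && msg.method === 'connectionParams') {
      socket.connectionParams = parseConnectionParams(msg.data);
      return 'context-ready';
    }
    return 'ignored';
  } catch (err) {
    // 1008 is the standard WebSocket "Policy Violation" close code.
    socket.close(1008, err instanceof Error ? err.message : 'bad message');
    return 'closed';
  }
}

// Simulates the event loop: an exception escaping a handler with no
// 'uncaughtException' listener is reported as a process crash.
function simulateServer(handler, frames) {
  const socket = new FakeSocket();
  const results = [];
  for (const frame of frames) {
    try {
      results.push(handler(socket, frame));
    } catch (err) {
      return { crashed: true, results, error: err.message, socket };
    }
  }
  return { crashed: false, results, socket };
}

// Constructed sample frames: one well-formed, several malformed.
const GOOD_FRAME = JSON.stringify({ method: 'connectionParams', data: { token: 'abc' } });
const BAD_FRAMES = [
  JSON.stringify({ method: 'connectionParams', data: 'not-an-object' }),
  JSON.stringify({ method: 'connectionParams', data: ['a', 'b'] }),
  JSON.stringify({ method: 'connectionParams', data: { token: 42 } }),
  JSON.stringify({ method: 'connectionParams' }),   // data missing
  '{not json',                                       // unparseable frame
];

console.log('vulnerable:', simulateServer(vulnerableMessageHandler, [GOOD_FRAME, BAD_FRAMES[0]]));
console.log('hardened:  ', simulateServer(hardenedMessageHandler, [GOOD_FRAME, BAD_FRAMES[0]]));
```

The point of the hardened form is not the particular validation rule but where the error is caught: anything thrown while handling one client's frame must end that client's connection, never the process. A process-level `uncaughtException` handler or a supervisor restart is a safety net, not a substitute, because the server is still unavailable for the duration of each restart.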
Remediation
Upgrade tRPC to version 11.1.1 or later, which catches the error and rejects only the offending connection. After upgrading, confirm with your package manager that the installed version of the server package is 11.1.1 or newer, and that no older copy remains pinned in the lockfile.
