google.golang.org/grpc
cpe:2.3:a:grpc:grpc:*:*:*:*:go:*:*
- < 1.79.3
A critical authorization bypass vulnerability has been identified in gRPC-Go versions prior to 1.79.3. The issue arises from improper input validation of the HTTP/2 ':path' pseudo-header, allowing requests to be routed without the mandatory leading slash. This leniency enables bypassing authorization rules that rely on canonical paths, particularly in gRPC-Go servers using path-based authorization interceptors. The vulnerability can be exploited by sending raw HTTP/2 frames with malformed ':path' headers directly to the gRPC server.
Exploitation of this vulnerability allows for authorization bypass, enabling unauthorized access to gRPC methods that are supposed to be restricted.
Users are advised to upgrade to gRPC-Go version 1.79.3 or the latest master branch. For those unable to upgrade immediately, it is recommended to implement a validating interceptor that checks the ':path' header before any authorization logic, normalize ':path' headers at the infrastructure level if using a reverse proxy or load balancer, and harden authorization policies to deny all paths by default except those explicitly allowed.
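The validating check and deny-by-default policy recommended above, sketched as an added example (not code from gRPC-Go or from this advisory). It assumes the string passed in is the method path the server's interceptor sees, for example `info.FullMethod` in a unary interceptor; the function names, service names and policy maps are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrMalformedPath marks any method path that is not in canonical form.
var ErrMalformedPath = errors.New("malformed :path")

// ValidatePath accepts only the canonical gRPC form "/<service>/<method>".
func ValidatePath(p string) error {
	if !strings.HasPrefix(p, "/") {
		return fmt.Errorf("%w: missing leading slash: %q", ErrMalformedPath, p)
	}
	parts := strings.Split(p[1:], "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return fmt.Errorf("%w: want /service/method: %q", ErrMalformedPath, p)
	}
	return nil
}

// Authorize validates the path first, then denies anything not explicitly allowed.
func Authorize(p string, allowed map[string]bool) error {
	if err := ValidatePath(p); err != nil {
		return err
	}
	if !allowed[p] {
		return fmt.Errorf("permission denied: %q", p)
	}
	return nil
}

// WeakAuthorize is the fragile pattern: deny rules keyed on canonical paths, allow otherwise.
func WeakAuthorize(p string, denied map[string]bool) error {
	if denied[p] {
		return fmt.Errorf("permission denied: %q", p)
	}
	return nil
}

func main() {
	allowed := map[string]bool{"/demo.Greeter/SayHello": true} // constructed policy
	denied := map[string]bool{"/demo.Admin/DeleteUser": true}  // constructed policy
	for _, p := range []string{"/demo.Greeter/SayHello", "/demo.Admin/DeleteUser", "demo.Admin/DeleteUser"} {
		fmt.Printf("%-26q weak=%v hardened=%v\n", p, WeakAuthorize(p, denied), Authorize(p, allowed))
	}
}
```

In a server, the validation has to sit in the first interceptor of the chain so that it runs before any authorization interceptor.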