CVE-2023-32732 Overview
CVE-2023-32732 is a denial of service vulnerability in gRPC that allows a malicious client to terminate connections between HTTP2 proxies and gRPC servers. The vulnerability stems from inconsistent handling of base64 encoding errors in headers with the -bin suffix: when a client sends a -bin header whose value is not valid base64, an HTTP2 proxy typically forwards the request unchanged, but an affected gRPC server treats the decoding failure as a connection-level error and closes the proxy-to-server connection instead of failing only that one request.
Critical Impact
An attacker can exploit this to cause denial of service by repeatedly sending such requests and tearing down the connections between HTTP2 proxies and gRPC servers. Every legitimate client whose requests are multiplexed over a torn-down connection has its in-flight requests fail, so the victims are the other tenants of the proxy's connection pool, not just the attacker's own stream. No authentication is required, and one malformed request is enough to drop one connection.
Affected Products
- gRPC (all versions prior to the fix in pull request #32309)
- Fedora 37
- Fedora 38
Publication Timeline
- June 9, 2023 - CVE-2023-32732 published to NVD
- February 13, 2025 - Last updated in NVD database
Technical Details for CVE-2023-32732
Vulnerability Analysis
This vulnerability exploits a behavioral inconsistency in how HTTP2 proxies and gRPC servers handle binary headers. In gRPC, a header whose name ends in -bin carries binary metadata as a base64-encoded value; the gRPC over HTTP/2 specification requires implementations to accept both padded and unpadded base64, so the server decodes the value on receipt. An HTTP2 proxy has no reason to decode it and forwards the header as an opaque string, so the proxy never notices that the value is not base64 at all.
The attack targets the connection-sharing architecture commonly used in production, where a proxy multiplexes requests from many clients over a small number of HTTP2 connections to each gRPC backend. When an affected gRPC server fails to decode a -bin header, it terminates the entire HTTP2 connection rather than just rejecting the individual request. HTTP/2 itself treats a malformed request as a stream error (RFC 9113, Section 8.1.1), so failing the whole connection is stricter than protocol compliance requires, and it creates an amplification effect: a single malicious request disrupts every stream from every client sharing that connection.
Root Cause
The root cause lies in CWE-440: Expected Behavior Violation. The vulnerability exists because of differing expectations between HTTP2 proxies and gRPC servers regarding header validation. HTTP2 proxies operate under a more permissive model, treating headers as opaque data to be forwarded, while gRPC servers enforce strict protocol compliance and terminate connections upon detecting malformed binary headers.
Attack Vector
The attack can be executed remotely over the network without authentication. An attacker crafts HTTP2 requests containing -bin suffixed headers with intentionally malformed base64 encoding. These requests pass through HTTP2 proxies unchanged but trigger connection termination when they reach the gRPC server. By repeatedly sending such requests, an attacker can continuously disrupt the connection pool between proxies and servers.
The attack flow involves the following sequence:
- A malicious client sends a request with an invalid base64 value in a binary header (such as x-custom-bin).
- The HTTP2 proxy forwards this request to the backend gRPC server without inspecting the header value.
- The gRPC server attempts to decode the header and detects the encoding error.
- The server terminates the HTTP2 connection, affecting all clients whose requests are multiplexed on that connection.
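To make the amplification concrete, here is an added example (not code from the gRPC project or from the page's source) that models a shared proxy-to-server HTTP2 connection in Python. It runs the same three streams through the affected behaviour, where a -bin header that fails base64 decoding is treated as a connection-level error, and through a hardened variant in which only the offending stream is rejected. The base64 rule follows the gRPC over HTTP/2 specification (standard alphabet, padded and unpadded both accepted). The client names, header names and header values are constructed, and the hardened variant is what this page's description implies rather than a transcription of the actual fix.

```python
import base64
import re
from dataclasses import dataclass, field

# gRPC -bin header values are standard-alphabet base64; the gRPC over HTTP/2
# spec requires implementations to accept both padded and unpadded values.
_B64_BODY = re.compile(r"^[A-Za-z0-9+/]*$")


def decode_bin_header(value: str) -> bytes:
    """Decode a -bin header value; raise ValueError if it is not base64."""
    body = value.rstrip("=")
    pad = len(value) - len(body)
    if (pad > 2 or not _B64_BODY.match(body) or len(body) % 4 == 1
            or (pad and (len(body) + pad) % 4)):
        raise ValueError(f"invalid base64 in -bin header: {value!r}")
    return base64.b64decode(body + "=" * (-len(body) % 4))


def is_valid_bin_value(value: str) -> bool:
    try:
        decode_bin_header(value)
    except ValueError:
        return False
    return True


@dataclass
class Stream:
    """One request from one client, multiplexed onto the shared connection."""
    client: str
    headers: dict
    status: str = "pending"   # pending -> ok | rejected | aborted


@dataclass
class Http2Connection:
    """One proxy-to-server HTTP2 connection carrying streams from many clients."""
    streams: list = field(default_factory=list)
    alive: bool = True


def serve(conn: Http2Connection, connection_error_on_bad_header: bool) -> dict:
    """Process every stream on the connection and return {client: status}.

    connection_error_on_bad_header=True models the affected server: a bad -bin
    header is a connection-level error, the connection dies, and every stream
    still pending on it is aborted.  False models the hardened behaviour assumed
    here: only the offending stream is rejected.
    """
    for s in conn.streams:
        if not conn.alive:
            s.status = "aborted"          # collateral damage to an innocent client
            continue
        try:
            for name, value in s.headers.items():
                if name.endswith("-bin"):
                    decode_bin_header(value)
            s.status = "ok"
        except ValueError:
            s.status = "rejected"
            if connection_error_on_bad_header:
                conn.alive = False        # GOAWAY: everyone else on the connection loses
    return {s.client: s.status for s in conn.streams}


def sample_connection() -> Http2Connection:
    """Constructed sample: two legitimate clients and one attacker share a connection."""
    return Http2Connection(streams=[
        Stream("client-a", {"content-type": "application/grpc", "x-trace-bin": "QUJDRA=="}),
        Stream("attacker", {"content-type": "application/grpc", "x-custom-bin": "!!not-base64!!"}),
        Stream("client-b", {"content-type": "application/grpc", "x-trace-bin": "QUJDRA"}),
    ])


if __name__ == "__main__":
    print("affected :", serve(sample_connection(), connection_error_on_bad_header=True))
    print("hardened :", serve(sample_connection(), connection_error_on_bad_header=False))
```

Run as a script, the affected mode shows client-b aborted purely because it happened to follow the attacker's stream on the same connection, while the hardened mode rejects only the attacker. The same `decode_bin_header` check is what a proxy would apply before forwarding if it chose to validate -bin headers itself.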
Detection Methods for CVE-2023-32732
Indicators of Compromise
- Unusual patterns of HTTP2 connection resets or terminations between proxies and gRPC servers
- Increased frequency of gRPC error codes related to header parsing failures
- Requests containing -bin suffixed headers with non-base64 characters or improper padding
- Sudden spikes in connection establishment rates indicating connection pool churn
Detection Strategies
- Monitor gRPC server logs for base64 decoding errors in binary headers
- Implement connection termination rate monitoring between HTTP2 proxies and gRPC backends
- Deploy network traffic analysis to identify requests with malformed -bin header values
- Set up alerting for unusual patterns of HTTP2 GOAWAY frames from gRPC servers
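An added example of the log-based detection above (not from any proxy or from the gRPC project): it parses a constructed proxy access-log format in Python, flags any source whose requests carrying -bin headers coincide with repeated upstream connection resets inside a sliding window, and separately lists the resets seen by requests that carried no -bin header at all, which are the likely collateral victims. The log format, field names, addresses and thresholds are assumptions; adapt the regex to the fields your proxy actually logs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access-log format (not any real proxy's): one line per request.
# "upstream=reset" means the backend tore down the proxy-to-server connection
# while this request was in flight; "bin_headers" lists -bin headers present, or "-".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) path=(?P<path>\S+) "
    r"bin_headers=(?P<bin>\S+) upstream=(?P<upstream>\S+)$"
)

# Constructed sample: 203.0.113.7 hammers the backend with a bad -bin header,
# 198.51.100.10 is an innocent client that shares the connection.
SAMPLE_LOG = """\
2023-06-09T12:00:00Z src=198.51.100.10 path=/pkg.Svc/Get bin_headers=- upstream=ok
2023-06-09T12:00:01Z src=203.0.113.7 path=/pkg.Svc/Get bin_headers=x-custom-bin upstream=reset
2023-06-09T12:00:02Z src=198.51.100.11 path=/pkg.Svc/List bin_headers=x-trace-bin upstream=ok
2023-06-09T12:00:03Z src=203.0.113.7 path=/pkg.Svc/Get bin_headers=x-custom-bin upstream=reset
2023-06-09T12:00:04Z src=198.51.100.10 path=/pkg.Svc/Get bin_headers=- upstream=reset
2023-06-09T12:00:05Z src=203.0.113.7 path=/pkg.Svc/Get bin_headers=x-custom-bin upstream=reset
2023-06-09T12:03:00Z src=198.51.100.12 path=/pkg.Svc/Get bin_headers=x-trace-bin upstream=reset
"""


def parse_log(text: str) -> list:
    """Turn log lines into event dicts; lines that do not fit the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["bin"] = [] if e["bin"] == "-" else e["bin"].split(",")
        events.append(e)
    return events


def find_bin_header_abusers(events, window=timedelta(seconds=60), threshold=3) -> dict:
    """Sources whose -bin-carrying requests coincided with >= threshold upstream
    resets inside a sliding window.  Returns {src: peak count inside the window}."""
    recent = defaultdict(deque)   # src -> timestamps of recent suspicious resets
    flagged = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["upstream"] != "reset" or not e["bin"]:
            continue
        q = recent[e["src"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[e["src"]] = max(flagged.get(e["src"], 0), len(q))
    return flagged


def collateral_resets(events) -> list:
    """Requests with no -bin header that still saw their upstream connection reset:
    the likely victims sharing a connection with an abuser."""
    return [(e["ts"].isoformat(), e["src"]) for e in events
            if e["upstream"] == "reset" and not e["bin"]]
```

On the sample, only 203.0.113.7 is flagged (three suspicious resets within a minute), the single reset from 198.51.100.12 stays below the threshold, and the reset suffered by 198.51.100.10 is reported as collateral so that an analyst does not mistake the victim for the attacker.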
Monitoring Recommendations
- Track connection pool health metrics including connection lifetime and termination reasons
- Monitor service availability metrics for applications behind HTTP2 proxies
- Implement distributed tracing to correlate client requests with connection terminations
- Review proxy access logs for repeated requests from the same source with binary headers
How to Mitigate CVE-2023-32732
Immediate Actions Required
- Upgrade gRPC to a version that includes the fix from pull request #32309
- Review and update Fedora systems to patched versions as announced in Fedora security advisories
- Implement rate limiting on incoming connections to reduce the impact of connection termination attacks
- Consider implementing header validation at the proxy layer for -bin suffixed headers
Patch Information
The gRPC team has addressed this vulnerability in the changes merged via GitHub Pull Request #32309. Organizations should upgrade to gRPC versions that include this fix. Fedora users should apply the latest package updates as documented in the official Fedora package announcements.
Workarounds
- Deploy input validation at the HTTP2 proxy layer to reject requests with malformed base64 in -bin headers before they reach gRPC servers
- Implement connection isolation to limit the blast radius of connection terminations
- Configure aggressive connection timeouts and automatic reconnection logic in client applications
- Use dedicated connection pools for sensitive or high-priority services to isolate them from potential attacks
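An added example (hypothetical, not a feature of any named proxy or of gRPC itself) of the proxy-layer validation and the per-source rate limiting recommended above, in Python. The guard checks every header whose name ends in -bin against the gRPC base64 rule (padded or unpadded, standard alphabet) and answers with a local 400 instead of forwarding, and once a source has produced more than a configured number of malformed requests inside a window it is throttled with 429 regardless of what it sends next. The status codes, thresholds and the `decide` interface are assumptions to be mapped onto your proxy's own filter API; header names are assumed already lower-cased as HTTP/2 requires.

```python
import re
import time
from collections import defaultdict, deque

_B64_BODY = re.compile(r"^[A-Za-z0-9+/]*$")


def bin_value_ok(value: str) -> bool:
    """gRPC -bin rule: standard base64, padded or unpadded, nothing else."""
    body = value.rstrip("=")
    pad = len(value) - len(body)
    if pad > 2 or not _B64_BODY.match(body) or len(body) % 4 == 1:
        return False
    return not (pad and (len(body) + pad) % 4)


class ProxyGuard:
    """Hypothetical proxy-side filter: reject malformed -bin headers before they
    reach the gRPC backend, and throttle sources that keep sending them."""

    def __init__(self, max_rejects: int = 3, window_s: float = 60.0):
        self.max_rejects = max_rejects
        self.window_s = window_s
        self._rejects = defaultdict(deque)   # src -> timestamps of recent rejects

    def _recent_rejects(self, src: str, now: float) -> int:
        q = self._rejects[src]
        while q and now - q[0] > self.window_s:
            q.popleft()                      # expire entries outside the window
        return len(q)

    def decide(self, src: str, headers: dict, now: float = None) -> tuple:
        """Return ("forward", headers) or ("reject", http_status, reason).

        `now` is injectable so the behaviour can be tested deterministically;
        a real filter would use the proxy's clock.
        """
        now = time.monotonic() if now is None else now
        if self._recent_rejects(src, now) >= self.max_rejects:
            return ("reject", 429, "too many malformed -bin headers from this source")
        for name, value in headers.items():
            if name.lower().endswith("-bin") and not bin_value_ok(value):
                self._rejects[src].append(now)
                return ("reject", 400, f"malformed base64 in header {name}")
        return ("forward", headers)
```

Rejecting at the proxy keeps the malformed header from ever reaching an unpatched backend, so the shared connection survives; the throttle is a defence in depth for the case where the attacker varies the malformed value or targets headers the filter does not cover. Neither replaces upgrading gRPC to a build that includes pull request #32309.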
Organizations using containerized or microservices architectures should ensure all gRPC dependencies are updated across their service mesh. Consider using service mesh features like circuit breakers to limit the propagation of connection failures.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


