CVE-2024-7246 Overview
CVE-2024-7246 is an HPACK table poisoning vulnerability in gRPC that allows a malicious client communicating with an HTTP/2 proxy to corrupt the HPACK header compression table shared between the proxy and backend servers. This corruption causes other legitimate clients to experience failed requests and can potentially leak HTTP header keys from other clients' requests.
Critical Impact
Attackers can disrupt service availability for other clients and potentially expose sensitive HTTP header keys through HPACK table poisoning.
Affected Products
- gRPC versions prior to 1.58.3
- gRPC versions 1.59.x prior to 1.59.5
- gRPC versions 1.60.x prior to 1.60.2
- gRPC versions 1.61.x prior to 1.61.3
- gRPC versions 1.62.x prior to 1.62.3
- gRPC versions 1.63.x prior to 1.63.2
- gRPC versions 1.64.x prior to 1.64.3
- gRPC versions 1.65.x prior to 1.65.4
Discovery Timeline
- 2024-08-06 - CVE-2024-7246 published to NVD
- 2025-07-22 - Last updated in NVD database
Technical Details for CVE-2024-7246
Vulnerability Analysis
This vulnerability exists in gRPC's HTTP/2 HPACK header compression implementation. HPACK is a compression format used in HTTP/2 to efficiently encode HTTP headers, utilizing both static and dynamic tables to reduce bandwidth consumption. When a gRPC client sends a maliciously crafted request with a misencoded header through an HTTP/2 proxy, the error status from decoding the malformed header is not properly cleared between subsequent header reads.
The flaw allows an attacker to poison the HPACK dynamic table that is shared between the proxy and backend server. When subsequent headers are incrementally indexed and added to the table, they inherit the corrupted state from the initial misencoded header. This poisoned state persists until the affected entries are eventually evicted from the HPACK table.
Root Cause
The root cause is a state management error in gRPC's HPACK decoder (CWE-440: Expected Behavior Violation). When processing headers, the decoder encounters a misencoded header but fails to properly clear the error status flag before processing subsequent headers in the same request. This results in the error state propagating to incrementally indexed headers that are added to the dynamic HPACK table, corrupting entries that should be valid.
Attack Vector
The attack is network-based and requires the attacker to be a gRPC client communicating through an HTTP/2 proxy to a gRPC backend. The attacker crafts HTTP/2 frames containing deliberately misencoded HPACK headers. When these malformed headers are processed by the proxy-backend connection's HPACK decoder, the corruption spreads to the shared dynamic table.
The attack flow involves:
- Attacker establishes a connection through an HTTP/2 proxy to a gRPC backend
- Attacker sends requests with deliberately misencoded HPACK headers
- The error status from the misencoded header persists across header processing
- Subsequent valid headers become poisoned in the HPACK dynamic table
- Other legitimate clients using the same proxy-backend connection experience request failures
- HTTP header keys (but not values) from other clients may be leaked to the attacker
Since HPACK tables are connection-scoped and proxies typically multiplex multiple client connections over a single backend connection, a single attacker can affect all clients sharing that proxy-backend path.
Detection Methods for CVE-2024-7246
Indicators of Compromise
- Sudden increase in HTTP/2 connection errors or HPACK decompression failures
- Unexplained request failures from legitimate gRPC clients behind HTTP/2 proxies
- Error logs indicating HPACK header decoding issues or table corruption
- Unusual patterns of malformed HTTP/2 HEADERS frames in network traffic
Detection Strategies
- Monitor gRPC server and proxy logs for HPACK-related error messages
- Implement anomaly detection for HTTP/2 frame parsing errors
- Deploy network intrusion detection rules to identify malformed HPACK headers
- Track correlation between specific client connections and widespread request failures
Monitoring Recommendations
- Enable detailed HTTP/2 frame logging on proxies and gRPC servers
- Set up alerts for elevated rates of HTTP/2 GOAWAY or RST_STREAM frames
- Monitor for patterns indicating HPACK table desynchronization
- Implement client connection tracking to identify potential attack sources
How to Mitigate CVE-2024-7246
Immediate Actions Required
- Upgrade gRPC to a patched version immediately: 1.58.3, 1.59.5, 1.60.2, 1.61.3, 1.62.3, 1.63.2, 1.64.3, or 1.65.4
- Audit all systems using gRPC behind HTTP/2 proxies for vulnerable versions
- Consider temporarily isolating high-risk gRPC services until patches are applied
- Review proxy configurations to limit impact of potential HPACK table corruption
Patch Information
The gRPC team has released patches across multiple version branches. Users should upgrade to the following fixed versions based on their current deployment:
| Current Version | Fixed Version |
|---|---|
| 1.58.x | 1.58.3 |
| 1.59.x | 1.59.5 |
| 1.60.x | 1.60.2 |
| 1.61.x | 1.61.3 |
| 1.62.x | 1.62.3 |
| 1.63.x | 1.63.2 |
| 1.64.x | 1.64.3 |
| 1.65.x | 1.65.4 |
For detailed patch information and upgrade instructions, refer to the gRPC GitHub Issue #36245.
Workarounds
- Where possible, use direct gRPC connections without HTTP/2 proxies to eliminate the shared HPACK table attack surface
- Implement connection-level isolation at HTTP/2 proxies to prevent cross-client contamination
- Deploy application-layer firewalls or WAFs with HTTP/2 deep inspection capabilities to detect malformed headers
- Consider rate limiting or connection throttling for untrusted gRPC clients
# Example: Upgrade gRPC using pip (Python)
pip install --upgrade grpcio>=1.65.4
# Example: Upgrade gRPC using npm (Node.js)
npm update @grpc/grpc-js
# Verify installed gRPC version
pip show grpcio | grep Version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
