CVE-2025-43855 Overview
CVE-2025-43855 is a denial of service vulnerability in tRPC, a TypeScript library for building typesafe APIs without schemas or code generation. The flaw affects tRPC versions starting from 11.0.0 and prior to 11.1.1. An unhandled exception is thrown when the WebSocket adapter validates malformed connectionParams, which terminates the tRPC WebSocket server process. Any unauthenticated remote attacker can trigger the crash by sending a crafted WebSocket connection. The issue affects any tRPC 11 server that enables WebSockets together with a createContext method. The maintainers shipped a fix in version 11.1.1.
Critical Impact
Unauthenticated attackers can crash tRPC 11 WebSocket servers remotely with a single malformed connection request, disrupting application availability.
Affected Products
- tRPC versions 11.0.0 through 11.1.0 (WebSocket adapter)
- tRPC servers with WebSockets enabled and a configured createContext method
- Fastify and standalone WebSocket adapters built on the affected tRPC server package
Discovery Timeline
- 2025-04-24 - CVE-2025-43855 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-43855
Vulnerability Analysis
The vulnerability is an Uncaught Exception flaw (CWE-248) in the tRPC WebSocket adapter. When a client opens a WebSocket connection, the server parses the connectionParams payload before establishing the tRPC context. The parsing and validation logic throws synchronously when the payload is malformed. Because the surrounding handler awaited the connection routine without guarding the rejection, the error propagated to the underlying HTTP/WebSocket framework and crashed the Node.js process. Restarting the process restores service, but the attack is trivially repeatable. The EPSS score is 0.293% at the 52nd percentile, reflecting low but non-trivial exploitation likelihood for a network-reachable DoS primitive.
Root Cause
The root cause is missing error handling around the asynchronous onConnection routine in the Fastify WebSocket plugin. Invalid connectionParams produced a rejected promise that was not caught, allowing the exception to escape the request handler. The fix removes the await and lets onConnection manage its own error boundary internally so a malformed payload no longer reaches the framework's top-level error handler.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker sends a WebSocket upgrade request to the tRPC endpoint and supplies a malformed connectionParams value. The server attempts to validate the payload, throws, and the Node.js process terminates. The impact is limited to availability, with no confidentiality or integrity loss.
...trpcOptions,
});
- fastify.get(prefix ?? '/', { websocket: true }, async (socket, req) => {
- await onConnection(socket, req.raw);
+ fastify.get(prefix ?? '/', { websocket: true }, (socket, req) => {
+ onConnection(socket, req.raw);
if (trpcOptions?.keepAlive?.enabled) {
const { pingMs, pongWaitMs } = trpcOptions.keepAlive;
handleKeepAlive(socket, pingMs, pongWaitMs);
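Review bot: dropping the `await` on `onConnection(socket, req.raw)` turns it into a fire-and-forget promise, and nothing in this hunk attaches a rejection handler to it; unless `onConnection` is guaranteed to catch every error internally, a malformed connectionParams payload now surfaces as an `unhandledRejection`, which Node.js 15 and later also treat as fatal by default, so the crash would move rather than disappear. Suggest either `onConnection(socket, req.raw).catch((err) => socket.close(1011, 'connection failed'))` at the call site, or a comment there stating that `onConnection` never rejects. Secondary point: the keep-alive block that follows now runs before the connection routine has finished, so `handleKeepAlive(socket, pingMs, pongWaitMs)` can start pinging a socket whose handshake is about to be rejected; confirm that ordering is intended.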
Source: tRPC patch commit 9beb26c
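The Root Cause and Attack Vector passages above describe an error boundary in the wrong place: a connection routine throws on malformed connectionParams, and the handler that awaits it has no guard. The following TypeScript is an added example, not tRPC's own adapter code. It models that pattern with a vulnerable handler beside a hardened one. FakeSocket, the assumed connectionParams wire shape (a JSON object of string values), and the onConnection stand-in are simplifications chosen for the example, not tRPC internals.

```typescript
// Added example, not tRPC's own code. It models the pattern behind CVE-2025-43855:
// an async WebSocket connection routine throws on malformed connectionParams, and
// whether the process survives depends on where the error boundary sits.
// FakeSocket, the connectionParams shape and onConnection are simplified assumptions.

class FakeSocket {
  closed: { code: number; reason: string } | null = null;
  close(code: number, reason: string): void {
    this.closed = { code, reason };
  }
}

// Assumed wire shape: connectionParams is a JSON object whose values are strings.
type ConnectionParams = Record<string, string>;

function parseConnectionParams(raw: string): ConnectionParams {
  let value: unknown;
  try {
    value = JSON.parse(raw);
  } catch {
    throw new Error('connectionParams: payload is not valid JSON');
  }
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    throw new Error('connectionParams: expected a JSON object');
  }
  const obj = value as Record<string, unknown>;
  for (const key of Object.keys(obj)) {
    if (typeof obj[key] !== 'string') {
      throw new Error(`connectionParams: "${key}" must be a string`);
    }
  }
  return obj as ConnectionParams;
}

// Stand-in for the adapter's onConnection: validate the payload, then build the context.
// A throw inside an async function becomes a rejected promise for the caller.
async function onConnection(socket: FakeSocket, rawParams: string): Promise<{ userId: string | null }> {
  const params = parseConnectionParams(rawParams);
  return { userId: params.token ? `user-for-${params.token}` : null };
}

// Vulnerable shape: the route handler awaits onConnection with no guard. A malformed
// payload rejects the handler's own promise, which the framework treats as a fatal error.
async function vulnerableHandler(socket: FakeSocket, rawParams: string): Promise<string> {
  await onConnection(socket, rawParams);
  return 'connected';
}

// Hardened shape: the error boundary lives in the handler. A malformed payload closes
// only that client's socket; the handler itself always resolves.
async function hardenedHandler(socket: FakeSocket, rawParams: string): Promise<string> {
  try {
    await onConnection(socket, rawParams);
    return 'connected';
  } catch (err: unknown) {
    const reason = err instanceof Error ? err.message : 'connection rejected';
    // 1008 = policy violation; WebSocket close reasons are capped at 123 bytes.
    socket.close(1008, reason.slice(0, 123));
    return 'rejected';
  }
}

// Constructed payloads: one well-formed, two malformed.
const PAYLOADS: string[] = ['{"token":"abc"}', '{"token":42}', 'not json at all'];

async function demo(): Promise<void> {
  for (const raw of PAYLOADS) {
    const hardened = new FakeSocket();
    const outcome = await hardenedHandler(hardened, raw);
    console.log(`hardened   ${JSON.stringify(raw)} -> ${outcome}`, hardened.closed ?? '');
    // The vulnerable handler's rejection is caught here only so the demo can continue;
    // without this .catch the rejection would escape exactly as the advisory describes.
    await vulnerableHandler(new FakeSocket(), raw)
      .then((r) => console.log(`vulnerable ${JSON.stringify(raw)} -> ${r}`))
      .catch((err: Error) => console.log(`vulnerable ${JSON.stringify(raw)} -> escaped: ${err.message}`));
  }
}

void demo();
```

The design point is that the catch sits in the per-connection handler, so one client's bad payload can only cost that client its socket. A guard placed at the framework's top-level error handler would still lose the connection context, and a rejection that reaches nobody becomes an unhandledRejection, which recent Node.js versions also treat as fatal by default.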
Detection Methods for CVE-2025-43855
Indicators of Compromise
- Repeated Node.js process crashes or container restarts correlated with inbound WebSocket upgrade requests to tRPC endpoints.
- Unhandled promise rejection or uncaught exception entries in application logs originating from the tRPC WebSocket adapter.
- WebSocket connection attempts containing malformed or unexpected connectionParams JSON payloads.
Detection Strategies
- Inventory running Node.js services and identify any using @trpc/server between 11.0.0 and 11.1.0 with WebSockets enabled.
- Alert on abnormal restart loops, exit code spikes, or process supervisor relaunches for services exposing tRPC WebSocket routes.
- Inspect reverse proxy and WAF logs for WebSocket Upgrade requests targeting tRPC paths immediately preceding service outages.
Monitoring Recommendations
- Track WebSocket connection failure rates and process uptime metrics for tRPC services using Prometheus, Datadog, or equivalent.
- Forward Node.js stderr and uncaughtException events to a centralized log pipeline for analytics and correlation.
- Implement rate limiting and anomaly detection on WebSocket handshake endpoints to flag repeated malformed handshakes from a single source.
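The indicators and detection strategies above boil down to one correlation: WebSocket upgrade requests at the edge, followed within seconds by a worker exit, repeatedly, from the same source. The TypeScript below is an added example, not from the advisory or the tRPC project, that runs that correlation over constructed log lines and also flags a restart loop. The proxy and supervisor line formats, the 5 second correlation window, and the thresholds are assumptions chosen for the example; adapt the regexes to whatever your proxy and supervisor actually emit.

```typescript
// Added example, not from the advisory or the tRPC project. It correlates WebSocket
// upgrade requests seen at the reverse proxy with worker crashes seen by the process
// supervisor, and flags restart loops. Log line formats are assumptions for the example.

interface UpgradeEvent { ts: number; ip: string; path: string }
interface CrashEvent { ts: number; exitCode: number; detail: string }

// Constructed proxy access lines: "<iso-time> <client-ip> <method> <path> Upgrade=<value> <status>"
const PROXY_LOG: string[] = [
  '2025-05-01T09:59:50Z 198.51.100.7 GET /trpc Upgrade=websocket 101',
  '2025-05-01T10:00:04Z 203.0.113.5 GET /trpc Upgrade=websocket 101',
  '2025-05-01T10:00:20Z 203.0.113.5 GET /trpc Upgrade=websocket 101',
  '2025-05-01T10:00:31Z 198.51.100.7 GET /trpc/health Upgrade=- 200',
  '2025-05-01T10:00:40Z 203.0.113.5 GET /trpc Upgrade=websocket 101',
];

// Constructed supervisor lines: "<iso-time> worker exited code=<n> <detail>" / "<iso-time> worker started pid=<n>"
const PROCESS_LOG: string[] = [
  '2025-05-01T10:00:05Z worker exited code=1 UnhandledPromiseRejection in ws adapter (connectionParams)',
  '2025-05-01T10:00:06Z worker started pid=4102',
  '2025-05-01T10:00:21Z worker exited code=1 UnhandledPromiseRejection in ws adapter (connectionParams)',
  '2025-05-01T10:00:22Z worker started pid=4110',
  '2025-05-01T10:00:41Z worker exited code=1 UnhandledPromiseRejection in ws adapter (connectionParams)',
];

const UPGRADE_RE = /^(\S+) (\S+) (\S+) (\S+) Upgrade=(\S+) (\d+)$/;
const CRASH_RE = /^(\S+) worker exited code=(\d+) (.*)$/;

function parseUpgradeLine(line: string): UpgradeEvent | null {
  const m = UPGRADE_RE.exec(line);
  if (!m) return null;
  const upgrade = m[5] ?? '';
  if (upgrade.toLowerCase() !== 'websocket') return null; // only WebSocket handshakes matter here
  return { ts: Date.parse(m[1] ?? ''), ip: m[2] ?? '', path: m[4] ?? '' };
}

function parseCrashLine(line: string): CrashEvent | null {
  const m = CRASH_RE.exec(line);
  if (!m) return null;
  return { ts: Date.parse(m[1] ?? ''), exitCode: Number(m[2]), detail: m[3] ?? '' };
}

function parseAll<T>(lines: string[], parse: (line: string) => T | null): T[] {
  const out: T[] = [];
  for (const line of lines) {
    const ev = parse(line);
    if (ev !== null) out.push(ev);
  }
  return out;
}

// For each crash, credit every source IP that completed a WebSocket upgrade within
// windowMs before it. Returns ip -> number of crashes that IP immediately preceded.
function correlateCrashes(upgrades: UpgradeEvent[], crashes: CrashEvent[], windowMs: number): Map<string, number> {
  const hits = new Map<string, number>();
  for (const crash of crashes) {
    const seen = new Set<string>();
    for (const up of upgrades) {
      if (up.ts <= crash.ts && crash.ts - up.ts <= windowMs) seen.add(up.ip);
    }
    seen.forEach((ip) => hits.set(ip, (hits.get(ip) ?? 0) + 1));
  }
  return hits;
}

// IPs that preceded at least minCrashes crashes, most suspicious first.
function findSuspects(hits: Map<string, number>, minCrashes: number): string[] {
  const out: { ip: string; n: number }[] = [];
  hits.forEach((n, ip) => { if (n >= minCrashes) out.push({ ip, n }); });
  out.sort((a, b) => b.n - a.n || a.ip.localeCompare(b.ip));
  return out.map((e) => e.ip);
}

// Restart loop: at least `threshold` non-zero exits inside any span of windowMs.
function isRestartLoop(crashes: CrashEvent[], threshold: number, windowMs: number): boolean {
  const times = crashes.filter((c) => c.exitCode !== 0).map((c) => c.ts).sort((a, b) => a - b);
  for (let i = 0; i + threshold - 1 < times.length; i++) {
    const first = times[i] ?? 0;
    const last = times[i + threshold - 1] ?? 0;
    if (last - first <= windowMs) return true;
  }
  return false;
}

function analyze(proxyLines: string[], processLines: string[]): { suspects: string[]; restartLoop: boolean } {
  const upgrades = parseAll(proxyLines, parseUpgradeLine);
  const crashes = parseAll(processLines, parseCrashLine);
  const hits = correlateCrashes(upgrades, crashes, 5000);
  return { suspects: findSuspects(hits, 2), restartLoop: isRestartLoop(crashes, 3, 60000) };
}

console.log(analyze(PROXY_LOG, PROCESS_LOG));
```

On the constructed input the benign client at 198.51.100.7 is never credited, because its handshake is 15 seconds before the first crash and its later request is not an upgrade, while 203.0.113.5 precedes all three exits and the three exits within 36 seconds trip the restart-loop check. In production the same logic runs as a scheduled query or streaming rule over the proxy and supervisor feeds named in the monitoring recommendations.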
How to Mitigate CVE-2025-43855
Immediate Actions Required
- Upgrade @trpc/server and related tRPC packages to version 11.1.1 or later across all environments.
- If patching is delayed, temporarily disable WebSocket transport and fall back to HTTP for tRPC procedures.
- Audit createContext configurations and ensure no untrusted services accept WebSocket connections without front-line filtering.
Patch Information
The vulnerability is fixed in tRPC 11.1.1. The patch is implemented in commit 9beb26c636d44852e0f407f3d7a82ad54df65b4d and details are published in GitHub Security Advisory GHSA-pj3v-9cm8-gvj8. Update by running npm install @trpc/server@^11.1.1 (or the equivalent for yarn or pnpm) and redeploy all server processes.
Workarounds
- Place tRPC WebSocket endpoints behind a reverse proxy or API gateway that validates connectionParams schema before forwarding upgrade requests.
- Configure a process supervisor such as pm2 or Kubernetes liveness probes to auto-restart crashed Node.js workers while patching is in progress.
- Apply IP-based rate limiting on WebSocket handshakes to reduce the rate at which an attacker can repeatedly crash a process.
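The last workaround, per-source rate limiting of handshakes, is the one that can be added in application code without touching the vulnerable path. The TypeScript below is an added example, not from the advisory or tRPC: a sliding-window limiter keyed by client IP, applied as a gate before the connection routine runs, so a throttled source is closed before its connectionParams are ever validated. The LimiterSocket shape, the 1013 close code, and the 5-per-minute budget are assumptions chosen for the example.

```typescript
// Added example, not from the advisory or tRPC. A per-source sliding-window limiter for
// WebSocket handshakes, run before the connection routine, so one source cannot repeat
// a crash-inducing handshake faster than the budget allows. LimiterSocket, the close
// code and the budget are assumptions for the example.

interface LimiterSocket { close(code: number, reason: string): void }

class HandshakeLimiter {
  private readonly attempts: Map<string, number[]>;
  private readonly maxPerWindow: number;
  private readonly windowMs: number;

  constructor(maxPerWindow: number, windowMs: number) {
    this.attempts = new Map<string, number[]>();
    this.maxPerWindow = maxPerWindow;
    this.windowMs = windowMs;
  }

  // Record one handshake from `ip` at time `now` (ms) and report whether it is within budget.
  allow(ip: string, now: number): boolean {
    const recent = (this.attempts.get(ip) ?? []).filter((t) => now - t < this.windowMs);
    if (recent.length >= this.maxPerWindow) {
      this.attempts.set(ip, recent);
      return false;
    }
    recent.push(now);
    this.attempts.set(ip, recent);
    return true;
  }

  // Evict sources with no handshake inside the window so the table cannot grow unbounded.
  prune(now: number): void {
    this.attempts.forEach((times, ip) => {
      if (times.every((t) => now - t >= this.windowMs)) this.attempts.delete(ip);
    });
  }

  trackedSources(): number {
    return this.attempts.size;
  }
}

type Decision = 'accept' | 'throttled';

// Gate to run before the adapter's connection routine: a throttled source is closed with
// 1013 (Try Again Later) and its connectionParams are never parsed.
function gateHandshake(limiter: HandshakeLimiter, ip: string, socket: LimiterSocket, now: number): Decision {
  if (limiter.allow(ip, now)) return 'accept';
  socket.close(1013, 'too many handshakes');
  return 'throttled';
}

// Constructed burst: one source attempts 8 handshakes in 10 seconds against a 5-per-minute budget.
function simulateBurst(): Decision[] {
  const limiter = new HandshakeLimiter(5, 60000);
  const closed: string[] = [];
  const socket: LimiterSocket = { close: (code, reason) => { closed.push(`${code} ${reason}`); } };
  const out: Decision[] = [];
  for (let i = 0; i < 8; i++) out.push(gateHandshake(limiter, '203.0.113.5', socket, i * 1250));
  return out;
}

console.log(simulateBurst());
```

Apply the gate as early as possible, ideally in the HTTP upgrade handler using the proxy-supplied client address, since a crash costs far more than a rejected handshake; a 1013 close tells well-behaved clients to back off. The limiter bounds repetition rather than removing the bug, so it complements, and does not replace, the 11.1.1 upgrade.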
# Upgrade tRPC server packages to the patched release
npm install @trpc/server@^11.1.1 @trpc/client@^11.1.1
# Verify installed version
npm ls @trpc/server
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.