CVE-2025-43855 Overview
tRPC is a TypeScript framework that lets developers build and consume fully typesafe APIs without schemas or code generation. CVE-2025-43855 affects tRPC versions starting from 11.0.0 to before 11.1.1. An unhandled error thrown during validation of invalid connectionParams crashes the tRPC WebSocket server. Any unauthenticated attacker can send malformed connection parameters and terminate the server process. Every tRPC 11 server with WebSocket enabled and a createContext method configured is affected. The maintainers patched the issue in version 11.1.1. The vulnerability is tracked under [CWE-248] (Uncaught Exception).
Critical Impact
Unauthenticated remote attackers can crash tRPC WebSocket servers by sending invalid connection parameters, causing application-wide denial of service.
Affected Products
- tRPC versions 11.0.0 through 11.1.0
- tRPC 11 servers with WebSocket support enabled
- tRPC 11 deployments configured with a createContext method
Discovery Timeline
- 2025-04-24 - CVE-2025-43855 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-43855
Vulnerability Analysis
The flaw is a denial of service condition caused by an uncaught exception in the tRPC WebSocket adapter. When a client establishes a WebSocket connection, tRPC validates the connectionParams payload before invoking the user-supplied createContext method. Invalid connectionParams cause the validation logic to throw an error that propagates up the asynchronous handler chain without being caught. Because the handler runs inside the WebSocket connection lifecycle of the host framework (such as Fastify), the unhandled rejection terminates the Node.js process. A single malformed WebSocket handshake is therefore sufficient to take the entire API offline.
Root Cause
The root cause is missing exception handling around the onConnection flow in the WebSocket adapter. The original Fastify plugin registered an async handler that awaited onConnection, allowing rejected promises from connectionParams validation to escape into the framework's error path and crash the worker. No try/catch boundary isolated the malformed input from the process loop, satisfying the conditions described by [CWE-248].
Attack Vector
Exploitation requires no authentication and no user interaction. An attacker connects to the tRPC WebSocket endpoint and sends a handshake message containing structurally invalid connectionParams. The validation layer throws, the rejection is not caught, and the server process exits. Because the vector is network-reachable and stateless, the attack is trivially repeatable and can be scripted against any exposed tRPC 11 WebSocket endpoint.
// Patch from packages/server/src/adapters/fastify/fastifyTRPCPlugin.ts
...trpcOptions,
});
- fastify.get(prefix ?? '/', { websocket: true }, async (socket, req) => {
- await onConnection(socket, req.raw);
+ fastify.get(prefix ?? '/', { websocket: true }, (socket, req) => {
+ onConnection(socket, req.raw);
if (trpcOptions?.keepAlive?.enabled) {
const { pingMs, pongWaitMs } = trpcOptions.keepAlive;
handleKeepAlive(socket, pingMs, pongWaitMs);
Source: GitHub Commit 9beb26c. The fix removes the async/await wrapper so that promise rejections from onConnection no longer bubble out of the Fastify route handler as uncaught exceptions.
Detection Methods for CVE-2025-43855
Indicators of Compromise
- Abrupt process exits or container restarts on Node.js services exposing tRPC WebSocket endpoints.
- Unhandled promise rejection log entries referencing connectionParams validation or the tRPC WebSocket adapter.
- Repeated short-lived WebSocket connections from a single source immediately preceding a crash.
Detection Strategies
- Inventory all running services and identify any using @trpc/server at versions 11.0.0 through 11.1.0 with WebSocket support enabled.
- Correlate Node.js process restart events with inbound WebSocket handshake traffic to flag denial of service attempts.
- Inspect application logs for stack traces originating in the tRPC WebSocket connection handler that terminate the worker process.
Monitoring Recommendations
- Configure uptime and process-restart alerts for any service exposing tRPC WebSocket endpoints to the internet.
- Forward Node.js stderr and unhandledRejection events into a centralized log pipeline for retrospective analysis.
- Monitor WebSocket handshake error rates per source IP to detect crash-loop probing.
How to Mitigate CVE-2025-43855
Immediate Actions Required
- Upgrade @trpc/server and related tRPC packages to version 11.1.1 or later across all services.
- Audit dependency manifests (package.json, lockfiles) to confirm no transitive dependency pins a vulnerable tRPC 11 release.
- Restart all Node.js workers after upgrading to ensure the patched adapter is loaded.
Patch Information
The issue is fixed in tRPC 11.1.1. The remediation commit 9beb26c updates the Fastify WebSocket plugin so that rejected promises from onConnection no longer escape to the framework's error path. Full details are available in the tRPC GitHub Security Advisory GHSA-pj3v-9cm8-gvj8.
Workarounds
- Restrict network exposure of the tRPC WebSocket endpoint to authenticated internal clients using a reverse proxy or service mesh policy until upgrading.
- Disable WebSocket support in tRPC and fall back to HTTP transports if upgrade cannot be performed immediately.
- Place the WebSocket endpoint behind a rate-limiting gateway to slow repeated malformed handshake attempts.
# Upgrade tRPC server packages to the patched release
npm install @trpc/server@^11.1.1 @trpc/client@^11.1.1
# Verify installed version
npm ls @trpc/server
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

