
fix(deps): upgrade gRPC to v1.79.3 to fix authorization bypass vulnerability#715

Merged
michaeljguarino merged 1 commit into main from agent/upgrade-grpc-1.79.3-security-fix-1710900120000
Mar 20, 2026

Conversation

@plural-copilot
Contributor

Summary

This PR upgrades google.golang.org/grpc from v1.79.1 to v1.79.3 to fix a security vulnerability.

Vulnerability Details

Type: Authorization Bypass via Improper Input Validation

The gRPC-Go server was accepting requests where the :path HTTP/2 pseudo-header omitted the mandatory leading slash (e.g., Service/Method instead of /Service/Method). While the server correctly routed these requests, authorization interceptors evaluated the raw, non-canonical path string. This allowed "deny" rules defined using canonical paths to be bypassed.

Impact

This affects gRPC-Go servers that:

  1. Use path-based authorization interceptors
  2. Have security policies with specific "deny" rules for canonical paths but allow other requests by default

Fix

The patch ensures any request with a :path not starting with a leading slash is immediately rejected with a codes.Unimplemented error.

Changes

  • go.mod: Updated google.golang.org/grpc from v1.79.1 to v1.79.3
  • go.sum: Updated checksums for the new version

Test Plan

  • Verified checksums from official Go module proxy
  • CI/CD pipeline will validate build and tests

Fixes security vulnerability: gRPC-Go authorization bypass via missing
leading slash in :path pseudo-header. This is an authorization bypass
resulting from improper input validation that allows attackers to
bypass path-based authorization policies.

CVE fix recommended upgrade from v1.79.1 to v1.79.3.
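The bypass the PR describes, as an added example that is not part of the PR, of the plural code base, or of gRPC-Go itself: a default-allow policy with an explicit deny rule keyed by the canonical full method name, an interceptor that evaluates the raw :path (the pre-fix behaviour), and a hardened variant that rejects any :path without a leading slash before the policy is consulted (the v1.79.3 behaviour as the PR states it). It uses only the standard library; the `Code` type, the `Policy` struct, the `route` helper and the method names are stand-ins constructed for this example, not gRPC-Go's own types.

```go
// Added example modelling the :path authorization bypass; not code from the
// PR, the plural project, or gRPC-Go. Standard library only.
package main

import (
	"fmt"
	"strings"
)

// Code is a stand-in for gRPC status codes (assumption: names mirror codes.Code).
type Code int

const (
	OK Code = iota
	Unimplemented
	PermissionDenied
)

func (c Code) String() string {
	switch c {
	case OK:
		return "OK"
	case Unimplemented:
		return "Unimplemented"
	case PermissionDenied:
		return "PermissionDenied"
	}
	return "Unknown"
}

// Policy is the shape the PR says is affected: allow by default, with explicit
// deny rules written against canonical full method names ("/Service/Method").
type Policy struct {
	Deny map[string]bool
}

// route models a server that tolerates a missing leading slash: it strips an
// optional "/" and splits on the last "/". This is a simplification written for
// the example, not gRPC-Go's routing code, but it shows why "Service/Method"
// still reached the right handler while the interceptor saw a different string.
func route(path string) (service, method string, ok bool) {
	sm := strings.TrimPrefix(path, "/")
	i := strings.LastIndex(sm, "/")
	if i <= 0 || i == len(sm)-1 {
		return "", "", false
	}
	return sm[:i], sm[i+1:], true
}

// authorizeRaw mirrors the pre-fix interceptor: the deny rule is looked up with
// the :path exactly as received. "Service/Method" does not equal the deny key
// "/Service/Method", so the default-allow branch wins.
func authorizeRaw(p Policy, path string) Code {
	if p.Deny[path] {
		return PermissionDenied
	}
	return OK
}

// authorizeFixed mirrors the v1.79.3 behaviour described in the PR: a :path that
// does not begin with "/" is rejected with Unimplemented before any policy is
// evaluated, so only canonical paths are ever compared against deny rules.
func authorizeFixed(p Policy, path string) Code {
	if !strings.HasPrefix(path, "/") {
		return Unimplemented
	}
	if p.Deny[path] {
		return PermissionDenied
	}
	return OK
}

func main() {
	// Constructed policy: one denied method, everything else allowed.
	policy := Policy{Deny: map[string]bool{"/admin.Admin/DeleteUser": true}}
	for _, path := range []string{
		"/admin.Admin/DeleteUser", // canonical: denied both before and after
		"admin.Admin/DeleteUser",  // non-canonical: allowed before, rejected after
		"/pkg.Public/Ping",        // not in the deny list: allowed both before and after
	} {
		svc, m, ok := route(path)
		fmt.Printf("%-25s routes=%v (%s/%s) raw=%-16v fixed=%v\n",
			path, ok, svc, m, authorizeRaw(policy, path), authorizeFixed(policy, path))
	}
}
```

The check that matters lives in `authorizeFixed`: the reject happens on the shape of the path, not on the policy, so no deny rule has to anticipate non-canonical spellings. A server on a version before the fix that cannot upgrade immediately could apply the same prefix check in its own interceptor; after upgrading to v1.79.3 the server performs it before the interceptor runs.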
Contributor Author

@plural-copilot plural-copilot bot left a comment


This PR was generated by the claude (engine: claude) agent runtime. Here's some useful information you might want to know to evaluate the AI's performance:

Name             Details
💬 Prompt        Security scanners have found the following vulnerability in our cluster:...
🔗 Run history   View run history

@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff      Package                                    Supply Chain Security   Vulnerability   Quality   Maintenance   License
Updated   google.golang.org/grpc@v1.79.1 ⏵ v1.79.3   75 (+1)                 100 (+75)       100       100           100

View full report

@michaeljguarino michaeljguarino added the enhancement New feature or request label Mar 20, 2026
@michaeljguarino michaeljguarino merged commit 187c1c5 into main Mar 20, 2026
14 of 15 checks passed
@michaeljguarino michaeljguarino deleted the agent/upgrade-grpc-1.79.3-security-fix-1710900120000 branch March 20, 2026 02:34