CVE-2025-43855

Source
https://cve.org/CVERecord?id=CVE-2025-43855
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-43855.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-43855
Aliases
Published
2025-04-24T13:58:30.536Z
Modified
2026-04-02T12:49:46.910676Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Summary
tRPC 11 WebSocket DoS Vulnerability
Details

tRPC allows users to build and consume fully typesafe APIs without schemas or code generation. In versions from 11.0.0 up to, but not including, 11.1.1, an unhandled error is thrown when validating invalid connectionParams, which crashes a tRPC WebSocket server. This allows any unauthenticated user to crash a tRPC 11 WebSocket server. Any tRPC 11 server with WebSocket enabled and a createContext method set is vulnerable. This issue has been patched in version 11.1.1.

Database specific
{
    "cwe_ids": [
        "CWE-248"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/43xxx/CVE-2025-43855.json"
}
References

Affected packages

Git / github.com/trpc/trpc

Affected ranges

Type
GIT
Repo
https://github.com/trpc/trpc
Events

Affected versions

v11.*
v11.0.0
v11.0.1
v11.0.2
v11.0.3
v11.0.4
v11.1.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-43855.json"