CVE-2025-43855 HIGH

CVE-2025-43855: tRPC 11 WebSocket DoS Vulnerability

Vendor Trpc
Product trpc
Weakness CWE-248
Published April 24, 2025
Last update May 14, 2025

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

tRPC allows users to build and consume fully typesafe APIs without schemas or code generation. In versions from 11.0.0 up to, but not including, 11.1.1, validating invalid connectionParams throws an unhandled error that crashes a tRPC WebSocket server. This allows any unauthenticated user to crash a tRPC 11 WebSocket server. Any tRPC 11 server that has WebSocket enabled and a createContext method set is vulnerable. The issue is patched in version 11.1.1.

Key dates

02 Disclosure timeline

April 24, 2025 CVE published
May 14, 2025 Record updated
