gRPC Swift versions 1.0.0, 1.1.0 and 1.1.1 contain three vulnerabilities, each of which could lead to a denial of service. They were discovered by fuzz testing.
No workarounds are available; users must upgrade to 1.2.0.
Details of each vulnerability are available in the security advisories on GitHub:
- Uncontrolled Resource Consumption in LengthPrefixedMessageReader (CVE-2021-36155)
- Incomplete Internal State Distinction in GRPCWebToHTTP2ServerCodec (CVE-2021-36153)
- Uncontrolled Recursion in HTTP2ToRawGRPCServerCodec (CVE-2021-36154)