Description
When a client opens a WebSocket connection, a tRPC 11 server validates the `connectionParams` the client sends. Invalid `connectionParams` cause an error to be thrown that nothing catches, so the server process crashes rather than rejecting the one bad connection. Because this validation happens before any authentication, any unauthenticated client that can reach the WebSocket endpoint can crash a tRPC 11 WebSocket server (denial of service).
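The following is an added example, not tRPC's own code, that models the failure class described above: a first-frame validator that signals bad input by throwing, so a malformed frame from an unauthenticated client becomes an uncaught exception (or unhandled rejection) that terminates the Node.js process, next to a hardened variant that returns a result and closes only the offending socket. The frame shape `{method: "connectionParams", data: ...}`, the close codes, the fake socket and all function names are assumptions for illustration.

```javascript
// Added example (not tRPC's code). The connectionParams frame shape, close
// codes and helper names below are assumptions for illustration.

// Vulnerable pattern: assumes `data` is a plain object of strings and throws
// on anything else. Called from a ws 'message' listener with no catch, the
// throw escapes the event loop and crashes the whole server, not just the
// offending connection.
function parseConnectionParamsUnsafe(data) {
  const params = {};
  for (const [key, value] of Object.entries(data)) { // TypeError on null/undefined
    if (typeof value !== "string") {
      throw new TypeError(`connectionParams.${key} must be a string`);
    }
    params[key] = value;
  }
  return params;
}

// Hardened pattern: every malformed shape maps to a result value. Nothing is
// thrown, so the caller can reject the one client and keep serving the rest.
function parseConnectionParamsSafe(data) {
  if (data === null) return { ok: true, params: null };
  if (typeof data !== "object" || Array.isArray(data)) {
    return { ok: false, error: "connectionParams must be an object or null" };
  }
  const params = {};
  for (const [key, value] of Object.entries(data)) {
    if (typeof value !== "string") {
      return { ok: false, error: `connectionParams.${key} must be a string` };
    }
    params[key] = value;
  }
  return { ok: true, params };
}

// Stand-in for a WebSocket 'message' handler for the first frame. It never
// throws: JSON errors and validation errors are reported to the client and
// that socket alone is closed. `socket` only needs send() and close().
function handleConnectionParamsFrame(rawFrame, socket) {
  let msg;
  try {
    msg = JSON.parse(rawFrame);
  } catch (err) {
    socket.send(JSON.stringify({ error: "malformed JSON" }));
    socket.close(1003); // 1003: unsupported data
    return { accepted: false, reason: "malformed JSON" };
  }
  if (msg === null || typeof msg !== "object" || msg.method !== "connectionParams") {
    socket.send(JSON.stringify({ error: "expected connectionParams frame" }));
    socket.close(1008); // 1008: policy violation
    return { accepted: false, reason: "unexpected frame" };
  }
  const result = parseConnectionParamsSafe(msg.data);
  if (!result.ok) {
    socket.send(JSON.stringify({ error: result.error }));
    socket.close(1008);
    return { accepted: false, reason: result.error };
  }
  return { accepted: true, params: result.params };
}

// Constructed fake socket so the example runs offline.
function makeFakeSocket() {
  const socket = { sent: [], closeCode: null };
  socket.send = (frame) => socket.sent.push(frame);
  socket.close = (code) => { socket.closeCode = code; };
  return socket;
}

// Constructed frames: one valid, two that a hostile unauthenticated client could send.
const VALID_FRAME = JSON.stringify({ method: "connectionParams", data: { token: "abc" } });
const NULL_DATA_FRAME = JSON.stringify({ method: "connectionParams", data: null });
const ARRAY_DATA_FRAME = JSON.stringify({ method: "connectionParams", data: [1, 2] });

// Returns true if the unsafe parser throws on the given data (i.e. would have
// crashed an unprotected server).
function unsafeParserThrows(data) {
  try {
    parseConnectionParamsUnsafe(data);
    return false;
  } catch (err) {
    return true;
  }
}
```

The point of the contrast is where the error ends up: in the unsafe variant a `TypeError` raised on `data: null` or `data: [1, 2]` propagates out of the event handler and, under Node's default behaviour, terminates the process; in the hardened variant the same inputs produce an error frame and a close on that socket only. Belt-and-braces, a server should also wrap the whole handler in a `try`/`catch` (and `.catch()` on any promise) so that an unexpected throw from deeper validation code still cannot take the process down.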
Recommendation
Update the @trpc/server package to the latest compatible version. Version details:
- Affected version(s): >= 11.0.0, < 11.1.1
- Patched version(s): 11.1.1
References
Related Issues
- tRPC has possible prototype pollution in `experimental_nextAppDirCaller` - CVE-2025-68130
- node-opcua DoS vulnerability via message with memory allocation that exceeds v8's memory limit - CVE-2022-25231
- @octokit/endpoint has a Regular Expression in parse that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking - CVE-2025-25285
- @octokit/request-error has a Regular Expression in index that Leads to ReDoS Vulnerability Due to Catastrophic Backtrack - CVE-2025-25289
Tags:
- npm
- @trpc/server
Last updated on April 24, 2025