It's possible for a gRPC client communicating with an HTTP/2 proxy to poison the HPACK table between the proxy and the backend such that other clients see failed requests. It's also possible to use this vulnerability to leak other clients' HTTP header keys, but not values.
This occurs because the error status for a misencoded header is not cleared between header reads, so headers added subsequently (with incremental indexing) in the first request are poisoned until cleared from the HPACK table.
Please update to a fixed version of gRPC as soon as possible. This bug has been fixed in 1.58.3, 1.59.5, 1.60.2, 1.61.3, 1.62.3, 1.63.2, 1.64.3 and 1.65.4.
                
History

Tue, 22 Jul 2025 19:30:00 +0000

| Type | Values Removed | Values Added | 
|---|---|---|
| First Time appeared | Grpc Grpc grpc | |
| Weaknesses | NVD-CWE-noinfo | |
| CPEs | cpe:2.3:a:grpc:grpc:*:*:*:*:*:-:*:* | |
| Vendors & Products | Grpc Grpc grpc | |
| Metrics | cvssV3_1 | cvssV3_1 |

Thu, 13 Feb 2025 00:45:00 +0000

| Type | Values Removed | Values Added | 
|---|---|---|
| First Time appeared | Redhat rhui | |
| CPEs | cpe:/a:redhat:rhui:4::el8 | |
| Vendors & Products | Redhat rhui | |

Wed, 06 Nov 2024 15:00:00 +0000

| Type | Values Removed | Values Added | 
|---|---|---|
| First Time appeared | Redhat satellite Redhat satellite Capsule | |
| CPEs | cpe:/a:redhat:satellite:6.16::el8 cpe:/a:redhat:satellite:6.16::el9 cpe:/a:redhat:satellite_capsule:6.16::el8 cpe:/a:redhat:satellite_capsule:6.16::el9 | |
| Vendors & Products | Redhat satellite Redhat satellite Capsule | |

Sun, 08 Sep 2024 19:00:00 +0000

| Type | Values Removed | Values Added | 
|---|---|---|
| First Time appeared | Redhat Redhat ansible Automation Platform | |
| CPEs | cpe:/a:redhat:ansible_automation_platform:2.4::el8 cpe:/a:redhat:ansible_automation_platform:2.4::el9 | |
| Vendors & Products | Redhat Redhat ansible Automation Platform | |

MITRE

Status: PUBLISHED
Assigner: Google
Published: 2024-08-06T10:14:28.492Z
Updated: 2024-08-06T13:17:59.082Z
Reserved: 2024-07-29T20:41:21.403Z
Link: CVE-2024-7246

Vulnrichment

Updated: 2024-08-06T13:17:53.540Z

NVD

Status: Analyzed
Published: 2024-08-06T11:16:07.587
Modified: 2025-07-22T19:29:58.023
Link: CVE-2024-7246

Redhat