GHSA-8G29-8XWR-QMHR

Vulnerability from github – Published: 2026-03-25 17:33 – Updated: 2026-03-25 17:33
VLAI
Summary
@grackle-ai/server JSON.parse lacks try-catch logic in its gRPC Service AdapterConfig Handling
Details

Impact

JSON.parse(env.adapterConfig) is called without error handling in three locations within the gRPC service. While the data originates from the server's own SQLite database and should always be valid JSON, database corruption, migration errors, or unexpected state could cause an unhandled exception that crashes the gRPC handler.

Additionally, the parsed result is cast as Record<string, unknown> and passed to adapter methods without property validation, creating a theoretical prototype pollution surface if the database is compromised.

Affected code: - packages/server/src/grpc-service.ts:415reconnectOrProvision handler - packages/server/src/grpc-service.ts:482stopEnvironment handler - packages/server/src/grpc-service.ts:498destroyEnvironment handler

Patches

Fix: Wrap in try-catch and return a meaningful gRPC error:

let config: Record<string, unknown>;
try {
  config = JSON.parse(env.adapterConfig) as Record<string, unknown>;
} catch {
  throw new ConnectError("Invalid adapter configuration", Code.Internal);
}

Workarounds

Ensure database integrity. Back up the SQLite database regularly.

Resources

  • CWE-754: Improper Check for Unusual or Exceptional Conditions
  • File: packages/server/src/grpc-service.ts
Severity
2.1 (Low)
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.70.5"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@grackle-ai/server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.70.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-754"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-25T17:33:01Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Impact\n\n`JSON.parse(env.adapterConfig)` is called without error handling in three locations within the gRPC service. While the data originates from the server\u0027s own SQLite database and should always be valid JSON, database corruption, migration errors, or unexpected state could cause an unhandled exception that crashes the gRPC handler.\n\nAdditionally, the parsed result is cast as `Record\u003cstring, unknown\u003e` and passed to adapter methods without property validation, creating a theoretical prototype pollution surface if the database is compromised.\n\n**Affected code:**\n- `packages/server/src/grpc-service.ts:415` \u2014 `reconnectOrProvision` handler\n- `packages/server/src/grpc-service.ts:482` \u2014 `stopEnvironment` handler\n- `packages/server/src/grpc-service.ts:498` \u2014 `destroyEnvironment` handler\n\n### Patches\n\n**Fix:** Wrap in try-catch and return a meaningful gRPC error:\n```typescript\nlet config: Record\u003cstring, unknown\u003e;\ntry {\n  config = JSON.parse(env.adapterConfig) as Record\u003cstring, unknown\u003e;\n} catch {\n  throw new ConnectError(\"Invalid adapter configuration\", Code.Internal);\n}\n```\n\n### Workarounds\n\nEnsure database integrity. Back up the SQLite database regularly.\n\n### Resources\n\n- CWE-754: Improper Check for Unusual or Exceptional Conditions\n- File: `packages/server/src/grpc-service.ts`",
  "id": "GHSA-8g29-8xwr-qmhr",
  "modified": "2026-03-25T17:33:01Z",
  "published": "2026-03-25T17:33:01Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nick-pape/grackle/security/advisories/GHSA-8g29-8xwr-qmhr"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nick-pape/grackle"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "@grackle-ai/server JSON.parse lacks try-catch logic in its gRPC Service AdapterConfig Handling"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.