CVE-2026-45799
square · wire
The Wire library for gRPC and protocol buffers contains an improper validation of array index vulnerability, which may lead to denial of service conditions.
Executive summary
An improper validation of array index vulnerability in the Square Wire library poses a risk of application denial of service.
Vulnerability
The vulnerability is an improper validation of an array index (CWE-129) that can be triggered by unauthenticated remote attackers. The issue resides within the protocol buffer processing logic, which can lead to application crashes when processing malicious inputs.
Business impact
The primary impact of this vulnerability is a denial of service, where an attacker can crash applications relying on the vulnerable library. With a CVSS score of 7.5, this high-severity flaw could disrupt critical business services that depend on gRPC or protocol buffer communications for inter-service data exchange.
Remediation
Immediate Action: Update the Wire library to version 6.3.0 or 7.0.0-alpha03, depending on the current deployment branch, to incorporate the necessary validation fixes.
Proactive Monitoring: Review application logs for recurring crashes or exceptions related to protocol buffer deserialization, which may signal an ongoing attempt to exploit this index validation flaw.
Compensating Controls: Deploy a Web Application Firewall or similar inspection tool capable of validating incoming protocol buffer traffic to drop malformed packets before they reach the vulnerable code path.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Development teams using the Square Wire library should prioritize updating their dependencies to the latest patched versions. Given the ease of exploitation, failure to patch may leave exposed services vulnerable to simple denial of service attacks.