CVE-2025-43855
CVE-2025-43855 is a high-severity vulnerability with a CVSS 4.0 base score of 8.7. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-248.
Key facts
- Severity: High (CVSS 4.0 base score 8.7)
- EPSS exploit prediction: 0% (27th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2025-12106
- Weakness: CWE-248
- Published:
- Last modified:
Description
tRPC allows users to build & consume fully typesafe APIs without schemas or code generation. In versions starting from 11.0.0 to before 11.1.1, an unhandled error is thrown when validating invalid connectionParams which crashes a tRPC WebSocket server. This allows any unauthenticated user to crash a tRPC 11 WebSocket server. Any tRPC 11 server with WebSocket enabled with a createContext method set is vulnerable. This issue has been patched in version 11.1.1.
Frequently asked questions
- What is CVE-2025-43855?
- tRPC allows users to build & consume fully typesafe APIs without schemas or code generation. In versions starting from 11.0.0 to before 11.1.1, an unhandled error is thrown when validating invalid connectionParams which crashes a tRPC WebSocket server. This allows any unauthenticated user to crash a tRPC 11 WebSocket server. Any tRPC 11 server with WebSocket enabled with a createContext method set is vulnerable. This issue has been patched in version 11.1.1.
- How severe is CVE-2025-43855?
- CVE-2025-43855 has a CVSS 4.0 base score of 8.7, rated high severity.
- Is CVE-2025-43855 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (27th percentile), an estimate of the probability of exploitation in the next 30 days.
- How do I fix CVE-2025-43855?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2025-43855 have an EU (EUVD) identifier?
- Yes. CVE-2025-43855 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-12106.
- When was CVE-2025-43855 published?
- CVE-2025-43855 was published on 2025-04-24 and last updated on 2026-06-17.
References
- https://github.com/trpc/trpc/commit/9beb26c636d44852e0f407f3d7a82ad54df65b4d
- https://github.com/trpc/trpc/security/advisories/GHSA-pj3v-9cm8-gvj8
Other CWE-248 vulnerabilities
- CVE-2018-11466 — Critical (CVSS 9.8): A vulnerability has been identified in SINUMERIK 808D V4.7 (All versions), SINUMERIK 808D V4.8 (All versions),…
- CVE-2024-42037 — Critical (CVSS 9.3): Vulnerability of uncaught exceptions in the Graphics module Impact: Successful exploitation of this vulnerability may…
- CVE-2025-53620 — Critical (CVSS 9.2): @builder.io/qwik-city is the meta-framework for Qwik. When a Qwik Server Action QRL is executed it dynamically load the…
- CVE-2026-46689 — High (CVSS 8.7): Kanidm is an identity management platform. Prior to version 1.9.3, a single unauthenticated GET to any /scim/v1/...…
- CVE-2026-9509 — High (CVSS 8.7): An unhandled exception in Suprema BioStar 2 (Server), versions 2.9.8, 2.9.10, and 2.9.11, that allows an…
- CVE-2025-9124 — High (CVSS 8.7): A denial-of-service security issue in the affected product. The security issue stems from a fault occurring when a…