Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
📦 npm

GHSA-8g29-8xwr-qmhr

@grackle-ai/server JSON.parse lacks try-catch logic in its gRPC Service AdapterConfig Handling

Published
Mar 25, 2026
Updated
Mar 25, 2026
Affected
1 pkg
Patched
1 / 1
Exploits
None indexed

Blast Radius

1 pkg affected

Weekly download volume for affected packages — a proxy for how broadly this vulnerability is deployed.

@grackle-ai/servernpm
3Kdownloads / week

Description

Impact

JSON.parse(env.adapterConfig) is called without error handling in three locations within the gRPC service. While the data originates from the server's own SQLite database and should always be valid JSON, database corruption, migration errors, or unexpected state could cause an unhandled exception that crashes the gRPC handler.

Additionally, the parsed result is cast as Record<string, unknown> and passed to adapter methods without property validation, creating a theoretical prototype pollution surface if the database is compromised.

Affected code:

  • packages/server/src/grpc-service.ts:415reconnectOrProvision handler
  • packages/server/src/grpc-service.ts:482stopEnvironment handler
  • packages/server/src/grpc-service.ts:498destroyEnvironment handler

Patches

Fix: Wrap in try-catch and return a meaningful gRPC error:

let config: Record<string, unknown>;
try {
  config = JSON.parse(env.adapterConfig) as Record<string, unknown>;
} catch {
  throw new ConnectError("Invalid adapter configuration", Code.Internal);
}

Workarounds

Ensure database integrity. Back up the SQLite database regularly.

Resources

  • CWE-754: Improper Check for Unusual or Exceptional Conditions
  • File: packages/server/src/grpc-service.ts

Affected Packages

1 total 1 fixed
EcosystemPackageVulnerable rangeFix
📦npm@grackle-ai/serverall versions0.70.6

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for @grackle-ai/server. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update @grackle-ai/server to 0.70.6 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-8g29-8xwr-qmhr is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-8g29-8xwr-qmhr is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-8g29-8xwr-qmhr. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Impact `JSON.parse(env.adapterConfig)` is called without error handling in three locations within the gRPC service. While the data originates from the server's own SQLite database and should always be valid JSON, database corruption, migration errors, or unexpected state could cause an unhandled exception that crashes the gRPC handler. Additionally, the parsed result is cast as `Record<string, unknown>` and passed to adapter methods without property validation, creating a theoretical prototype pollution surface if the database is compromised. **Affected code:** - `packages/server/src/gr
O3 Security · Impact-Aware SCA

Is GHSA-8g29-8xwr-qmhr in your dependencies?

O3 detects GHSA-8g29-8xwr-qmhr across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works