GHSA-8g29-8xwr-qmhr: @grackle-ai/server JSON.parse lacks try-catch logic in its gRPC Service AdapterConfig Handling
Summary
A vulnerability in the @grackle-ai/server package fails to handle errors when parsing JSON configuration data in three locations within its gRPC service (a remote procedure call system for inter-process communication). If the underlying SQLite database becomes corrupted or enters an unexpected state, the code could crash without gracefully reporting an error, and the unvalidated parsed data could theoretically be exploited if the database is compromised.
Solution / Mitigation
Wrap the JSON.parse() calls in try-catch blocks to handle errors gracefully. The source provides this exact fix: 'let config: Record<string, unknown>; try { config = JSON.parse(env.adapterConfig) as Record<string, unknown>; } catch { throw new ConnectError("Invalid adapter configuration", Code.Internal); }' Apply this pattern to all three affected locations in packages/server/src/grpc-service.ts (lines 415, 482, and 498).
Classification
Affected Vendors
Affected Packages
Related Issues
CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
Original source: https://github.com/advisories/GHSA-8g29-8xwr-qmhr
First tracked: March 25, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 75%