GHSA-8g29-8xwr-qmhr: @grackle-ai/server JSON.parse lacks try-catch logic in its gRPC Service AdapterConfig Handling
Summary
A vulnerability in the @grackle-ai/server package fails to handle errors when parsing JSON configuration data in three locations within its gRPC service (a remote procedure call system for inter-process communication). If the underlying SQLite database becomes corrupted or enters an unexpected state, the code could crash without gracefully reporting an error, and the unvalidated parsed data could theoretically be exploited if the database is compromised.
Solution / Mitigation
Wrap the JSON.parse() calls in try-catch blocks to handle errors gracefully. The source provides this exact fix: 'let config: Record<string, unknown>; try { config = JSON.parse(env.adapterConfig) as Record<string, unknown>; } catch { throw new ConnectError("Invalid adapter configuration", Code.Internal); }' Apply this pattern to all three affected locations in packages/server/src/grpc-service.ts (lines 415, 482, and 498).
Classification
Affected Vendors
Affected Packages
Related Issues
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive
Original source: https://github.com/advisories/GHSA-8g29-8xwr-qmhr
First tracked: March 25, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 75%