Information Disclosure via createInsecure() Disabling TLS in gRPC Client/Server

High Risk Network & Transport Security
javascript, grpc, tls, insecure, plaintext, nodejs

What it is

Over a plaintext connection anyone on the network path can act as a man-in-the-middle: read or modify RPC requests and responses, capture bearer tokens and other credentials carried in call metadata, and impersonate either endpoint, because without TLS neither side verifies the other's identity.

Why it happens

The client is built with grpc.credentials.createInsecure() (or the server with grpc.ServerCredentials.createInsecure()) instead of SSL/TLS credentials, so every RPC travels in plaintext with no authentication of the peer.

Root causes

createInsecure() in Production

Shipping grpc.credentials.createInsecure() on the client, or grpc.ServerCredentials.createInsecure() on the server, to production instead of createSsl() with real certificates, so production traffic is sent in plaintext.

Local Development Settings

Hard-coding insecure connections for local development and never switching to secure credentials when the same code is deployed to production.

Service Mesh Assumption

Assuming the service mesh encrypts everything and using insecure gRPC without verifying the mesh configuration. A sidecar mesh only protects the hop between sidecars, and only when it is configured to enforce mutual TLS rather than merely permit it; traffic to endpoints outside the mesh, or from workloads without a sidecar, still travels in plaintext.

Fixes

1

Use SSL/TLS Credentials

Replace createInsecure() with createSsl() on both ends: on the client, grpc.credentials.createSsl(rootCerts) with the CA certificate that issued the server's certificate; on the server, grpc.ServerCredentials.createSsl(rootCerts, keyCertPairs) with the server's private key and certificate chain.

2

Enable Mutual TLS

Implement mutual TLS (mTLS) by also giving the client its own private key and certificate, and having the server require and verify client certificates (the checkClientCertificate argument of grpc.ServerCredentials.createSsl), so that both ends are authenticated rather than only the server.

3

Environment-Based Configuration

Select credentials from environment configuration and fail closed: make TLS the default, accept insecure credentials only when a development mode is explicitly requested, and refuse to start if insecure is requested while NODE_ENV is production.

Detect This Vulnerability in Your Code

Sourcery automatically identifies information disclosure via createInsecure() disabling TLS in gRPC clients and servers, along with many other security issues in your codebase.