Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Remote network reach, low complexity, no auth or user interaction needed; impact is process crash so availability-only with no confidentiality or integrity effect.
Primary rating from Vendor (https://github.com/grpc/grpc-node).
CVSS VectorVendor: https://github.com/grpc/grpc-node
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2Blast Radius
ecosystem impact- 17 npm packages depend on @grpc/grpc-js (11 direct, 6 indirect)
Ecosystem-wide dependent count for version 1.10.0.
DescriptionCVE.org
Impact
An invalid incoming HTTP/2 stream initiation can cause a server process to crash. This affects all servers created using @grpc/grpc-js.
Patches
The following version have fixes for this vulnerability:
- 1.9.16
- 1.10.12
- 1.11.4
- 1.12.7
- 1.13.5
- 1.14.4
Workarounds
There is no workaround.
AnalysisAI
Remote denial of service in @grpc/grpc-js (the official gRPC library for Node.js) allows unauthenticated network attackers to crash any server process by sending a malformed HTTP/2 stream initiation frame. The flaw stems from an uncaught exception (CWE-248) triggered during stream setup, affecting all server applications built on this widely-used npm package across multiple release branches (1.9.x through 1.14.x). No public exploit identified at time of analysis, but the trivial attack complexity and absence of any workaround make patching the only mitigation.
Technical ContextAI
The @grpc/grpc-js package is the pure-JavaScript implementation of gRPC for Node.js, distributed via npm as @grpc/grpc-js and used by a large portion of the Node ecosystem for microservice RPC. gRPC layers on top of HTTP/2, and this vulnerability lives in the server-side HTTP/2 stream initiation path: when an invalid frame opens a new stream, the resulting error propagates uncaught and terminates the Node.js process. This is a textbook CWE-248 (Uncaught Exception) issue, which in Node is especially severe because an unhandled exception in an HTTP/2 callback bypasses normal request-scoped error handling and crashes the entire event loop, taking down every concurrent connection on that server.
RemediationAI
Vendor-released patches are available; upgrade @grpc/grpc-js to one of the fixed versions appropriate to your release branch: 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, or 1.14.4 (see release notes such as https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.10.12 and the advisory at https://github.com/grpc/grpc-node/security/advisories/GHSA-5375-pq7m-f5r2). The maintainers explicitly state there is no workaround, so patching is mandatory; as compensating controls until the upgrade can be rolled out, restrict network reachability of gRPC ports (typically 50051 or whatever ports your services bind) to known client CIDRs via firewall or service mesh policy, place the server behind an HTTP/2-aware reverse proxy or API gateway that validates stream initiation frames before forwarding, and ensure a process supervisor (systemd, Kubernetes liveness probe, PM2) immediately restarts the Node process on crash to limit downtime - accepting that this still leaves a trivially-triggered DoS window with each malformed packet.
Same weakness CWE-248 – Uncaught Exception
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44405
GHSA-5375-pq7m-f5r2