Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Network-reachable gRPC endpoint, single malformed frame triggers crash with no auth or interaction; impact is availability-only with no confidentiality or integrity loss.
Primary rating from Vendor (https://github.com/grpc/grpc-node).
CVSS VectorVendor: https://github.com/grpc/grpc-node
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2Blast Radius
ecosystem impact- 17 npm packages depend on @grpc/grpc-js (11 direct, 6 indirect)
Ecosystem-wide dependent count for version 1.10.0.
DescriptionCVE.org
Impact
An invalid incoming compressed message can cause a client or server process to crash. This affects all clients and servers that use @grpc/grpc-js
Patches
The following version have fixes for this vulnerability:
- 1.9.16
- 1.10.12
- 1.11.4
- 1.12.7
- 1.13.5
- 1.14.4
Workarounds
There is no workaround.
AnalysisAI
Denial of service in the @grpc/grpc-js Node.js library allows remote attackers to crash any client or server process by sending an invalid compressed gRPC message. The flaw affects all versions prior to the fixed releases (1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, 1.14.4) and is exploitable over the network without authentication. No public exploit identified at time of analysis, and the vendor states there is no workaround other than upgrading.
Technical ContextAI
@grpc/grpc-js is the pure-JavaScript implementation of gRPC for Node.js, distributed via the npm package @grpc/grpc-js and widely embedded in microservice frameworks and serverless backends. The vulnerability falls under CWE-248 (Uncaught Exception): the decompression code path for incoming gRPC messages does not handle malformed compressed payloads safely, allowing an unhandled exception to propagate and terminate the Node.js process. Because gRPC bidirectional streams permit either party to send compressed frames, both client and server roles instantiated from this library are equally exposed.
RemediationAI
Vendor-released patch: upgrade @grpc/grpc-js to one of 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, or 1.14.4 depending on the minor line currently in use, as published in the release notes at https://github.com/grpc/grpc-node/releases (e.g. tag @grpc/grpc-js@1.10.12). The maintainer explicitly states there is no workaround, so transitive dependencies must also be bumped - audit with npm ls @grpc/grpc-js and override pinned versions via npm overrides or yarn resolutions where direct upgrades are blocked. As compensating controls until patching completes, restrict gRPC endpoints to authenticated peers via mTLS so only trusted clients can send frames (trade-off: does not protect against compromised or malicious internal clients), and front public gRPC services with a proxy such as Envoy that performs gRPC frame validation before forwarding (trade-off: adds latency and operational complexity and may not catch every malformed compression payload). Disabling gRPC compression negotiation on the server side may reduce exposure if your application can tolerate the bandwidth cost.
Same weakness CWE-248 – Uncaught Exception
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44409
GHSA-99f4-grh7-6pcq