Skip to main content

@grpc/grpc-js CVE-2026-48069

| EUVDEUVD-2026-44409 HIGH
Uncaught Exception (CWE-248)
2026-06-11 https://github.com/grpc/grpc-node GHSA-99f4-grh7-6pcq
7.5
CVSS 3.1 · Vendor: https://github.com/grpc/grpc-node
Share

Severity by source

Vendor (https://github.com/grpc/grpc-node) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Network-reachable gRPC endpoint, single malformed frame triggers crash with no auth or interaction; impact is availability-only with no confidentiality or integrity loss.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/grpc/grpc-node).

CVSS VectorVendor: https://github.com/grpc/grpc-node

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 11, 2026 - 13:54 vuln.today
Analysis Generated
Jun 11, 2026 - 13:54 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 17 npm packages depend on @grpc/grpc-js (11 direct, 6 indirect)

Ecosystem-wide dependent count for version 1.10.0.

DescriptionCVE.org

Impact

An invalid incoming compressed message can cause a client or server process to crash. This affects all clients and servers that use @grpc/grpc-js

Patches

The following version have fixes for this vulnerability:

  • 1.9.16
  • 1.10.12
  • 1.11.4
  • 1.12.7
  • 1.13.5
  • 1.14.4

Workarounds

There is no workaround.

AnalysisAI

Denial of service in the @grpc/grpc-js Node.js library allows remote attackers to crash any client or server process by sending an invalid compressed gRPC message. The flaw affects all versions prior to the fixed releases (1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, 1.14.4) and is exploitable over the network without authentication. No public exploit identified at time of analysis, and the vendor states there is no workaround other than upgrading.

Technical ContextAI

@grpc/grpc-js is the pure-JavaScript implementation of gRPC for Node.js, distributed via the npm package @grpc/grpc-js and widely embedded in microservice frameworks and serverless backends. The vulnerability falls under CWE-248 (Uncaught Exception): the decompression code path for incoming gRPC messages does not handle malformed compressed payloads safely, allowing an unhandled exception to propagate and terminate the Node.js process. Because gRPC bidirectional streams permit either party to send compressed frames, both client and server roles instantiated from this library are equally exposed.

RemediationAI

Vendor-released patch: upgrade @grpc/grpc-js to one of 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, or 1.14.4 depending on the minor line currently in use, as published in the release notes at https://github.com/grpc/grpc-node/releases (e.g. tag @grpc/grpc-js@1.10.12). The maintainer explicitly states there is no workaround, so transitive dependencies must also be bumped - audit with npm ls @grpc/grpc-js and override pinned versions via npm overrides or yarn resolutions where direct upgrades are blocked. As compensating controls until patching completes, restrict gRPC endpoints to authenticated peers via mTLS so only trusted clients can send frames (trade-off: does not protect against compromised or malicious internal clients), and front public gRPC services with a proxy such as Envoy that performs gRPC frame validation before forwarding (trade-off: adds latency and operational complexity and may not catch every malformed compression payload). Disabling gRPC compression negotiation on the server side may reduce exposure if your application can tolerate the bandwidth cost.

Share

CVE-2026-48069 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy