Skip to main content

@grpc/grpc-js EUVDEUVD-2026-44405

| CVE-2026-48068 HIGH
Uncaught Exception (CWE-248)
2026-06-11 https://github.com/grpc/grpc-node GHSA-5375-pq7m-f5r2
7.5
CVSS 3.1 · Vendor: https://github.com/grpc/grpc-node
Share

Severity by source

Vendor (https://github.com/grpc/grpc-node) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Remote network reach, low complexity, no auth or user interaction needed; impact is process crash so availability-only with no confidentiality or integrity effect.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/grpc/grpc-node).

CVSS VectorVendor: https://github.com/grpc/grpc-node

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 11, 2026 - 13:55 vuln.today
Analysis Generated
Jun 11, 2026 - 13:55 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 17 npm packages depend on @grpc/grpc-js (11 direct, 6 indirect)

Ecosystem-wide dependent count for version 1.10.0.

DescriptionCVE.org

Impact

An invalid incoming HTTP/2 stream initiation can cause a server process to crash. This affects all servers created using @grpc/grpc-js.

Patches

The following version have fixes for this vulnerability:

  • 1.9.16
  • 1.10.12
  • 1.11.4
  • 1.12.7
  • 1.13.5
  • 1.14.4

Workarounds

There is no workaround.

AnalysisAI

Remote denial of service in @grpc/grpc-js (the official gRPC library for Node.js) allows unauthenticated network attackers to crash any server process by sending a malformed HTTP/2 stream initiation frame. The flaw stems from an uncaught exception (CWE-248) triggered during stream setup, affecting all server applications built on this widely-used npm package across multiple release branches (1.9.x through 1.14.x). No public exploit identified at time of analysis, but the trivial attack complexity and absence of any workaround make patching the only mitigation.

Technical ContextAI

The @grpc/grpc-js package is the pure-JavaScript implementation of gRPC for Node.js, distributed via npm as @grpc/grpc-js and used by a large portion of the Node ecosystem for microservice RPC. gRPC layers on top of HTTP/2, and this vulnerability lives in the server-side HTTP/2 stream initiation path: when an invalid frame opens a new stream, the resulting error propagates uncaught and terminates the Node.js process. This is a textbook CWE-248 (Uncaught Exception) issue, which in Node is especially severe because an unhandled exception in an HTTP/2 callback bypasses normal request-scoped error handling and crashes the entire event loop, taking down every concurrent connection on that server.

RemediationAI

Vendor-released patches are available; upgrade @grpc/grpc-js to one of the fixed versions appropriate to your release branch: 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, or 1.14.4 (see release notes such as https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.10.12 and the advisory at https://github.com/grpc/grpc-node/security/advisories/GHSA-5375-pq7m-f5r2). The maintainers explicitly state there is no workaround, so patching is mandatory; as compensating controls until the upgrade can be rolled out, restrict network reachability of gRPC ports (typically 50051 or whatever ports your services bind) to known client CIDRs via firewall or service mesh policy, place the server behind an HTTP/2-aware reverse proxy or API gateway that validates stream initiation frames before forwarding, and ensure a process supervisor (systemd, Kubernetes liveness probe, PM2) immediately restarts the Node process on crash to limit downtime - accepting that this still leaves a trivially-triggered DoS window with each malformed packet.

Share

EUVD-2026-44405 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy