CVE-2026-48069

Summary

@grpc/grps-js implements the core functionality of gRPC purely in JavaScript, without a C++ addon. Prior to 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, and 1.14.4, an invalid incoming compressed message can cause a client or server process that uses @grpc/grpc-js to crash. This issue is fixed in versions 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, and 1.14.4.

Affected Software

VendorProductVersion RangeStatus
grpcgrpc-node< 1.9.16affected
grpcgrpc-node>= 1.10.0, < 1.10.12affected
grpcgrpc-node>= 1.11.0, < 1.11.4affected
grpcgrpc-node>= 1.12.0, < 1.12.7affected
grpcgrpc-node>= 1.13.0, < 1.13.5affected
grpcgrpc-node>= 1.14.0, < 1.14.4affected

Weaknesses

  • CWE-248: CWE-248: Uncaught Exception

References