Threat Advisory

Multiple @grpc/grpc-js Vulnerabilities Cause Process Termination

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in the @grpc/grpc-js Node.js gRPC library, affecting all versions prior to 1.9.16 and specific ranges of the later release lines up to 1.14.3. The issues manifest as denial‑of‑service conditions: a malformed HTTP/2 stream initiation can crash a server, and a malformed compressed message can crash both client and server processes. These flaws allow an unauthenticated remote attacker to send crafted gRPC traffic that forces the target application to terminate unexpectedly. The business risk includes service outages, loss of availability, and potential breach of service‑level agreements, leading to reputational damage and financial impact.

  • CVE-2026-48068 with a CVSS score of 7.5 – A crafted HTTP/2 stream initiation can trigger an out‑of‑bounds condition that crashes the server process; an unauthenticated attacker only needs network access to the vulnerable gRPC endpoint.
  • CVE-2026-48069 with a CVSS score of 7.5 – A specially crafted compressed gRPC message can cause the client or server process to abort; exploitation requires the ability to send malformed compressed payloads, which does not require prior authentication.

Both vulnerabilities enable denial‑of‑service attacks that can bring critical services offline with minimal effort. Organizations should treat these findings as high priority because unplanned outages can breach SLAs, erode customer trust, and incur direct revenue loss. Immediate attention is required to prevent service disruption.

RECOMMENDATION:

  • We recommend updating npm/@grpc/grpc-js to the patched release for your release line: 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, or 1.14.4.
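As an added example that is not part of this advisory, the following Node.js script checks the @grpc/grpc-js versions recorded in a package-lock.json (including nested copies pulled in by other dependencies) against the patched releases listed above. The lockfile fragment is constructed for illustration.

```javascript
// Added example (not from the advisory): report @grpc/grpc-js installs that are
// below the patched release for their 1.x minor line, as listed in the advisory.
const FIXED_BY_MINOR = { 9: 16, 10: 12, 11: 4, 12: 7, 13: 5, 14: 4 };

// Parse "1.12.3" (optionally prefixed with "v", "^" or "~") into numeric parts.
function parseVersion(v) {
  const m = /^[v^~]?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

// Returns the patched version to upgrade to, or null if the version is not affected.
function requiredFix(version) {
  const { major, minor, patch } = parseVersion(version);
  if (major > 1) return null;                    // only 1.x lines are listed as affected
  if (major < 1 || minor < 9) return '1.9.16';   // everything before 1.9.16 is affected
  const fixedPatch = FIXED_BY_MINOR[minor];
  if (fixedPatch === undefined) return null;     // 1.15+ is not listed as affected
  return patch < fixedPatch ? `1.${minor}.${fixedPatch}` : null;
}

// Walk the "packages" map of a lockfile (lockfileVersion 2/3) and collect affected
// copies, e.g. node_modules/some-sdk/node_modules/@grpc/grpc-js.
function findVulnerableGrpc(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith('node_modules/@grpc/grpc-js') || !meta.version) continue;
    const fix = requiredFix(meta.version);
    if (fix) hits.push({ path, installed: meta.version, upgradeTo: fix });
  }
  return hits;
}

// Constructed sample lockfile fragment (not taken from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/@grpc/grpc-js': { version: '1.12.3' },
    'node_modules/some-sdk/node_modules/@grpc/grpc-js': { version: '1.9.16' },
    'node_modules/other-sdk/node_modules/@grpc/grpc-js': { version: '1.8.22' },
  },
};

console.log(JSON.stringify(findVulnerableGrpc(SAMPLE_LOCK), null, 2));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`.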

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-5375-pq7m-f5r2
https://github.com/advisories/GHSA-99f4-grh7-6pcq
