{"id":"CVE-2026-48068","summary":"@grpc/grps-js: A malformed request can cause a server crash","details":"@grpc/grps-js implements the core functionality of gRPC purely in JavaScript, without a C++ addon. Prior to 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, and 1.14.4, an invalid incoming HTTP/2 stream initiation can cause a server process created using @grpc/grpc-js to crash. This issue is fixed in versions 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, and 1.14.4.","aliases":["GHSA-5375-pq7m-f5r2"],"modified":"2026-07-17T03:42:07.423343831Z","published":"2026-07-14T19:39:42.607Z","related":["CGA-r78v-2m6w-5437"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/48xxx/CVE-2026-48068.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-248"]},"references":[{"type":"WEB","url":"https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.10.12"},{"type":"WEB","url":"https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.11.4"},{"type":"WEB","url":"https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.12.7"},{"type":"WEB","url":"https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.13.5"},{"type":"WEB","url":"https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.14.4"},{"type":"WEB","url":"https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.9.16"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/48xxx/CVE-2026-48068.json"},{"type":"ADVISORY","url":"https://github.com/grpc/grpc-node/security/advisories/GHSA-5375-pq7m-f5r2"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-48068"},{"type":"FIX","url":"https://github.com/grpc/grpc-node/commit/058665a6c6dae445e2ab0f3f6259164fac52ee17"},{"type":"FIX","url":"https://github.com/grpc/grpc-node/commit/1cf4bfa738b15e59cc3daf49ffa24c04f9b626f7"},{"type":"FIX","url":"https://github.com/grpc/grpc-node/commit/234f9172b2ff35e586ca7d4e788557aad5985668"},{"type":"FIX","url":"https://github.com/grpc/grpc-node/commit/455efce8acb7fb249652a74c1618a6d7daf1faba"},{"type":"FIX","url":"https://github.com/grpc/grpc-node/commit/b1b7268f7b81b92c6f03f5128dfd871c08aeb903"},{"type":"FIX","url":"https://github.com/grpc/grpc-node/commit/e2c035aab2fe5e55d46d5fc427481497314a53a4"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/grpc/grpc-node","events":[{"introduced":"0"},{"introduced":"1b9b9897e34f1000ba5d2eba13a2193e2f6e696e"},{"introduced":"8d6b590adc8d027487bb72264751de2e27fab4cb"},{"introduced":"b003f82776e1839e568f40779df6f7cc9a77c8ba"},{"introduced":"7db315d094b737f105fd7265dd69ab6d2a7bb2a1"},{"introduced":"190a72ecd09de91013137b67d8e9e1d6da2eb7c8"},{"fixed":"0acbec32a4fd6ca25b9135dfec3c03c8cafbbe25"},{"fixed":"3f6b0e3a3d301c0e9f6783023e8701e6bcccd794"},{"fixed":"49f700b8c3c875021c2862967349becc3e1769a0"},{"fixed":"d646ccd967b3e927f0ceb9291916049d8b1d3346"},{"fixed":"a380735ba9b0351214f2faa578350a559dd486ff"},{"fixed":"2c99fbddc969c3f377297d400e7b5a320e5c5de2"},{"fixed":"058665a6c6dae445e2ab0f3f6259164fac52ee17"},{"fixed":"1cf4bfa738b15e59cc3daf49ffa24c04f9b626f7"},{"fixed":"234f9172b2ff35e586ca7d4e788557aad5985668"},{"fixed":"455efce8acb7fb249652a74c1618a6d7daf1faba"},{"fixed":"b1b7268f7b81b92c6f03f5128dfd871c08aeb903"},{"fixed":"e2c035aab2fe5e55d46d5fc427481497314a53a4"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"1.9.16"},{"introduced":"1.11.0"},{"fixed":"1.11.4"},{"introduced":"1.12.0"},{"fixed":"1.12.7"},{"introduced":"1.13.0"},{"fixed":"1.13.5"},{"introduced":"1.14.0"},{"fixed":"1.14.4"},{"introduced":"1.10.0"},{"fixed":"1.10.12"}],"source":["AFFECTED_FIELD","REFERENCES"]}}],"versions":["@grpc/grpc-js@1.14.3","@grpc/grpc-js@1.14.2","@grpc/grpc-js@1.14.1","@grpc/grpc-js@1.14.0","@grpc/grpc-js-xds@1.14.0","grpc-health-check@2.1.0","@grpc/grpc-js-xds@1.12.2","@grpc/grpc-js@1.13.4","@grpc/grpc-js@1.13.3","@grpc/proto-loader@0.7.15","@grpc/proto-loader@0.7.14","@grpc/grpc-js@1.13.2","@grpc/grpc-js@1.13.1","@grpc/grpc-js@1.13.0","@grpc/grpc-js-xds@1.13.0","grpc-tool@1.13.0","@grpc/grpc-js@1.12.6","@grpc/grpc-js-xds@1.12.1","@grpc/grpc-js@1.10.11","@grpc/grpc-js@1.12.5","@grpc/grpc-js@1.12.4","@grpc/grpc-js@1.12.3","@grpc/grpc-js@1.9.15","@grpc/grpc-js@1.11.3","@grpc/grpc-js@1.12.2","@grpc/grpc-js@1.12.1","@grpc/grpc-js@1.12.0","@grpc/grpc-js-xds@1.12.0","@grpc/grpc-js@1.11.2","@grpc/grpc-js@1.11.1","@grpc/grpc-js@1.11.0","@grpc/grpc-js-xds@1.11.0","@grpc/grpc-js@1.10.10","@grpc/reflection@1.0.3","@grpc/grpc-js@1.10.9","@grpc/grpc-js@1.10.8","@grpc/grpc-js@1.10.7","@grpc/grpc-js-xds@1.10.1","grpc-health-check@2.0.2","@grpc/reflection@1.0.4","@grpc/proto-loader@0.7.13","@grpc/grpc-js@1.9.14","@grpc/grpc-js@1.10.6","@grpc/grpc-js@1.10.5","@grpc/proto-loader@0.7.12","@grpc/proto-loader@0.7.11","@grpc/grpc-js@1.10.4","@grpc/grpc-js@1.10.3","@grpc/grpc-js@1.10.2","@grpc/reflection@1.0.2","@grpc/grpc-js@1.10.1","@grpc/grpc-js@1.10.0","@grpc/grpc-js-xds@1.10.0","grpc-health-check@2.0.1","@grpc/grpc-js@1.9.0","@grpc/grpc-js-xds@1.9.0","@grpc/grpc-js@1.9.13","@grpc/reflection@1.0.1","@grpc/reflection@1.0.0","@grpc/grpc-js@1.9.12","@grpc/grpc-js@1.9.11","@grpc/grpc-js@1.9.10","@grpc/grpc-js@1.9.9","@grpc/grpc-js@1.9.8","@grpc/grpc-js@1.9.7","@grpc/grpc-js@1.9.6","@grpc/grpc-js@1.9.5","@grpc/grpc-js@1.9.4","grpc-health-check@2.0.0","@grpc/grpc-js-xds@1.9.2","@grpc/grpc-js-xds@1.9.1","@grpc/proto-loader@0.7.10","@grpc/grpc-js@1.9.3","@grpc/grpc-js@1.9.2","@grpc/proto-loader@0.7.9","@grpc/grpc-js@1.9.1","@grpc/proto-loader@0.7.7","@grpc/proto-loader@0.7.6","@grpc/proto-loader@0.7.5","grpc-tools@1.12.4","grpc-tools@1.12.0","grpc-tools@1.12.3","@grpc/grpc-js@1.8.0","@grpc/grpc-js-xds@1.8.0","@grpc/proto-loader@0.7.4","grpc-tools@1.12.2","grpc-tools@1.12.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-48068.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}