{"id":"CVE-2026-48069","summary":"@grpc/grps-js: An incoming malformed compressed message can cause a client or server crash","details":"@grpc/grps-js implements the core functionality of gRPC purely in JavaScript, without a C++ addon. Prior to 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, and 1.14.4, an invalid incoming compressed message can cause a client or server process that uses @grpc/grpc-js to crash. This issue is fixed in versions 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, and 1.14.4.","aliases":["GHSA-99f4-grh7-6pcq"],"modified":"2026-07-16T03:48:35.644979882Z","published":"2026-07-14T19:42:32.883Z","related":["CGA-w7p7-2rq5-8x24"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/48xxx/CVE-2026-48069.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-248"]},"references":[{"type":"WEB","url":"https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.10.12"},{"type":"WEB","url":"https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.11.4"},{"type":"WEB","url":"https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.12.7"},{"type":"WEB","url":"https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.13.5"},{"type":"WEB","url":"https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.14.4"},{"type":"WEB","url":"https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.9.16"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/48xxx/CVE-2026-48069.json"},{"type":"ADVISORY","url":"https://github.com/grpc/grpc-node/security/advisories/GHSA-99f4-grh7-6pcq"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-48069"},{"type":"FIX","url":"https://github.com/grpc/grpc-node/commit/2375eadcc52ca2b1ef55288bcd6355168b02706c"},{"type":"FIX","url":"https://github.com/grpc/grpc-node/commit/2fe55fd76a8bb59eaab5f39e3552b5f84985a163"},{"type":"FIX","url":"https://github.com/grpc/grpc-node/commit/4091bd902105f8fb655741758aee71418c48b5d5"},{"type":"FIX","url":"https://github.com/grpc/grpc-node/commit/b3f16094473b5c8f38b0955eafa4a19507127346"},{"type":"FIX","url":"https://github.com/grpc/grpc-node/commit/b61c4d65953db85c2ae55b4b3cd98a4259dc87cb"},{"type":"FIX","url":"https://github.com/grpc/grpc-node/commit/b6dcfc3cee9ef390e5869ebea5a8c5ae187720b9"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/grpc/grpc-node","events":[{"introduced":"0"},{"introduced":"190a72ecd09de91013137b67d8e9e1d6da2eb7c8"},{"introduced":"1b9b9897e34f1000ba5d2eba13a2193e2f6e696e"},{"introduced":"8d6b590adc8d027487bb72264751de2e27fab4cb"},{"introduced":"b003f82776e1839e568f40779df6f7cc9a77c8ba"},{"introduced":"7db315d094b737f105fd7265dd69ab6d2a7bb2a1"},{"fixed":"0acbec32a4fd6ca25b9135dfec3c03c8cafbbe25"},{"fixed":"2c99fbddc969c3f377297d400e7b5a320e5c5de2"},{"fixed":"3f6b0e3a3d301c0e9f6783023e8701e6bcccd794"},{"fixed":"49f700b8c3c875021c2862967349becc3e1769a0"},{"fixed":"d646ccd967b3e927f0ceb9291916049d8b1d3346"},{"fixed":"a380735ba9b0351214f2faa578350a559dd486ff"},{"fixed":"2375eadcc52ca2b1ef55288bcd6355168b02706c"},{"fixed":"2fe55fd76a8bb59eaab5f39e3552b5f84985a163"},{"fixed":"4091bd902105f8fb655741758aee71418c48b5d5"},{"fixed":"b3f16094473b5c8f38b0955eafa4a19507127346"},{"fixed":"b61c4d65953db85c2ae55b4b3cd98a4259dc87cb"},{"fixed":"b6dcfc3cee9ef390e5869ebea5a8c5ae187720b9"}],"database_specific":{"source":["AFFECTED_FIELD","REFERENCES"],"extracted_events":[{"introduced":"0"},{"fixed":"1.9.16"},{"introduced":"1.10.0"},{"fixed":"1.10.12"},{"introduced":"1.11.0"},{"fixed":"1.11.4"},{"introduced":"1.12.0"},{"fixed":"1.12.7"},{"introduced":"1.13.0"},{"fixed":"1.13.5"},{"introduced":"1.14.0"},{"fixed":"1.14.4"}]}}],"versions":["@grpc/grpc-js@1.14.3","@grpc/grpc-js@1.14.2","@grpc/grpc-js@1.14.1","@grpc/grpc-js@1.14.0","@grpc/grpc-js-xds@1.14.0","grpc-health-check@2.1.0","@grpc/grpc-js-xds@1.12.2","@grpc/grpc-js@1.13.4","@grpc/grpc-js@1.13.3","@grpc/proto-loader@0.7.15","@grpc/proto-loader@0.7.14","@grpc/grpc-js@1.13.2","@grpc/grpc-js@1.13.1","@grpc/grpc-js@1.13.0","@grpc/grpc-js-xds@1.13.0","grpc-tool@1.13.0","@grpc/grpc-js@1.12.6","@grpc/grpc-js-xds@1.12.1","@grpc/grpc-js@1.10.11","@grpc/grpc-js@1.12.5","@grpc/grpc-js@1.12.4","@grpc/grpc-js@1.12.3","@grpc/grpc-js@1.9.15","@grpc/grpc-js@1.11.3","@grpc/grpc-js@1.12.2","@grpc/grpc-js@1.12.1","@grpc/grpc-js@1.12.0","@grpc/grpc-js-xds@1.12.0","@grpc/grpc-js@1.11.2","@grpc/grpc-js@1.11.1","@grpc/grpc-js@1.11.0","@grpc/grpc-js-xds@1.11.0","@grpc/grpc-js@1.10.10","@grpc/reflection@1.0.3","@grpc/grpc-js@1.10.9","@grpc/grpc-js@1.10.8","@grpc/grpc-js@1.10.7","@grpc/grpc-js-xds@1.10.1","grpc-health-check@2.0.2","@grpc/reflection@1.0.4","@grpc/proto-loader@0.7.13","@grpc/grpc-js@1.9.14","@grpc/grpc-js@1.10.6","@grpc/grpc-js@1.10.5","@grpc/proto-loader@0.7.12","@grpc/proto-loader@0.7.11","@grpc/grpc-js@1.10.4","@grpc/grpc-js@1.10.3","@grpc/grpc-js@1.10.2","@grpc/reflection@1.0.2","@grpc/grpc-js@1.10.1","@grpc/grpc-js@1.10.0","@grpc/grpc-js-xds@1.10.0","grpc-health-check@2.0.1","@grpc/grpc-js@1.9.0","@grpc/grpc-js-xds@1.9.0","@grpc/grpc-js@1.9.13","@grpc/reflection@1.0.1","@grpc/reflection@1.0.0","@grpc/grpc-js@1.9.12","@grpc/grpc-js@1.9.11","@grpc/grpc-js@1.9.10","@grpc/grpc-js@1.9.9","@grpc/grpc-js@1.9.8","@grpc/grpc-js@1.9.7","@grpc/grpc-js@1.9.6","@grpc/grpc-js@1.9.5","@grpc/grpc-js@1.9.4","grpc-health-check@2.0.0","@grpc/grpc-js-xds@1.9.2","@grpc/grpc-js-xds@1.9.1","@grpc/proto-loader@0.7.10","@grpc/grpc-js@1.9.3","@grpc/grpc-js@1.9.2","@grpc/proto-loader@0.7.9","@grpc/grpc-js@1.9.1","@grpc/proto-loader@0.7.7","@grpc/proto-loader@0.7.6","@grpc/proto-loader@0.7.5","grpc-tools@1.12.4","grpc-tools@1.12.0","grpc-tools@1.12.3","@grpc/grpc-js@1.8.0","@grpc/grpc-js-xds@1.8.0","@grpc/proto-loader@0.7.4","grpc-tools@1.12.2","grpc-tools@1.12.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-48069.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}