Home

Description

@grpc/grps-js implements the core functionality of gRPC purely in JavaScript, without a C++ addon. Prior to 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, and 1.14.4, an invalid incoming HTTP/2 stream initiation can cause a server process created using @grpc/grpc-js to crash. This issue is fixed in versions 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, and 1.14.4.

PUBLISHED Reserved 2026-05-20 | Published 2026-07-14 | Updated 2026-07-14 | Assigner GitHub_M




HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem types

CWE-248: Uncaught Exception

Product status

< 1.9.16
affected

>= 1.11.0, < 1.11.4
affected

>= 1.12.0, < 1.12.7
affected

>= 1.13.0, < 1.13.5
affected

>= 1.14.0, < 1.14.4
affected

>= 1.10.0, < 1.10.12
affected

References

github.com/...c-node/security/advisories/GHSA-5375-pq7m-f5r2

github.com/...ommit/058665a6c6dae445e2ab0f3f6259164fac52ee17

github.com/...ommit/1cf4bfa738b15e59cc3daf49ffa24c04f9b626f7

github.com/...ommit/234f9172b2ff35e586ca7d4e788557aad5985668

github.com/...ommit/455efce8acb7fb249652a74c1618a6d7daf1faba

github.com/...ommit/b1b7268f7b81b92c6f03f5128dfd871c08aeb903

github.com/...ommit/e2c035aab2fe5e55d46d5fc427481497314a53a4

github.com/grpc/grpc-node/releases/tag/@grpc/grpc-js@1.10.12

github.com/grpc/grpc-node/releases/tag/@grpc/grpc-js@1.11.4

github.com/grpc/grpc-node/releases/tag/@grpc/grpc-js@1.12.7

github.com/grpc/grpc-node/releases/tag/@grpc/grpc-js@1.13.5

github.com/grpc/grpc-node/releases/tag/@grpc/grpc-js@1.14.4

github.com/grpc/grpc-node/releases/tag/@grpc/grpc-js@1.9.16

cve.org (CVE-2026-48068)

nvd.nist.gov (CVE-2026-48068)

Download JSON