Home

Description

@grpc/grps-js implements the core functionality of gRPC purely in JavaScript, without a C++ addon. Prior to 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, and 1.14.4, an invalid incoming compressed message can cause a client or server process that uses @grpc/grpc-js to crash. This issue is fixed in versions 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, and 1.14.4.

PUBLISHED Reserved 2026-05-20 | Published 2026-07-14 | Updated 2026-07-14 | Assigner GitHub_M




HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem types

CWE-248: Uncaught Exception

Product status

< 1.9.16
affected

>= 1.10.0, < 1.10.12
affected

>= 1.11.0, < 1.11.4
affected

>= 1.12.0, < 1.12.7
affected

>= 1.13.0, < 1.13.5
affected

>= 1.14.0, < 1.14.4
affected

References

github.com/...c-node/security/advisories/GHSA-99f4-grh7-6pcq

github.com/...ommit/2375eadcc52ca2b1ef55288bcd6355168b02706c

github.com/...ommit/2fe55fd76a8bb59eaab5f39e3552b5f84985a163

github.com/...ommit/4091bd902105f8fb655741758aee71418c48b5d5

github.com/...ommit/b3f16094473b5c8f38b0955eafa4a19507127346

github.com/...ommit/b61c4d65953db85c2ae55b4b3cd98a4259dc87cb

github.com/...ommit/b6dcfc3cee9ef390e5869ebea5a8c5ae187720b9

github.com/grpc/grpc-node/releases/tag/@grpc/grpc-js@1.10.12

github.com/grpc/grpc-node/releases/tag/@grpc/grpc-js@1.11.4

github.com/grpc/grpc-node/releases/tag/@grpc/grpc-js@1.12.7

github.com/grpc/grpc-node/releases/tag/@grpc/grpc-js@1.13.5

github.com/grpc/grpc-node/releases/tag/@grpc/grpc-js@1.14.4

github.com/grpc/grpc-node/releases/tag/@grpc/grpc-js@1.9.16

cve.org (CVE-2026-48069)

nvd.nist.gov (CVE-2026-48069)

Download JSON