GHSA-99f4-grh7-6pcq

Source

https://github.com/advisories/GHSA-99f4-grh7-6pcq

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-99f4-grh7-6pcq/GHSA-99f4-grh7-6pcq.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-99f4-grh7-6pcq

Aliases

CVE-2026-48069

Downstream

MINI-4gvc-2vwp-722p

MINI-4jhq-m3gv-p8r4

MINI-6h3m-7mpm-gqhv

MINI-v4vm-cx8r-2qf5

Related

CGA-w7p7-2rq5-8x24

Published

2026-06-11T13:27:44Z

Modified

2026-06-12T06:14:22.725733339Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

@grpc/grpc-js: An incoming malformed compressed message can cause a client or server crash

Details

Impact

An invalid incoming compressed message can cause a client or server process to crash. This affects all clients and servers that use @grpc/grpc-js

Patches

The following version have fixes for this vulnerability:

1.9.16
1.10.12
1.11.4
1.12.7
1.13.5
1.14.4

Workarounds

There is no workaround.

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-248",
        "CWE-400"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-11T13:27:44Z"
}

References

Affected packages

npm

@grpc/grpc-js

Package

Name: @grpc/grpc-js; View open source insights on deps.dev
Purl: pkg:npm/%40grpc%2Fgrpc-js

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.9.16

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-99f4-grh7-6pcq/GHSA-99f4-grh7-6pcq.json"

@grpc/grpc-js

Package

Name: @grpc/grpc-js; View open source insights on deps.dev
Purl: pkg:npm/%40grpc%2Fgrpc-js

Affected ranges

Type: SEMVER
Events: Introduced

1.10.0

Fixed

1.10.12

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-99f4-grh7-6pcq/GHSA-99f4-grh7-6pcq.json"

@grpc/grpc-js

Package

Name: @grpc/grpc-js; View open source insights on deps.dev
Purl: pkg:npm/%40grpc%2Fgrpc-js

Affected ranges

Type: SEMVER
Events: Introduced

1.11.0

Fixed

1.11.4

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-99f4-grh7-6pcq/GHSA-99f4-grh7-6pcq.json"

@grpc/grpc-js

Package

Name: @grpc/grpc-js; View open source insights on deps.dev
Purl: pkg:npm/%40grpc%2Fgrpc-js

Affected ranges

Type: SEMVER
Events: Introduced

1.12.0

Fixed

1.12.7

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-99f4-grh7-6pcq/GHSA-99f4-grh7-6pcq.json"

@grpc/grpc-js

Package

Name: @grpc/grpc-js; View open source insights on deps.dev
Purl: pkg:npm/%40grpc%2Fgrpc-js

Affected ranges

Type: SEMVER
Events: Introduced

1.13.0

Fixed

1.13.5

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-99f4-grh7-6pcq/GHSA-99f4-grh7-6pcq.json"

@grpc/grpc-js

Package

Name: @grpc/grpc-js; View open source insights on deps.dev
Purl: pkg:npm/%40grpc%2Fgrpc-js

Affected ranges

Type: SEMVER
Events: Introduced

1.14.0

Fixed

1.14.4

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-99f4-grh7-6pcq/GHSA-99f4-grh7-6pcq.json"