@grpc/grps-js implements the core functionality of gRPC purely in JavaScript, without a C++ addon. Prior to 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, and 1.14.4, an invalid incoming compressed message can cause a client or server process that uses @grpc/grpc-js to crash. This issue is fixed in versions 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, and 1.14.4.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/48xxx/CVE-2026-48069.json",
"cwe_ids": [
"CWE-248"
],
"cna_assigner": "GitHub_M"
}{
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "1.9.16"
},
{
"introduced": "1.10.0"
},
{
"fixed": "1.10.12"
},
{
"introduced": "1.11.0"
},
{
"fixed": "1.11.4"
},
{
"introduced": "1.12.0"
},
{
"fixed": "1.12.7"
},
{
"introduced": "1.13.0"
},
{
"fixed": "1.13.5"
},
{
"introduced": "1.14.0"
},
{
"fixed": "1.14.4"
}
],
"source": [
"AFFECTED_FIELD",
"REFERENCES"
]
}