GHSA-5375-pq7m-f5r2HighCVSS 7.5

@grpc/grpc-js: A malformed request can cause a server crash

Published
June 11, 2026
Last Modified
June 11, 2026

🔗 CVE IDs covered (1)

📋 Description

Impact

An invalid incoming HTTP/2 stream initiation can cause a server process to crash. This affects all servers created using @grpc/grpc-js.

Patches

The following version have fixes for this vulnerability:

  • 1.9.16
  • 1.10.12
  • 1.11.4
  • 1.12.7
  • 1.13.5
  • 1.14.4

Workarounds

There is no workaround.

🎯 Affected products6

  • npm/@grpc/grpc-js:< 1.9.16
  • npm/@grpc/grpc-js:>= 1.10.0, < 1.10.12
  • npm/@grpc/grpc-js:>= 1.11.0, < 1.11.4
  • npm/@grpc/grpc-js:>= 1.12.0, < 1.12.7
  • npm/@grpc/grpc-js:>= 1.13.0, < 1.13.5
  • npm/@grpc/grpc-js:>= 1.14.0, < 1.14.4

🔗 References (8)