CVE-2026-48068

Public on 2026-07-14
Modified on 2026-07-16
Description
A flaw was found in @grpc/grpc-js, a pure JavaScript gRPC client and server library. An invalid incoming HTTP/2 stream initiation can cause a server process to crash. This vulnerability affects all servers created using @grpc/grpc-js, and no workaround is available. An unauthenticated remote attacker can exploit this to cause a denial of service by sending a malformed HTTP/2 stream to a gRPC server.
Severity
Important severity
Important
See what this means
CVSS v3 Base Score
7.5
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 2023 grpc Not Affected

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H