CVE-2026-48069

Public on 2026-07-14
Modified on 2026-07-16
Description
A flaw was found in @grpc/grpc-js, a pure JavaScript gRPC client and server library. An invalid incoming compressed message can cause a client or server process to crash. This vulnerability affects all clients and servers that use @grpc/grpc-js, and no workaround is available. An unauthenticated remote attacker can exploit this to cause a denial of service by sending a malformed compressed message over a gRPC connection.
Severity
Important severity
Important
See what this means
CVSS v3 Base Score
7.5
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 2023 grpc Not Affected

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H