CVE-2026-48069
@grpc/grps-js implements the core functionality of gRPC purely in JavaScript, without a C++ addon. Prior to 1.9.16, 1.10.12, 1.11.4, 1.12.7,
CVSS
7.5
Alto
EPSS
0.6%
p46
KEV
—
Exploit Today
14
0-100
Publicado: 14 jul 2026 · Última mod.: 15 jul 2026 · CWE-248
0.6%EPSS · 30 días0.6%
2026-07-152026-07-16
@grpc/grps-js implements the core functionality of gRPC purely in JavaScript, without a C++ addon. Prior to 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, and 1.14.4, an invalid incoming compressed message can cause a client or server process that uses @grpc/grpc-js to crash. This issue is fixed in versions 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, and 1.14.4.
- github.comhttps://github.com/grpc/grpc-node/commit/2375eadcc52ca2b1ef55288bcd6355168b02706c
- github.comhttps://github.com/grpc/grpc-node/commit/2fe55fd76a8bb59eaab5f39e3552b5f84985a163
- github.comhttps://github.com/grpc/grpc-node/commit/4091bd902105f8fb655741758aee71418c48b5d5
- github.comhttps://github.com/grpc/grpc-node/commit/b3f16094473b5c8f38b0955eafa4a19507127346
- github.comhttps://github.com/grpc/grpc-node/commit/b61c4d65953db85c2ae55b4b3cd98a4259dc87cb
- github.comhttps://github.com/grpc/grpc-node/commit/b6dcfc3cee9ef390e5869ebea5a8c5ae187720b9
- github.comhttps://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.10.12
- github.comhttps://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.11.4
- github.comhttps://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.12.7
- github.comhttps://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.13.5
- github.comhttps://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.14.4
- github.comhttps://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.9.16
- github.comhttps://github.com/grpc/grpc-node/security/advisories/GHSA-99f4-grh7-6pcq
CVECVSSEPSSKEVRExplotTítuloVis.
CVE-2025-594657.5 ALT88.7%
——27A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example:
```
server.on('secureConnection', socket => {
socket.on('error', err => {
console.log(err)
})
})
```2dCVE-2026-503287.5 ALT64.8%
——19Uncaught exception in Windows Server Update Service allows an unauthorized attacker to perform tampering over a network.2dCVE-2026-22297.5 ALT54.9%
——16ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination.
The vulnerability exists because:
* The isValidClientWindowBits() function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15
* The createInflateRaw() call is not wrapped in a try-catch block
* The resulting exception propagates up through the call stack and crashes the Node.js process2dCVE-2026-349867.5 ALT47.1%
——14Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. This vulnerability is fixed in 4.1.4 and 3.0.5.15hCVE-2026-480687.5 ALT45.9%
——14@grpc/grps-js implements the core functionality of gRPC purely in JavaScript, without a C++ addon. Prior to 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, and 1.14.4, an invalid incoming HTTP/2 stream initiation can cause a server process created using @grpc/grpc-js to crash. This issue is fixed in versions 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, and 1.14.4.1dCVE-2026-339397.5 ALT45.5%
——14Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, when a Handlebars template contains decorator syntax referencing an unregistered decorator (e.g. `{{*n}}`), the compiled template calls `lookupProperty(decorators, "n")`, which returns `undefined`. The runtime then immediately invokes the result as a function, causing an unhandled `TypeError: ... is not a function` that crashes the Node.js process. Any application that compiles user-supplied templates without wrapping the call in a `try/catch` is vulnerable to a single-request Denial of Service. Version 4.7.9 fixes the issue. Some workarounds are available. Wrap compilation and rendering in `try/catch`. Validate template input before passing it to `compile()`; reject templates containing decorator syntax (`{{*...}}`) if decorators are not used in your application. Use the pre-compilation workflow; compile templates at build time and serve only pre-compiled templates; do not call `compile()` at request time.2d