{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "extracted_events": [
              {
                "introduced": "0"
              },
              {
                "fixed": "1.9.16"
              },
              {
                "introduced": "1.11.0"
              },
              {
                "fixed": "1.11.4"
              },
              {
                "introduced": "1.12.0"
              },
              {
                "fixed": "1.12.7"
              },
              {
                "introduced": "1.13.0"
              },
              {
                "fixed": "1.13.5"
              },
              {
                "introduced": "1.14.0"
              },
              {
                "fixed": "1.14.4"
              },
              {
                "introduced": "1.10.0"
              },
              {
                "fixed": "1.10.12"
              }
            ],
            "source": [
              "AFFECTED_FIELD",
              "REFERENCES"
            ]
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "introduced": "1b9b9897e34f1000ba5d2eba13a2193e2f6e696e"
            },
            {
              "introduced": "8d6b590adc8d027487bb72264751de2e27fab4cb"
            },
            {
              "introduced": "b003f82776e1839e568f40779df6f7cc9a77c8ba"
            },
            {
              "introduced": "7db315d094b737f105fd7265dd69ab6d2a7bb2a1"
            },
            {
              "introduced": "190a72ecd09de91013137b67d8e9e1d6da2eb7c8"
            },
            {
              "fixed": "0acbec32a4fd6ca25b9135dfec3c03c8cafbbe25"
            },
            {
              "fixed": "3f6b0e3a3d301c0e9f6783023e8701e6bcccd794"
            },
            {
              "fixed": "49f700b8c3c875021c2862967349becc3e1769a0"
            },
            {
              "fixed": "d646ccd967b3e927f0ceb9291916049d8b1d3346"
            },
            {
              "fixed": "a380735ba9b0351214f2faa578350a559dd486ff"
            },
            {
              "fixed": "2c99fbddc969c3f377297d400e7b5a320e5c5de2"
            },
            {
              "fixed": "058665a6c6dae445e2ab0f3f6259164fac52ee17"
            },
            {
              "fixed": "1cf4bfa738b15e59cc3daf49ffa24c04f9b626f7"
            },
            {
              "fixed": "234f9172b2ff35e586ca7d4e788557aad5985668"
            },
            {
              "fixed": "455efce8acb7fb249652a74c1618a6d7daf1faba"
            },
            {
              "fixed": "b1b7268f7b81b92c6f03f5128dfd871c08aeb903"
            },
            {
              "fixed": "e2c035aab2fe5e55d46d5fc427481497314a53a4"
            }
          ],
          "repo": "https://github.com/grpc/grpc-node",
          "type": "GIT"
        }
      ]
    }
  ],
  "aliases": [
    "GHSA-5375-pq7m-f5r2"
  ],
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
      "CWE-248"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/48xxx/CVE-2026-48068.json"
  },
  "details": "@grpc/grps-js implements the core functionality of gRPC purely in JavaScript, without a C++ addon. Prior to 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, and 1.14.4, an invalid incoming HTTP/2 stream initiation can cause a server process created using @grpc/grpc-js to crash. This issue is fixed in versions 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, and 1.14.4.",
  "id": "CVE-2026-48068",
  "modified": "2026-07-17T03:42:07.423343831Z",
  "published": "2026-07-14T19:39:42.607Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.10.12"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.11.4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.12.7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.13.5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.14.4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.9.16"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/48xxx/CVE-2026-48068.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/grpc/grpc-node/security/advisories/GHSA-5375-pq7m-f5r2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48068"
    },
    {
      "type": "FIX",
      "url": "https://github.com/grpc/grpc-node/commit/058665a6c6dae445e2ab0f3f6259164fac52ee17"
    },
    {
      "type": "FIX",
      "url": "https://github.com/grpc/grpc-node/commit/1cf4bfa738b15e59cc3daf49ffa24c04f9b626f7"
    },
    {
      "type": "FIX",
      "url": "https://github.com/grpc/grpc-node/commit/234f9172b2ff35e586ca7d4e788557aad5985668"
    },
    {
      "type": "FIX",
      "url": "https://github.com/grpc/grpc-node/commit/455efce8acb7fb249652a74c1618a6d7daf1faba"
    },
    {
      "type": "FIX",
      "url": "https://github.com/grpc/grpc-node/commit/b1b7268f7b81b92c6f03f5128dfd871c08aeb903"
    },
    {
      "type": "FIX",
      "url": "https://github.com/grpc/grpc-node/commit/e2c035aab2fe5e55d46d5fc427481497314a53a4"
    }
  ],
  "schema_version": "1.8.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@grpc/grps-js: A malformed request can cause a server crash"
}