{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "extracted_events": [
              {
                "introduced": "0"
              },
              {
                "fixed": "1.9.16"
              },
              {
                "introduced": "1.10.0"
              },
              {
                "fixed": "1.10.12"
              },
              {
                "introduced": "1.11.0"
              },
              {
                "fixed": "1.11.4"
              },
              {
                "introduced": "1.12.0"
              },
              {
                "fixed": "1.12.7"
              },
              {
                "introduced": "1.13.0"
              },
              {
                "fixed": "1.13.5"
              },
              {
                "introduced": "1.14.0"
              },
              {
                "fixed": "1.14.4"
              }
            ],
            "source": [
              "AFFECTED_FIELD",
              "REFERENCES"
            ]
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "introduced": "190a72ecd09de91013137b67d8e9e1d6da2eb7c8"
            },
            {
              "introduced": "1b9b9897e34f1000ba5d2eba13a2193e2f6e696e"
            },
            {
              "introduced": "8d6b590adc8d027487bb72264751de2e27fab4cb"
            },
            {
              "introduced": "b003f82776e1839e568f40779df6f7cc9a77c8ba"
            },
            {
              "introduced": "7db315d094b737f105fd7265dd69ab6d2a7bb2a1"
            },
            {
              "fixed": "0acbec32a4fd6ca25b9135dfec3c03c8cafbbe25"
            },
            {
              "fixed": "2c99fbddc969c3f377297d400e7b5a320e5c5de2"
            },
            {
              "fixed": "3f6b0e3a3d301c0e9f6783023e8701e6bcccd794"
            },
            {
              "fixed": "49f700b8c3c875021c2862967349becc3e1769a0"
            },
            {
              "fixed": "d646ccd967b3e927f0ceb9291916049d8b1d3346"
            },
            {
              "fixed": "a380735ba9b0351214f2faa578350a559dd486ff"
            },
            {
              "fixed": "2375eadcc52ca2b1ef55288bcd6355168b02706c"
            },
            {
              "fixed": "2fe55fd76a8bb59eaab5f39e3552b5f84985a163"
            },
            {
              "fixed": "4091bd902105f8fb655741758aee71418c48b5d5"
            },
            {
              "fixed": "b3f16094473b5c8f38b0955eafa4a19507127346"
            },
            {
              "fixed": "b61c4d65953db85c2ae55b4b3cd98a4259dc87cb"
            },
            {
              "fixed": "b6dcfc3cee9ef390e5869ebea5a8c5ae187720b9"
            }
          ],
          "repo": "https://github.com/grpc/grpc-node",
          "type": "GIT"
        }
      ]
    }
  ],
  "aliases": [
    "GHSA-99f4-grh7-6pcq"
  ],
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
      "CWE-248"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/48xxx/CVE-2026-48069.json"
  },
  "details": "@grpc/grps-js implements the core functionality of gRPC purely in JavaScript, without a C++ addon. Prior to 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, and 1.14.4, an invalid incoming compressed message can cause a client or server process that uses @grpc/grpc-js to crash. This issue is fixed in versions 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, and 1.14.4.",
  "id": "CVE-2026-48069",
  "modified": "2026-07-17T03:41:58.419117529Z",
  "published": "2026-07-14T19:42:32.883Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.10.12"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.11.4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.12.7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.13.5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.14.4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.9.16"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/48xxx/CVE-2026-48069.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/grpc/grpc-node/security/advisories/GHSA-99f4-grh7-6pcq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48069"
    },
    {
      "type": "FIX",
      "url": "https://github.com/grpc/grpc-node/commit/2375eadcc52ca2b1ef55288bcd6355168b02706c"
    },
    {
      "type": "FIX",
      "url": "https://github.com/grpc/grpc-node/commit/2fe55fd76a8bb59eaab5f39e3552b5f84985a163"
    },
    {
      "type": "FIX",
      "url": "https://github.com/grpc/grpc-node/commit/4091bd902105f8fb655741758aee71418c48b5d5"
    },
    {
      "type": "FIX",
      "url": "https://github.com/grpc/grpc-node/commit/b3f16094473b5c8f38b0955eafa4a19507127346"
    },
    {
      "type": "FIX",
      "url": "https://github.com/grpc/grpc-node/commit/b61c4d65953db85c2ae55b4b3cd98a4259dc87cb"
    },
    {
      "type": "FIX",
      "url": "https://github.com/grpc/grpc-node/commit/b6dcfc3cee9ef390e5869ebea5a8c5ae187720b9"
    }
  ],
  "schema_version": "1.8.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@grpc/grps-js: An incoming malformed compressed message can cause a client or server crash"
}