CVE-2026-48068 - grpc-js malformed request server crash

@grpc/grpc-js had a denial-of-service issue where an invalid incoming HTTP/2 stream initiation could crash a server process. The flaw affects all Node gRPC servers on vulnerable branches and has no documented workaround beyond upgrading.

Because this is branch-based, the right fix is to move to the nearest patched release on the major/minor line you actually ship instead of assuming a single latest tag fits every deployment.

When to use it

Use this recipe when a Node.js service exposes a gRPC server using @grpc/grpc-js, especially internet-facing, partner-facing, or agent/tool control-plane APIs. It is aimed at source-code remediation, branch-aware dependency upgrades, malformed-request resilience, and audit evidence that invalid HTTP/2 stream initiation cannot crash the service process.

Inputs

  • @grpc/grpc-js version, package lockfiles, service inventory, exposed gRPC ports, load balancer/proxy settings, and runtime process manager.
  • Source/config paths for gRPC server startup, health checks, error handling, dependency constraints, and deployment images.
  • Non-exploit fixtures for fixed-version resolution, malformed-request handling in safe test environments, health recovery, and process supervision.
  • Boundary evidence: public/partner exposure, SLOs, crash telemetry, affected services, and rollout owner.

Affected versions

  • Vulnerable: <1.9.16, >=1.10.0 <1.10.12, >=1.11.0 <1.11.4, >=1.12.0 <1.12.7, >=1.13.0 <1.13.5, >=1.14.0 <1.14.4
  • Fixed: 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, 1.14.4
  • Affected surface: Node servers created with @grpc/grpc-js

Indicator-of-exposure

  • The repository depends on a vulnerable @grpc/grpc-js branch.
  • It runs Node gRPC servers reachable by other services, gateways, customers, or internet-adjacent traffic.
  • Process supervision restarts crashed services, masking repeated probe-driven availability loss.

Quick checks:

rg -n "@grpc/grpc-js|Server\\(|bindAsync|grpc\\.Server|proto-loader" .
npm ls @grpc/grpc-js
pnpm why @grpc/grpc-js

Windows:

rg -n "@grpc/grpc-js|Server\\(|bindAsync|grpc\\.Server|proto-loader" .
npm ls @grpc/grpc-js
pnpm why @grpc/grpc-js

Remediation strategy

  • Upgrade every controlled @grpc/grpc-js dependency to the patched release on its branch.
  • Rebuild images and refresh lockfiles anywhere gRPC servers are shipped.
  • Add tests or dependency policy that fail when vulnerable branch releases re-enter the tree.
  • Review exposed gRPC listeners, ingress, and internal mesh surfaces for stale deployments after the library bump.

The prompt

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

You are remediating CVE-2026-48068 / GHSA-5375-pq7m-f5r2 in `@grpc/grpc-js`.
Malformed HTTP/2 stream initiation can crash vulnerable Node gRPC servers.
Produce exactly one output:

- A reviewer-ready PR/change request that upgrades affected branches, refreshes
  shipped artifacts, adds regression checks, and documents rollout scope, or
- TRIAGE.md if this repository does not control an affected gRPC server.

## Rules

- Scope only CVE-2026-48068 and directly related gRPC server dependencies.
- Treat service credentials, production endpoints, and traffic captures as
  sensitive.
- Do not send malformed requests to production-like endpoints.
- Do not disable gRPC listeners as the only fix unless an approved emergency
  containment already exists.
- Do not auto-merge.

## Steps

1. Inventory every `@grpc/grpc-js` dependency, workspace, image, and deployment
   target owned by this repository.
2. Determine which targets run gRPC servers and which vulnerable branch each
   one resolves.
3. If the repository only contains gRPC clients or indirect transitive usage,
   stop with `TRIAGE.md` and identify the owning server package or platform.
4. Upgrade each affected branch to its fixed release and refresh lockfiles,
   builds, images, SBOMs, and generated dependency reports.
5. Add dependency or CI checks that reject vulnerable branch ranges.
6. Add safe regression coverage that validates fixed versions and server startup
   without generating malformed traffic.
7. Add a PR body section named `CVE-2026-48068 operator actions` covering:
   - versions before and after;
   - which services expose gRPC servers;
   - which branch-specific fix was applied where;
   - remaining rollout targets outside this repo;
   - validation that passed.
8. Run available validation: dependency install, tests, builds, container
   builds, deployment renders, and dependency/security scans.
9. Use PR title:
   `fix(sec): remediate CVE-2026-48068 in grpc-js servers`.

## Stop conditions

- No affected gRPC server is controlled by this repository.
- The fixed branch release cannot be consumed without a broader runtime
  migration; document the constraint instead of force-upgrading.
- Validation would require sending malformed traffic to shared environments.
- Validation fails for unrelated pre-existing reasons; document those failures.

Output contract

  • A reviewer-ready PR or change request that upgrades @grpc/grpc-js on the shipped branch, refreshes lockfiles/images, adds safe crash-resilience tests, and documents rollout.
  • Or a TRIAGE.md file that lists inspected files, owner, observed version, gRPC exposure, branch-fixed target, required fix, and residual risk.
  • The output must include exact validation commands and must not crash production services, fuzz live endpoints, or expose request/customer data.

Verification - what the reviewer looks for

  • No controlled server build resolves a vulnerable @grpc/grpc-js branch.
  • Builds, images, and lockfiles all point to the intended patched releases.
  • CI or dependency policy prevents vulnerable branch versions from returning.

Watch for

  • Bumping one workspace while another image or function still pins an older branch.
  • Mistaking a gRPC client-only package for full server exposure, or vice versa.
  • Emergency restarts hiding the continued availability impact of stale nodes.

References