CVE-2026-48069 - grpc-js malformed compressed message crash
@grpc/grpc-js had a denial-of-service issue where an invalid incoming
compressed message could crash either a client or server process. Unlike
CVE-2026-48068, this one is not server-only: any runtime that accepts
compressed gRPC messages on vulnerable branches can terminate.
There is no documented workaround beyond upgrading to a fixed branch release.
When to use it
- A Node service, worker, CLI, SDK, or gateway resolves a vulnerable
@grpc/grpc-jsbranch. - The repository ships gRPC clients, servers, or both, especially where compressed messages cross service, tenant, partner, or agent boundaries.
- Container images, vendor bundles, or generated dependency reports may lag behind package manifest updates.
- You need a bounded PR or triage note that upgrades every affected branch and documents runtime scope.
Inputs
- Node manifests, lockfiles, workspaces, package overrides, Dockerfiles, SBOMs, deployment manifests, vendor bundles, and generated dependency reports.
- gRPC client/server inventory, compression settings, peer trust boundaries, and runtime ownership.
- Available install, tests, startup checks, builds, image builds, deployment render, SBOM, and dependency/security scan commands.
Affected versions
- Vulnerable:
<1.9.16,>=1.10.0 <1.10.12,>=1.11.0 <1.11.4,>=1.12.0 <1.12.7,>=1.13.0 <1.13.5,>=1.14.0 <1.14.4 - Fixed:
1.9.16,1.10.12,1.11.4,1.12.7,1.13.5,1.14.4 - Affected surface: Node gRPC clients and servers using
@grpc/grpc-js
Indicator-of-exposure
- The repository depends on a vulnerable
@grpc/grpc-jsbranch. - It ships gRPC clients or servers that negotiate or accept compressed messages.
- Services are reachable by less-trusted peers, third-party integrations, or internal multitenant traffic.
Quick checks:
rg -n "@grpc/grpc-js|compression|grpc-encoding|grpc-accept-encoding|Server\\(|makeClientConstructor" .
npm ls @grpc/grpc-js
pnpm why @grpc/grpc-js
Windows:
rg -n "@grpc/grpc-js|compression|grpc-encoding|grpc-accept-encoding|Server\\(|makeClientConstructor" .
npm ls @grpc/grpc-js
pnpm why @grpc/grpc-js
Remediation strategy
- Upgrade every controlled
@grpc/grpc-jsruntime to a fixed branch release. - Refresh all locks, builds, images, and SBOMs that carry the dependency.
- Add dependency policy and tests so stale vulnerable branch releases cannot be reintroduced.
- Review both client and server deployments, not only server packages.
The prompt
Model context: this prompt was generated by GPT 5.5 Extra High reasoning.
You are remediating CVE-2026-48069 / GHSA-99f4-grh7-6pcq in `@grpc/grpc-js`.
Malformed compressed messages can crash vulnerable gRPC clients or servers.
Produce exactly one output:
- A reviewer-ready PR/change request that upgrades affected branches, refreshes
shipped artifacts, adds regression checks, and documents runtime scope, or
- TRIAGE.md if this repository does not control an affected gRPC runtime.
## Rules
- Scope only CVE-2026-48069 and directly related `@grpc/grpc-js` usage.
- Treat service credentials, production traffic, and traces as sensitive.
- Do not generate malformed compressed traffic against shared environments.
- Do not claim server-only remediation if the repository also ships clients.
- Do not auto-merge.
## Steps
1. Inventory every `@grpc/grpc-js` dependency, workspace, image, and deployment
target controlled by this repository.
2. Classify each runtime as client, server, or both, and note the resolved
branch version.
3. If the repository does not own an affected runtime, stop with `TRIAGE.md`
naming the owner and required fixed versions.
4. Upgrade each vulnerable branch to its fixed release and refresh locks,
builds, images, SBOMs, and dependency reports.
5. Add CI or policy checks that reject the vulnerable branch ranges.
6. Add safe regression coverage that checks the fixed version and successful
startup without sending malformed compressed messages.
7. Add a PR body section named `CVE-2026-48069 operator actions` covering:
- versions before and after;
- which clients and servers were in scope;
- which branch-specific fix was used;
- remaining external rollout targets;
- validation that passed.
8. Run available validation: dependency install, tests, builds, image builds,
deployment renders, and dependency/security scans.
9. Use PR title:
`fix(sec): remediate CVE-2026-48069 in grpc-js runtimes`.
## Stop conditions
- No affected gRPC client or server is controlled by this repository.
- The fixed release cannot be consumed without a broader runtime migration.
- Validation would require sending malformed compressed traffic to shared
environments.
- Validation fails for unrelated pre-existing reasons; document those failures.
Verification - what the reviewer looks for
- No controlled runtime resolves a vulnerable
@grpc/grpc-jsbranch. - Both client and server packages were evaluated where the dependency appears.
- CI or dependency policy prevents the vulnerable ranges from returning.
Output contract
- Reviewer-ready PR upgrading all controlled
@grpc/grpc-jsbranch releases to fixed versions and refreshing locks, builds, images, SBOMs, and reports. - CI or dependency policy checks that reject the vulnerable branch ranges.
- Operator notes naming affected clients and servers, branch-specific fixes, rollout targets, and validation commands.
TRIAGE.mdwhen the repository does not control the affected gRPC runtime or safe validation path.
Watch for
- Patching server code while CLI utilities, workers, or background clients still ship vulnerable versions.
- Assuming compression is irrelevant without checking default runtime behavior.
- Updating package manifests but not container images or vendor bundles.
Related recipes
- CVE-2026-48063 Baileys protocolMessage spoofing
- Vulnerable dependency remediation
- CVE intelligence intake gate
References
- GitHub Advisory: https://github.com/advisories/GHSA-99f4-grh7-6pcq
- Vendor advisory: https://github.com/grpc/grpc-node/security/advisories/GHSA-99f4-grh7-6pcq
- Fixed releases: https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.14.4