VYPR
High severity · CVSS 7.5 · GHSA Advisory · Published Jun 11, 2026 · Updated Jun 11, 2026

@grpc/grpc-js: A malformed request can cause a server crash

CVE-2026-48068

Description

An invalid HTTP/2 stream initiation in @grpc/grpc-js can crash server processes; all versions before patches in 1.9.16–1.14.4 are affected.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

The vulnerability resides in the HTTP/2 stream handling of the @grpc/grpc-js library. An attacker can send a specially crafted, invalid HTTP/2 stream initiation request that causes the server process to crash. All servers created using @grpc/grpc-js are affected. The following versions contain the fix: 1.9.16 [2], 1.10.12, 1.11.4 [1], 1.12.7 [4], 1.13.5, and 1.14.4 [3].

Exploitation

An attacker needs network access to the gRPC server and the ability to send HTTP/2 frames. No authentication or prior knowledge is required. By sending a malformed stream initiation (e.g., a HEADERS frame with invalid flags or stream identifier), the attacker triggers a crash in the server process. The exact sequence involves crafting an HTTP/2 frame that violates the protocol specification in a way that the library does not handle gracefully.

Impact

Successful exploitation results in a denial of service (DoS) by crashing the server process. The crash terminates all active connections and disrupts service availability. No data confidentiality or integrity is compromised, but the service becomes unavailable until restarted.

Mitigation

The vulnerability is patched in versions 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, and 1.14.4 [1][2][3][4]. Users should upgrade to one of these fixed versions immediately. No workaround is available. There is no indication that this CVE is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
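The fixed-version list above, turned into a per-minor-line check of an installed @grpc/grpc-js (an added example for this page, not code from the advisory or from the grpc-js project); it assumes that minor lines after 1.14 and any future 2.x already carry the fix, that lines before 1.9 were never patched, and that a pre-release tag on a fixed version (e.g. 1.14.4-pre1) still predates the fix:

```javascript
// Added example: does an installed @grpc/grpc-js version contain the fix for
// CVE-2026-48068? Uses the fixed versions listed in the advisory.
// Assumptions (not stated on the page): 1.15+ and 2.x postdate the fix,
// lines below 1.9 never received it, and "-pre" builds of a fixed version
// are still affected.

// First fixed patch release per 1.x minor line, from the advisory.
const FIXED_PATCH_BY_MINOR = { 9: 16, 10: 12, 11: 4, 12: 7, 13: 5, 14: 4 };

function parseVersion(v) {
  // Accept "1.11.3", "v1.11.3" and pre-release forms such as "1.14.4-pre1".
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

function isPatched(version) {
  const { major, minor, patch, pre } = parseVersion(version);
  if (major !== 1) return major > 1;          // 0.x predates the fix; 2.x assumed fixed
  if (minor < 9) return false;                // no patched release on these lines
  const fixedPatch = FIXED_PATCH_BY_MINOR[minor];
  if (fixedPatch === undefined) return true;  // 1.15+ assumed to postdate the fix
  if (patch !== fixedPatch) return patch > fixedPatch;
  return pre === null;                        // "1.14.4-pre1" sorts before "1.14.4"
}

// Resolve the version actually installed under node_modules (e.g. in a CI job).
function checkInstalled() {
  const { version } = require("@grpc/grpc-js/package.json");
  return { version, patched: isPatched(version) };
}

// Constructed sample inputs covering each branch of the check.
for (const v of ["1.9.15", "1.9.16", "1.11.3", "1.12.7", "1.14.4-pre1", "1.15.0"]) {
  console.log(`${v.padEnd(12)} ${isPatched(v) ? "patched" : "AFFECTED"}`);
}
```

Call `checkInstalled()` from the project root to get the verdict for the dependency that is really resolved, which may differ from the range in package.json.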
