VYPR
Severity: High (7.5) · GHSA Advisory · Published Jun 11, 2026 · Updated Jun 11, 2026

@grpc/grpc-js: An incoming malformed compressed message can cause a client or server crash

CVE-2026-48069

Description

An invalid compressed message can crash any @grpc/grpc-js client or server; fixed in multiple versions up to 1.14.4.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

An invalid incoming compressed message can cause a client or server process to crash when processed by the @grpc/grpc-js library. All versions prior to the fixes listed below are affected. The vulnerability is present in the message decompression handling code and is triggered upon receipt of a specially crafted compressed message.

Exploitation

An attacker does not require any special credentials — they only need to be able to send network messages to a gRPC endpoint that uses an affected version of @grpc/grpc-js. Sending an invalid compressed message that triggers a crash during decompression is sufficient to cause a denial-of-service condition.

Impact

Successful exploitation results in a denial of service — the victim client or server process crashes. No code execution or data exfiltration is described in the available references. The impact is limited to availability (the A of the CIA triad). Because the crash takes down the whole process, the gRPC service is unavailable until it is restarted.

Mitigation

No workaround is available [1][2][3][4]. The vulnerability is fixed in @grpc/grpc-js versions 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, and 1.14.4. Users should update to the nearest fixed version for their release track.
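The fixed-version list above, turned into a check that can be run against the @grpc/grpc-js version actually installed. This is an added example, not code from the advisory or from the grpc-js project; it assumes plain x.y.z version strings (such as the `version` field of node_modules/@grpc/grpc-js/package.json) and treats anything at or above 1.14.4 as carrying the fix.

```javascript
// Added example, not from the advisory or the grpc-js project: map an installed
// @grpc/grpc-js version onto the fixed release list for CVE-2026-48069.
// Assumes plain x.y.z version strings; a leading "v" is accepted and trailing text is ignored.
const FIXED_VERSIONS = ['1.9.16', '1.10.12', '1.11.4', '1.12.7', '1.13.5', '1.14.4'];

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not an x.y.z version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Returns { installed, affected, fixedIn, advice } for one installed version.
function assessGrpcJs(installed) {
  const inst = parseVersion(installed);
  const fixed = FIXED_VERSIONS.map(parseVersion);
  const latest = fixed[fixed.length - 1];
  const fmt = (v) => v.join('.');
  // Case 1: the advisory lists a fixed release on the installed major.minor track.
  const track = fixed.find((f) => f[0] === inst[0] && f[1] === inst[1]);
  if (track) {
    const affected = compareVersions(inst, track) < 0;
    return { installed, affected, fixedIn: fmt(track),
      advice: affected ? `upgrade to ${fmt(track)} or later on the ${inst[0]}.${inst[1]} track` : 'already fixed' };
  }
  // Case 2: newer than the newest fixed release, so it already carries the fix.
  if (compareVersions(inst, latest) >= 0) {
    return { installed, affected: false, fixedIn: fmt(latest), advice: 'newer than the latest fixed release' };
  }
  // Case 3: an older track with no fixed release (e.g. 1.8.x): move to the nearest fixed track.
  const next = fixed.find((f) => compareVersions(f, inst) > 0);
  return { installed, affected: true, fixedIn: fmt(next),
    advice: `no fixed release on the ${inst[0]}.${inst[1]} track; upgrade to ${fmt(next)} or later` };
}

// Usage: node check.js "$(node -p "require('@grpc/grpc-js/package.json').version")"
if (typeof require !== 'undefined' && require.main === module) {
  const v = process.argv[2] || '1.14.3'; // constructed default for a stand-alone run
  console.log(JSON.stringify(assessGrpcJs(v), null, 2));
}
```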

AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context is available for this CVE. Mechanics are only generated when we can read the actual fix diff; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 8

News mentions: 0 (no linked articles in our index yet)