@grpc/grpc-js: An incoming malformed compressed message can cause a client or server crash
An invalid incoming compressed message can cause a client or server process to crash. This affects all clients and servers that use @grpc/grpc-js
Advisories for Npm/@Grpc/Grpc-Js package
2026
@grpc/grpc-js: A malformed request can cause a server crash
An invalid incoming HTTP/2 stream initiation can cause a server process to crash. This affects all servers created using @grpc/grpc-js.
2024
@grpc/grpc-js can allocate memory for incoming messages well above configured limits
There are two separate code paths in which memory can be allocated per message in excess of the grpc.max_receive_message_length channel option: If an incoming message has a size on the wire greater than the configured limit, the entire message is buffered before it is discarded. If an incoming message has a size within the limit on the wire but decompresses to a size greater than the limit, the entire message …
2021
Improperly Controlled Modification of Dynamically-Determined Object Attributes
The package grpc ; the package @grpc/grpc-js are vulnerable to Prototype Pollution via loadPackageDefinition.