AI description
CVE-2025-59689 is a command injection vulnerability affecting Libraesva Email Security Gateway (ESG) appliances. It stems from improper sanitization during the removal of active code from files within certain compressed archive formats. An attacker can exploit this vulnerability by sending a specially crafted email with a compressed attachment to a vulnerable Libraesva ESG appliance. When the appliance processes the attachment, malicious commands embedded within the compressed file are executed, allowing the attacker to run arbitrary shell commands as a non-privileged user.
- Description
- Uncontrolled recursion in the json2pb component in Apache bRPC (version < 1.15.0) on all platforms allows remote attackers to make the server crash via sending deep recursive json data.
  Root Cause: The bRPC json2pb component uses rapidjson to parse json data from the network. The rapidjson parser uses a recursive parsing method by default. If the input json has a large depth of recursive structure, the parser function may run into stack overflow.
  Affected Scenarios: Use bRPC server with protobuf message to serve http+json requests from untrusted network, or directly use JsonToProtoMessage to convert json from untrusted input.
  How to Fix (choose one of the following options):
  1. Upgrade bRPC to version 1.15.0, which fixes this issue.
  2. Apply this patch: https://github.com/apache/brpc/pull/3099
  Note: No matter which option you choose, you should know that the fix introduces a recursion depth limit with default value 100. It affects these functions: ProtoMessageToJson, ProtoMessageToProtoJson, JsonToProtoMessage, and ProtoJsonToProtoMessage. If your requests contain json or protobuf messages that have a depth exceeding the limit, the request will fail after applying the fix. You can modify the gflag json2pb_max_recursion_depth to change the limit.
- Source
- security@apache.org
- NVD status
- Analyzed
- Products
- brpc
CVSS 3.1
- Type
- Secondary
- Base score
- 7.5
- Impact score
- 3.6
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Severity
- HIGH
- security@apache.org
- CWE-674
- Hype score
- Not currently trending
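The fix described above caps nesting depth at 100 (gflag json2pb_max_recursion_depth). As an added illustration, not bRPC or rapidjson code, the C++ guard below computes JSON nesting depth in a single iterative scan so an over-deep document can be rejected before it reaches a recursive parser; the function names and the constructed inputs are assumptions of this example.

```cpp
// Added example (not bRPC project code): a pre-parse depth guard that mirrors the fix's limit.
#include <cstddef>
#include <iostream>
#include <string>

// Default matches the json2pb_max_recursion_depth default described in the advisory.
constexpr std::size_t kDefaultMaxDepth = 100;

// Scan the raw JSON text once, iteratively, and return the maximum nesting depth
// of objects and arrays. Brackets inside string literals (and escaped quotes) are
// ignored so attacker-controlled strings cannot skew the count.
std::size_t json_nesting_depth(const std::string& text) {
    std::size_t depth = 0, max_depth = 0;
    bool in_string = false, escaped = false;
    for (char c : text) {
        if (in_string) {
            if (escaped) { escaped = false; }
            else if (c == '\\') { escaped = true; }
            else if (c == '"') { in_string = false; }
            continue;
        }
        switch (c) {
            case '"': in_string = true; break;
            case '{': case '[':
                if (++depth > max_depth) max_depth = depth;
                break;
            case '}': case ']':
                if (depth > 0) --depth;
                break;
            default: break;
        }
    }
    return max_depth;
}

// Reject input before it reaches a recursive parser. Stack frames, not bytes,
// are what a deep document exhausts, so a byte-size limit alone does not help.
bool within_depth_limit(const std::string& text, std::size_t max_depth = kDefaultMaxDepth) {
    return json_nesting_depth(text) <= max_depth;
}

// Constructed input: `levels` nested arrays around a single number.
std::string nested_arrays(std::size_t levels) {
    return std::string(levels, '[') + "0" + std::string(levels, ']');
}

int main() {
    std::cout << (within_depth_limit(nested_arrays(100)) ? "accept" : "reject") << '\n';  // accept
    std::cout << (within_depth_limit(nested_arrays(101)) ? "accept" : "reject") << '\n';  // reject
    return 0;
}
```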
CVE-2025-59789: Apache bRPC: Stack Exhaustion via Unbounded Recursion in JSON Parser https://t.co/XLPlzoBFOw Severity: critical allows remote attackers to make the server crash via sending deep recursive json data
@oss_security
4 Dec 2025
16 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Apache bRPC has a serious JSON parsing vulnerability (CVE-2025-59789) https://t.co/6AQxNwNpGV #セキュリティ対策Lab #セキュリティ #Security
@securityLab_jp
3 Dec 2025
109 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Apache bRPC vuln CVE-2025-59789 lets attackers crash servers on all versions before 1.15.0. If it's exposed to untrusted clients, patch time. #vulnerability https://t.co/JkKVsoMZSi
@threatcluster
1 Dec 2025
37 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-59789 Uncontrolled recursion in the json2pb component in Apache bRPC (version < 1.15.0) on all platforms allows remote attackers to make the server crash via sending deep r… https://t.co/wtarEW2W5F
@CVEnew
1 Dec 2025
256 Impressions
0 Retweets
0 Likes
1 Bookmark
0 Replies
0 Quotes
A serious flaw has been found in Apache bRPC: simply sending crafted JSON with a deeply recursive structure can force the server to crash (CVE-2025-59789). Since it is widely used in high-performance infrastructure, the impact is significant.
@yousukezan
1 Dec 2025
2132 Impressions
5 Retweets
16 Likes
7 Bookmarks
0 Replies
0 Quotes
CVE-2025-59789 CVE-2025-59789 https://t.co/sj6ye1u7SN
@VulmonFeeds
1 Dec 2025
75 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🗣️ CVE-2025-59789: Critical Flaw in Apache bRPC Framework Exposes High-Performance Systems to Crash Risks https://t.co/s8b9JxbBX7
@fridaysecurity
1 Dec 2025
40 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
A critical vulnerability in Apache bRPC (CVE-2025-59789) allows attackers to crash servers using deep JSON data. Upgrade to version 1.15.0 now to fix it. #CyberSecurity #Apache #bRPC #InfoSec #TechNews #CVE https://t.co/AqCuVdnagg
@the_yellow_fall
1 Dec 2025
227 Impressions
2 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:brpc:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "8FC82429-4B83-4132-A67A-146ABA8A0F27",
"versionEndExcluding": "1.15.0"
}
],
"operator": "OR"
}
]
}
]