CVE-2025-59789

Published Dec 1, 2025

Last updated 3 months ago

Overview

Description
Uncontrolled recursion in the json2pb component in Apache bRPC (version < 1.15.0) on all platforms allows remote attackers to make the server crash by sending deeply recursive JSON data.

Root Cause: The bRPC json2pb component uses rapidjson to parse JSON data from the network. The rapidjson parser uses a recursive parsing method by default. If the input JSON has a deeply nested structure, the parser function may overflow the stack.

Affected Scenarios: Using a bRPC server with protobuf messages to serve http+json requests from an untrusted network, or directly using JsonToProtoMessage to convert JSON from untrusted input.

How to Fix (choose one of the following options):
  1. Upgrade bRPC to version 1.15.0, which fixes this issue.
  2. Apply this patch: https://github.com/apache/brpc/pull/3099

Note: Whichever option you choose, be aware that the fix introduces a recursion depth limit with a default value of 100. It affects these functions: ProtoMessageToJson, ProtoMessageToProtoJson, JsonToProtoMessage, and ProtoJsonToProtoMessage. If your requests contain JSON or protobuf messages whose depth exceeds the limit, the request will fail after the fix is applied. You can modify the gflag json2pb_max_recursion_depth to change the limit.
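The fix described above bounds recursion inside the json2pb conversion functions themselves. As an added example (not bRPC's code and not the patch linked above), the C++ below shows the complementary guard a service can run on an untrusted body before any recursive parser sees it: a single linear pass that counts array/object nesting while skipping string literals, and rejects documents deeper than a configurable cap. The default cap of 100 mirrors the default limit stated above; the type and function names (DepthScan, scan_json_depth, accept_json_body, nested_arrays) and the sample documents are constructed for this example.

```cpp
#include <cstddef>
#include <string>
#include <iostream>

// Result of the pre-parse nesting scan.
struct DepthScan {
    bool ok;          // false if the body exceeds max_depth or its nesting is unbalanced
    int max_depth;    // deepest nesting observed (the offending depth when exceeded)
};

// Linear, non-recursive scan that measures how deeply arrays/objects nest,
// ignoring brackets that appear inside string literals (including escaped quotes).
// Uses O(1) stack regardless of input depth, so a deeply nested body cannot
// exhaust the stack of the scanner itself.
DepthScan scan_json_depth(const std::string& json, int max_depth = 100) {
    int depth = 0, deepest = 0;
    bool in_string = false, escaped = false;
    for (char c : json) {
        if (in_string) {
            if (escaped) { escaped = false; }
            else if (c == '\\') { escaped = true; }
            else if (c == '"') { in_string = false; }
            continue;
        }
        switch (c) {
            case '"':
                in_string = true;
                break;
            case '{': case '[':
                if (++depth > max_depth) return {false, depth};   // reject before parsing
                if (depth > deepest) deepest = depth;
                break;
            case '}': case ']':
                if (--depth < 0) return {false, deepest};         // unbalanced closer
                break;
            default:
                break;
        }
    }
    // Unclosed containers or an unterminated string: the real parser would reject
    // these anyway, but flagging them here lets callers fail cheaply.
    return {depth == 0 && !in_string, deepest};
}

// Builds a constructed document of n nested arrays: [[[...]]]
std::string nested_arrays(int n) {
    return std::string(n, '[') + std::string(n, ']');
}

// How a request handler might gate a body before handing it to the JSON parser.
bool accept_json_body(const std::string& body, int max_depth = 100) {
    return scan_json_depth(body, max_depth).ok;
}

int main() {
    // Constructed sample: brackets inside the string value must not count as nesting.
    std::string legit = R"({"user":{"name":"a]{[\"","tags":["x",["y"]]}})";
    DepthScan s = scan_json_depth(legit);
    std::cout << "legit ok=" << s.ok << " depth=" << s.max_depth << "\n";   // ok=1 depth=4
    std::cout << "100 levels accepted=" << accept_json_body(nested_arrays(100)) << "\n";  // 1
    std::cout << "101 levels accepted=" << accept_json_body(nested_arrays(101)) << "\n";  // 0
    return 0;
}
```

The scan does not validate the JSON; it only guarantees that whatever reaches the recursive parser nests no deeper than the cap, so the parser's stack use on that input is bounded. Separately from anything on this page, rapidjson also ships an iterative parsing mode (kParseIterativeFlag) that replaces recursive descent with an explicit stack; either approach removes the dependence of stack depth on attacker-controlled input.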
Source
security@apache.org
NVD status
Analyzed
Products
brpc

Risk scores

CVSS 3.1

Type
Secondary
Base score
7.5
Impact score
3.6
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity
HIGH

Weaknesses

security@apache.org
CWE-674

Social media

Hype score
Not currently trending
  1. #VulnerabilityReport #ApachebRPC CVE-2025-59789: Critical Flaw in Apache bRPC Framework Exposes High-Performance Systems to Crash Risks https://t.co/fUz18knRAx

    @Komodosec

    4 Jan 2026

    79 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. CVE-2025-59789: Apache bRPC: Stack Exhaustion via Unbounded Recursion in JSON Parser https://t.co/XLPlzoBFOw Severity: critical allows remote attackers to make the server crash via sending deep recursive json data

    @oss_security

    4 Dec 2025

    16 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. Serious JSON parsing vulnerability in Apache bRPC (CVE-2025-59789) https://t.co/6AQxNwNpGV #セキュリティ対策Lab #セキュリティ #Security

    @securityLab_jp

    3 Dec 2025

    109 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. Apache bRPC vuln CVE-2025-59789 lets attackers crash servers on all versions before 1.15.0. If it's exposed to untrusted clients, patch time. #vulnerability https://t.co/JkKVsoMZSi

    @threatcluster

    1 Dec 2025

    37 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. CVE-2025-59789 Uncontrolled recursion in the json2pb component in Apache bRPC (version < 1.15.0) on all platforms allows remote attackers to make the server crash via sending deep r… https://t.co/wtarEW2W5F

    @CVEnew

    1 Dec 2025

    256 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  6. A serious flaw has been found in Apache bRPC: simply sending crafted JSON with a deeply recursive structure can force the server to crash (CVE-2025-59789). Because it is widely used in high-performance infrastructure, the impact is significant.

    @yousukezan

    1 Dec 2025

    2132 Impressions

    5 Retweets

    16 Likes

    7 Bookmarks

    0 Replies

    0 Quotes

  7. CVE-2025-59789 CVE-2025-59789 https://t.co/sj6ye1u7SN

    @VulmonFeeds

    1 Dec 2025

    75 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. 🗣️ CVE-2025-59789: Critical Flaw in Apache bRPC Framework Exposes High-Performance Systems to Crash Risks https://t.co/s8b9JxbBX7

    @fridaysecurity

    1 Dec 2025

    40 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  9. A critical vulnerability in Apache bRPC (CVE-2025-59789) allows attackers to crash servers using deep JSON data. Upgrade to version 1.15.0 now to fix it. #CyberSecurity #Apache #bRPC #InfoSec #TechNews #CVE https://t.co/AqCuVdnagg

    @the_yellow_fall

    1 Dec 2025

    227 Impressions

    2 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

  1. CVE-2025-54472: Unlimited memory allocation in the Redis protocol parser in Apache bRPC (all versions < 1.14.1) on all platforms allows attackers to crash the service via the network. Root Cause: In the bRPC Redis protocol parser code, memory for arrays or strings is allocated with sizes taken from integers read from the network. If an integer read from the network is too large, it may cause a bad alloc error and crash the program. Attackers can exploit this by sending special data packets to the bRPC service to carry out a denial-of-service attack. bRPC version 1.14.0 tried to fix this issue by limiting the memory allocation size; however, the limit check is not correctly implemented and can be evaded via integer overflow, so version 1.14.0 is also vulnerable, although the integer range affecting version 1.14.0 differs from that affecting versions < 1.14.0. Affected scenarios: Using bRPC as a Redis server to provide network services to untrusted clients, or using bRPC as a Redis client to call untrusted Redis services. How to Fix (choose one of two methods): 1. Upgrade bRPC to version 1.14.1. 2. Apply this patch ( https://github.com/apache/brpc/pull/3050 ) manually. Whichever method you choose, note that the patch limits the maximum length of memory allocated at a time in the bRPC Redis parser. The default limit is 64M. If some of your Redis requests or responses are larger than 64M, you might encounter errors after upgrading. In that case, you can modify the gflag redis_max_allocation_size to set a larger limit.
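The CVE-2025-54472 entry above makes two points a parser author should take from it: an allocation size read off the wire must be capped, and the cap comparison itself must be immune to integer overflow, otherwise a wrapped value passes the check. As an added example (not bRPC's code and not the patch in PR 3050), the C++ below parses a RESP bulk-string length header, accumulates the digits with an overflow check before every step, rejects anything above a cap whose 64 MiB default mirrors the default limit stated above, and allocates only afterwards. The names (kMaxAllocationSize, BulkLength, parse_bulk_length, allocate_bulk_buffer, accepted_buffer_size) and the sample headers are constructed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <limits>
#include <string>
#include <vector>

// Default cap on one allocation requested by a length prefix: 64 MiB, mirroring
// the default limit described above (the constant name is constructed).
const std::size_t kMaxAllocationSize = 64u * 1024u * 1024u;

struct BulkLength {
    bool ok;            // false: malformed, negative, overflowing, or above the cap
    std::size_t value;  // meaningful only when ok is true
};

// Parses a RESP bulk-string header such as "$1048576\r\n" into a length.
// Every digit is accumulated only after checking that value * 10 + digit fits
// in 64 bits, so a length that would wrap around can never pass the cap test.
BulkLength parse_bulk_length(const std::string& line, std::size_t max_alloc = kMaxAllocationSize) {
    BulkLength bad = {false, 0};
    if (line.size() < 2 || line[0] != '$') return bad;
    std::size_t i = 1;
    // A leading '-' (the RESP null bulk "$-1") is not a length to allocate for.
    if (line[i] < '0' || line[i] > '9') return bad;
    std::uint64_t value = 0;
    for (; i < line.size() && line[i] >= '0' && line[i] <= '9'; ++i) {
        std::uint64_t digit = static_cast<std::uint64_t>(line[i] - '0');
        // Overflow guard: compare before multiplying, never after.
        if (value > (std::numeric_limits<std::uint64_t>::max() - digit) / 10) return bad;
        value = value * 10 + digit;
        // Stop as soon as the cap is exceeded; further digits can only grow the value.
        if (value > max_alloc) return bad;
    }
    // The protocol requires a CRLF terminator immediately after the digits.
    if (i + 1 >= line.size() || line[i] != '\r' || line[i + 1] != '\n') return bad;
    BulkLength good = {true, static_cast<std::size_t>(value)};
    return good;
}

// Reserves the payload buffer only after the length has passed the bounded check.
bool allocate_bulk_buffer(const std::string& header, std::vector<char>& out,
                          std::size_t max_alloc = kMaxAllocationSize) {
    BulkLength len = parse_bulk_length(header, max_alloc);
    if (!len.ok) return false;
    out.assign(len.value, '\0');
    return true;
}

// Size of the buffer the header would produce, or 0 when the header is rejected.
std::size_t accepted_buffer_size(const std::string& header) {
    std::vector<char> buf;
    return allocate_bulk_buffer(header, buf) ? buf.size() : 0;
}

int main() {
    // Constructed headers: one within the cap, one just over it, one that would wrap 64 bits.
    std::cout << "1 MiB header -> " << accepted_buffer_size("$1048576\r\n") << " bytes\n";
    std::cout << "64 MiB + 1 header -> " << accepted_buffer_size("$67108865\r\n") << " bytes\n";
    std::cout << "2^64 header -> " << accepted_buffer_size("$18446744073709551616\r\n") << " bytes\n";
    return 0;
}
```

The cap is a parameter so that a deployment with legitimately large values can raise it, which is the same trade-off the entry above describes for redis_max_allocation_size; what must never be configurable away is the per-digit overflow check.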