The flaw, tracked as CVE-2025-59789, affects all versions of Apache bRPC before 1.15.0 across all platforms.
The vulnerability exists in the json2pb component of Apache bRPC, which converts JSON data to Protocol Buffer messages.
The component relies on rapidjson for parsing JSON data received from the network. By default, the rapidjson parser uses a recursive parsing method.
When attackers send JSON data with deeply nested recursive structures, the parser function exhausts the stack memory, resulting in a stack overflow.
| Field | Details |
|---|---|
| CVE ID | CVE-2025-59789 |
| CVSS Score | 9.8 (Critical) |
| Attack Vector | Network |
| Affected Versions | Apache bRPC < 1.15.0 |
| Vulnerability Type | Uncontrolled Recursion / Stack Overflow |
This crashes the server process, producing a denial-of-service condition. Organizations running bRPC servers are at risk if either of the following applies:

- Running a bRPC server with protobuf-based services that handle HTTP+JSON requests from untrusted networks.
- Calling the JsonToProtoMessage function to convert JSON from untrusted input sources.

Apache has provided two options to address this issue:

- Upgrade to Apache bRPC 1.15.0, which includes the complete fix for this vulnerability.
- Apply the official patch available on GitHub if upgrading immediately is not possible.
Both fixes introduce a new recursion depth limit with a default value of 100. This change affects four key functions: ProtoMessageToJson, ProtoMessageToProtoJson, JsonToProtoMessage, and ProtoJsonToProtoMessage.
Organizations should note that requests containing JSON or protobuf messages exceeding this depth limit will fail after the fix is applied.
Administrators can adjust the limit by setting the json2pb_max_recursion_depth gflag to meet their specific requirements.
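The fix described above bounds recursion depth inside the converter itself. A defender who cannot upgrade yet can also bound nesting before any recursive parser ever sees the document. The following C++ example is added here and is not code from Apache bRPC or the official patch: it scans a JSON document in linear time, with no recursion, counts the deepest object/array nesting (ignoring brackets inside string literals), and rejects documents deeper than a configurable limit. The constant `kDefaultMaxDepth` mirrors the default of 100 stated for the `json2pb_max_recursion_depth` gflag but is our own name; `nested_array` builds a constructed test input.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Assumed default, matching the 100-level default the bRPC fix introduces.
// The constant name is ours, not bRPC's.
constexpr std::size_t kDefaultMaxDepth = 100;

// Returns the maximum nesting depth of objects/arrays in `json`.
// Brackets inside string literals (including escaped quotes) are ignored.
// Runs in O(n) with constant stack use, so it is safe to run on untrusted
// input of any depth before handing the document to a recursive parser.
// This is an admission check, not a validator: malformed JSON may still
// pass and must be rejected by the real parser afterwards.
std::size_t json_nesting_depth(const std::string& json) {
    std::size_t depth = 0;
    std::size_t max_depth = 0;
    bool in_string = false;
    bool escaped = false;
    for (char c : json) {
        if (in_string) {
            if (escaped) {
                escaped = false;          // character after a backslash
            } else if (c == '\\') {
                escaped = true;
            } else if (c == '"') {
                in_string = false;        // closing quote
            }
            continue;
        }
        switch (c) {
            case '"':
                in_string = true;
                break;
            case '{':
            case '[':
                if (++depth > max_depth) max_depth = depth;
                break;
            case '}':
            case ']':
                if (depth > 0) --depth;   // tolerate unbalanced closers
                break;
            default:
                break;
        }
    }
    return max_depth;
}

// True if the document is shallow enough to be passed to a recursive
// JSON-to-protobuf converter under the given limit.
bool within_depth_limit(const std::string& json,
                        std::size_t max_depth = kDefaultMaxDepth) {
    return json_nesting_depth(json) <= max_depth;
}

// Constructed sample input: a JSON array nested `depth` levels deep.
std::string nested_array(std::size_t depth) {
    return std::string(depth, '[') + std::string(depth, ']');
}

int main() {
    const std::string ok = R"({"user": {"tags": ["a", "b", "]]]]"]}})";
    std::cout << "depth(ok) = " << json_nesting_depth(ok)
              << ", admitted = " << within_depth_limit(ok) << "\n";

    const std::string deep = nested_array(150);
    std::cout << "depth(deep) = " << json_nesting_depth(deep)
              << ", admitted = " << within_depth_limit(deep) << "\n";
    return 0;
}
```

Run the check on the raw request body in the HTTP handler and return a 4xx response when it fails; a rejected request is logged with its measured depth, which also gives detection teams a simple signal for deliberately over-nested payloads.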
Security teams are strongly advised to assess their environments and apply the necessary patches immediately to prevent potential denial-of-service attacks.
The post Critical Apache bRPC Framework Vulnerability Let Attackers Crash the Server appeared first on Cyber Security News.