Categories: Cyber Security News

Critical Apache bRPC Framework Vulnerability Let Attackers Crash the Server

A critical security vulnerability has been discovered in the Apache bRPC framework that could allow remote attackers to crash servers by sending specially crafted JSON data.

The flaw, tracked as CVE-2025-59789, affects all versions of Apache bRPC before 1.15.0 across all platforms.

The vulnerability exists in the json2pb component of Apache bRPC, which converts JSON data to Protocol Buffer messages.

The component relies on rapidjson to parse JSON received from the network, and rapidjson's default parsing mode is recursive: every nested array or object adds another stack frame.

When an attacker sends JSON with deeply nested structures (for example tens of thousands of opening brackets), the parser recurses once per level until it exhausts the thread's stack, resulting in a stack overflow.

Field               Details
CVE ID              CVE-2025-59789
CVSS Score          9.8 (Critical)
Attack Vector       Network
Affected Versions   Apache bRPC < 1.15.0
Vulnerability Type  Uncontrolled Recursion / Stack Overflow

This crashes the server process, leading to a denial-of-service condition. Organizations running bRPC are at risk if they meet either of the following conditions:

- Running a bRPC server for protobuf-based services that handles HTTP+JSON requests from untrusted networks.

- Calling the JsonToProtoMessage function on JSON from untrusted input sources.

Apache has provided two options to address this security issue:

- Upgrade to Apache bRPC version 1.15.0, which includes the complete fix for this vulnerability.

- Apply the official patch available on GitHub if an immediate upgrade is not possible.

Both fixes introduce a recursion depth limit with a default value of 100. The limit applies to four functions: ProtoMessageToJson, ProtoMessageToProtoJson, JsonToProtoMessage, and ProtoJsonToProtoMessage.

Organizations should note that requests containing JSON or protobuf messages exceeding this depth limit will fail after the fix is applied.

Administrators can adjust the limit by setting the json2pb_max_recursion_depth gflag to meet their specific requirements; raising it also raises the stack space a single request can consume, so it should not be set arbitrarily high.
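To make both halves of the story concrete (the unbounded recursion described above, and the depth budget introduced by the fix), here is an added example that is not code from Apache bRPC, json2pb or rapidjson. It is a toy recursive-descent JSON walker with one stack frame per nested value, the same shape as rapidjson's default recursive mode, guarded by a maximum depth that defaults to 100 like the fix. The names ParseStatus, CheckJsonDepth, NestedArrays and kDefaultMaxDepth are this example's own, and the attacker payload is constructed inline.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>

// Added example, not code from Apache bRPC or json2pb. A toy recursive-descent
// JSON walker in the style of rapidjson's default (recursive) parsing mode,
// plus the mitigation the advisory describes: a recursion depth budget, here
// defaulting to 100 like the json2pb_max_recursion_depth gflag. All names
// (ParseStatus, CheckJsonDepth, NestedArrays, kDefaultMaxDepth) are this
// example's own.

enum class ParseStatus { kOk, kDepthExceeded, kMalformed };

constexpr int kDefaultMaxDepth = 100;  // same default as the bRPC 1.15.0 fix

namespace {

bool IsWs(char c) { return c == ' ' || c == '\t' || c == '\n' || c == '\r'; }
bool IsDelim(char c) { return c == ',' || c == ']' || c == '}' || IsWs(c); }

void SkipWs(const std::string& s, size_t& i) {
    while (i < s.size() && IsWs(s[i])) ++i;
}

// Skip one JSON string literal, honouring backslash escapes. Expects s[i] == '"'.
bool SkipString(const std::string& s, size_t& i) {
    for (++i; i < s.size(); ++i) {
        if (s[i] == '\\') { ++i; continue; }   // skip the escaped character
        if (s[i] == '"') { ++i; return true; }
    }
    return false;  // unterminated string
}

// One stack frame per JSON value. Every nested array/object recurses once more,
// which is what a crafted "[[[[...]]]]" payload abuses. Without the depth
// check, the only limit is the thread's stack size.
ParseStatus SkipValue(const std::string& s, size_t& i, int depth, int max_depth) {
    if (depth > max_depth) return ParseStatus::kDepthExceeded;
    SkipWs(s, i);
    if (i >= s.size()) return ParseStatus::kMalformed;
    const char c = s[i];
    if (c == '[' || c == '{') {
        const char close = (c == '[') ? ']' : '}';
        ++i;
        SkipWs(s, i);
        if (i < s.size() && s[i] == close) { ++i; return ParseStatus::kOk; }  // empty container
        for (;;) {
            SkipWs(s, i);
            if (close == '}') {  // object member: "key" : value
                if (i >= s.size() || s[i] != '"' || !SkipString(s, i)) return ParseStatus::kMalformed;
                SkipWs(s, i);
                if (i >= s.size() || s[i] != ':') return ParseStatus::kMalformed;
                ++i;
            }
            const ParseStatus st = SkipValue(s, i, depth + 1, max_depth);
            if (st != ParseStatus::kOk) return st;
            SkipWs(s, i);
            if (i >= s.size()) return ParseStatus::kMalformed;
            if (s[i] == ',') { ++i; continue; }
            if (s[i] == close) { ++i; return ParseStatus::kOk; }
            return ParseStatus::kMalformed;
        }
    }
    if (c == '"') return SkipString(s, i) ? ParseStatus::kOk : ParseStatus::kMalformed;
    if (IsDelim(c) || c == ':') return ParseStatus::kMalformed;
    while (i < s.size() && !IsDelim(s[i])) ++i;  // number / true / false / null
    return ParseStatus::kOk;
}

}  // namespace

// Entry point modelled on the fix: the whole document must parse within
// max_depth nested values, otherwise it is rejected before it can exhaust the stack.
ParseStatus CheckJsonDepth(const std::string& json, int max_depth = kDefaultMaxDepth) {
    size_t i = 0;
    const ParseStatus st = SkipValue(json, i, 1, max_depth);
    if (st != ParseStatus::kOk) return st;
    SkipWs(json, i);
    return i == json.size() ? ParseStatus::kOk : ParseStatus::kMalformed;
}

// Constructed attacker payload: `depth` nested empty arrays, the shape of the
// "deeply nested recursive structures" in the advisory.
std::string NestedArrays(size_t depth) {
    return std::string(depth, '[') + std::string(depth, ']');
}

int main() {
    const char* names[] = {"ok", "depth exceeded", "malformed"};
    const std::string inputs[] = {
        "{\"a\":[1,2,{\"b\":null}]}",  // ordinary request body, depth 4
        NestedArrays(100),             // exactly at the default budget
        NestedArrays(200000),          // would overflow an unbounded recursive parser
    };
    for (const std::string& in : inputs) {
        const ParseStatus st = CheckJsonDepth(in);
        std::printf("%zu bytes -> %s\n", in.size(), names[static_cast<int>(st)]);
    }
    return 0;
}
```

The 200,000-level payload is rejected after 101 frames instead of 200,000, which is the whole point of the fix: the cost of a malicious request is bounded by the configured depth, not by the attacker's bandwidth. In a real bRPC deployment the equivalent knob is the json2pb_max_recursion_depth gflag named above, set in the usual gflags form (for example --json2pb_max_recursion_depth=200 on the server command line); the example's max_depth parameter plays that role here.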

Security teams are strongly advised to assess their environments and apply the necessary patches immediately to prevent potential denial-of-service attacks.


The post Critical Apache bRPC Framework Vulnerability Let Attackers Crash the Server appeared first on Cyber Security News.
