A critical security vulnerability has been discovered in the Apache bRPC framework that could allow remote attackers to crash servers by sending specially crafted JSON data.
The flaw, tracked as CVE-2025-59789, affects all versions of Apache bRPC before 1.15.0 across all platforms.
The vulnerability exists in the json2pb component of Apache bRPC, which converts JSON data to Protocol Buffer messages.
The component relies on rapidjson for parsing JSON data received from the network. By default, the rapidjson parser uses a recursive parsing method.
When an attacker sends JSON with deeply nested arrays or objects, every nesting level adds another stack frame to the recursive parse, so a sufficiently deep document exhausts the thread's stack and the process dies with a stack overflow.
CVE ID: CVE-2025-59789
CVSS Score: 9.8 (Critical)
Attack Vector: Network
Affected Versions: Apache bRPC < 1.15.0
Vulnerability Type: Uncontrolled Recursion / Stack Overflow
This causes the server to crash, leading to a denial-of-service condition. Organizations running bRPC are at risk if they meet either of the following conditions:
- Running a bRPC server whose protobuf-based services accept HTTP+JSON requests from untrusted networks.
- Calling the JsonToProtoMessage function on JSON from untrusted input sources.

Apache has provided two options to address this issue:
- Upgrade to Apache bRPC version 1.15.0, which includes the complete fix for this vulnerability.
- Apply the official patch available on GitHub if upgrading immediately is not possible.
Both fixes introduce a new recursion depth limit with a default value of 100. This change affects four key functions: ProtoMessageToJson, ProtoMessageToProtoJson, JsonToProtoMessage, and ProtoJsonToProtoMessage.
Organizations should note that requests containing JSON or protobuf messages exceeding this depth limit will fail after the fix is applied.
Administrators can adjust the limit by setting the json2pb_max_recursion_depth gflag (for example, --json2pb_max_recursion_depth=50 on the server command line) to meet their specific requirements; lowering it below 100 reduces the stack budget an attacker can consume, while raising it should only be done for services that genuinely exchange deeply nested messages.
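The guard that the fix adds, shown here as an added illustration that is not code from Apache bRPC or rapidjson: a small recursive JSON walker that counts nesting depth on the way down and refuses to recurse past a limit, with the limit defaulting to 100 to mirror json2pb_max_recursion_depth. The function names (CheckJsonDepth, WalkValue, NestedArrays), the DepthCheck struct and the sample inputs are assumptions of this example; a patched deployment gets this behaviour from the four json2pb conversion functions themselves, not from a pre-filter like this one. NestedArrays builds the attacker-shaped payload so the check can be exercised offline.

```cpp
#include <cstddef>
#include <string>

// Constructed example, not Apache bRPC or rapidjson code. The default of 100
// mirrors the limit the bRPC 1.15.0 fix applies via json2pb_max_recursion_depth.
constexpr int kDefaultMaxDepth = 100;

namespace {

void SkipWs(const std::string& s, std::size_t& pos) {
    while (pos < s.size() && (s[pos] == ' ' || s[pos] == '\n' ||
                              s[pos] == '\r' || s[pos] == '\t')) ++pos;
}

// Consumes a JSON string literal (assumes s[pos] == '"'). Brackets inside a
// string must not count as nesting, so strings are handled separately.
bool SkipString(const std::string& s, std::size_t& pos) {
    ++pos;  // opening quote
    while (pos < s.size()) {
        char c = s[pos++];
        if (c == '\\') { ++pos; continue; }  // skip the escaped character
        if (c == '"') return true;
    }
    return false;  // unterminated string
}

// Recursive walk of one JSON value. Each array or object adds one level; the
// walk refuses to descend past max_depth, which is the guard the vulnerable
// recursive parser lacked. deepest records the maximum level reached.
bool WalkValue(const std::string& s, std::size_t& pos, int depth,
               int max_depth, int& deepest) {
    SkipWs(s, pos);
    if (pos >= s.size()) return false;
    char c = s[pos];
    if (c == '"') return SkipString(s, pos);
    if (c != '[' && c != '{') {
        // Scalar (number, true, false, null): consume up to the next delimiter.
        while (pos < s.size() && s[pos] != ',' && s[pos] != ']' && s[pos] != '}' &&
               s[pos] != ' ' && s[pos] != '\n' && s[pos] != '\r' && s[pos] != '\t') ++pos;
        return true;
    }
    // Container: the only place the recursion depth grows, so the only place
    // the limit needs to be checked.
    if (depth + 1 > max_depth) return false;
    if (depth + 1 > deepest) deepest = depth + 1;
    const bool is_object = (c == '{');
    const char close = is_object ? '}' : ']';
    ++pos;
    while (true) {
        SkipWs(s, pos);
        if (pos >= s.size()) return false;
        if (s[pos] == close) { ++pos; return true; }
        if (is_object) {
            if (s[pos] != '"' || !SkipString(s, pos)) return false;  // member key
            SkipWs(s, pos);
            if (pos >= s.size() || s[pos] != ':') return false;
            ++pos;
        }
        if (!WalkValue(s, pos, depth + 1, max_depth, deepest)) return false;
        SkipWs(s, pos);
        if (pos < s.size() && s[pos] == ',') ++pos;
    }
}

}  // namespace

struct DepthCheck {
    bool accepted;  // false if nesting exceeds the limit (or the text is malformed)
    int  deepest;   // deepest nesting level reached before the walk stopped
};

// Entry point: accept the document only if its nesting stays within max_depth.
DepthCheck CheckJsonDepth(const std::string& json, int max_depth = kDefaultMaxDepth) {
    std::size_t pos = 0;
    int deepest = 0;
    bool ok = WalkValue(json, pos, 0, max_depth, deepest);
    return {ok, deepest};
}

// Constructed payload of the shape the advisory describes: n nested empty arrays.
std::string NestedArrays(std::size_t n) {
    return std::string(n, '[') + std::string(n, ']');
}
```

Without the `depth + 1 > max_depth` test, every extra `[` in the input is one more WalkValue frame on the stack, which is exactly how an attacker-controlled document size turns into stack exhaustion; with it, the walk fails closed on the 101st level and the request can be rejected before any conversion runs. Strings are skipped by SkipString so that bracket characters inside a string value do not count as nesting, which a naive character counter would get wrong.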
Security teams are strongly advised to assess their environments and apply the necessary patches immediately to prevent potential denial-of-service attacks.
The post Critical Apache bRPC Framework Vulnerability Let Attackers Crash the Server appeared first on Cyber Security News.