A crucial safety vulnerability has been found within the Apache bRPC framework that would enable distant attackers to crash servers by sending specifically crafted JSON information.
The flaw, tracked as CVE-2025-59789, impacts all variations of Apache bRPC earlier than 1.15.0 throughout all platforms.
The vulnerability exists within the json2pb element of Apache bRPC, which converts JSON information to Protocol Buffer messages.
The element depends on rapidjson for parsing JSON information obtained from the community. By default, the rapidjson parser makes use of a recursive parsing methodology.
When attackers ship JSON information with deeply nested recursive constructions, the parser operate exhausts the stack reminiscence, leading to a stack overflow.
FieldDetailsCVE IDCVE-2025-59789CVSS Score9.8 (Essential)Assault VectorNetworkAffected VersionsApache bRPC < 1.15.0Vulnerability TypeUncontrolled Recursion / Stack Overflow
This causes the server to crash, resulting in a denial-of-service situation. Organizations utilizing bRPC servers are in danger in the event that they meet any of the next situations.
Working a bRPC server with protobuf messages that handles HTTP+JSON requests from untrusted networks.
Utilizing the JsonToProtoMessage operate to transform JSON from untrusted enter sources, Apache has supplied two choices to deal with this safety concern:
Improve to Apache bRPC model 1.15.0, which incorporates the entire repair for this vulnerability. Apply the official patch accessible on GitHub for these unable to improve instantly.
Each fixes introduce a brand new recursion depth restrict with a default worth of 100. This variation impacts 4 key capabilities: ProtoMessageToJson, ProtoMessageToProtoJson, JsonToProtoMessage, and ProtoJsonToProtoMessage.
Organizations ought to notice that requests containing JSON or protobuf messages exceeding this depth restrict will fail after the repair is utilized.
Directors can modify the restrict by modifying the json2pb_max_recursion_depth gflag on meet their particular necessities.
Safety groups are strongly suggested to evaluate their environments and apply the mandatory patches instantly to forestall potential denial-of-service assaults.
Observe us on Google Information, LinkedIn, and X for day by day cybersecurity updates. Contact us to characteristic your tales.
