Critical Apache bRPC Framework Vulnerability Let Attackers Crash the Server

Critical Apache bRPC Framework Vulnerability Let Attackers Crash the Server

Posted on By CWS

A crucial safety vulnerability has been found within the Apache bRPC framework that would enable distant attackers to crash servers by sending specifically crafted JSON information.

The flaw, tracked as CVE-2025-59789, impacts all variations of Apache bRPC earlier than 1.15.0 throughout all platforms.

The vulnerability exists within the json2pb element of Apache bRPC, which converts JSON information to Protocol Buffer messages.

The element depends on rapidjson for parsing JSON information obtained from the community. By default, the rapidjson parser makes use of a recursive parsing methodology.

When attackers ship JSON information with deeply nested recursive constructions, the parser operate exhausts the stack reminiscence, leading to a stack overflow.

FieldDetailsCVE IDCVE-2025-59789CVSS Score9.8 (Essential)Assault VectorNetworkAffected VersionsApache bRPC < 1.15.0Vulnerability TypeUncontrolled Recursion / Stack Overflow

This causes the server to crash, resulting in a denial-of-service situation. Organizations utilizing bRPC servers are in danger in the event that they meet any of the next situations.

Working a bRPC server with protobuf messages that handles HTTP+JSON requests from untrusted networks.

Utilizing the JsonToProtoMessage operate to transform JSON from untrusted enter sources, Apache has supplied two choices to deal with this safety concern:

Improve to Apache bRPC model 1.15.0, which incorporates the entire repair for this vulnerability. Apply the official patch accessible on GitHub for these unable to improve instantly.

Each fixes introduce a brand new recursion depth restrict with a default worth of 100. This variation impacts 4 key capabilities: ProtoMessageToJson, ProtoMessageToProtoJson, JsonToProtoMessage, and ProtoJsonToProtoMessage.

Organizations ought to notice that requests containing JSON or protobuf messages exceeding this depth restrict will fail after the repair is utilized.

Directors can modify the restrict by modifying the json2pb_max_recursion_depth gflag on meet their particular necessities.

Safety groups are strongly suggested to evaluate their environments and apply the mandatory patches instantly to forestall potential denial-of-service assaults.

Observe us on Google Information, LinkedIn, and X for day by day cybersecurity updates. Contact us to characteristic your tales.

Cyber Security News Tags:, , , , , , ,

Related Posts

WatchGuard 0-day Vulnerability Exploited in the Wild to Hijack Firewalls WatchGuard 0-day Vulnerability Exploited in the Wild to Hijack Firewalls Cyber Security News
AI-Powered Zero-Day Exploits Raise Cybersecurity Concerns AI-Powered Zero-Day Exploits Raise Cybersecurity Concerns Cyber Security News
A Free Zero Trust Web Application Firewall for 2026 A Free Zero Trust Web Application Firewall for 2026 Cyber Security News
Microsoft Entra Credentials in the Authenticator App on Jail-Broken Devices to be Wiped Out Microsoft Entra Credentials in the Authenticator App on Jail-Broken Devices to be Wiped Out Cyber Security News
Microsoft Fixes Vulnerability in Entra Agent ID Administration Microsoft Fixes Vulnerability in Entra Agent ID Administration Cyber Security News
Hackers Exploit ClickFix to Deploy Remote Access Tools Hackers Exploit ClickFix to Deploy Remote Access Tools Cyber Security News