Critical Flaw in Apache bRPC Framework (CVE-2025-59789)

This week, I want to dive into a pretty serious vulnerability that just dropped. It involves the Apache bRPC framework. If you're into backend development, this is a textbook example of how a simple parsing weakness can turn into a critical security issue.

CVE-2025-59789 is a security vulnerability discovered in the Apache bRPC framework, with an assigned CVSS score of 9.8 (Critical). This network-based flaw could permit a remote attacker to induce a denial-of-service (DoS) condition.

Technical Analysis

The vulnerability is rooted in the json2pb component, which converts JSON data into Protocol Buffer messages. This component relies on the rapidjson parser, which utilizes a recursive parsing method by default.

The flaw is classified as Uncontrolled Recursion / Stack Overflow. An attacker can submit JSON data containing a deeply nested structure. When the rapidjson parser attempts to process this input, each nesting level adds another recursive function call, and the calls rapidly exhaust the available stack space, leading to a stack overflow. This crashes the bRPC server process immediately, which amounts to a DoS.

Risk Assessment

The vulnerability affects all versions of Apache bRPC before 1.15.0. Organizations that use this framework face a critical risk if their deployments meet the following criteria:

  • Running a bRPC server configured to handle HTTP+JSON requests that originate from untrusted external networks.
  • Employing the JsonToProtoMessage function to convert JSON data derived from any unvalidated or untrusted input source.

Required Action

Apache has provided definitive steps to remediate this vulnerability. Security teams are strongly advised to apply one of the following countermeasures immediately:

  1. Upgrade: Update the Apache bRPC framework to version 1.15.0 or higher, which includes the security fix.
  2. Patch: In any environment unable to execute a full version upgrade, apply the official patch made available on the Apache GitHub repository.

Both mitigation options introduce a recursion depth limit to the parsing process, with a default value of 100. This boundary is applied to key conversion functions, including JsonToProtoMessage. Any incoming JSON or Protocol Buffer messages that exceed this depth limit are rejected, which prevents the stack exhaustion condition. Administrators who need a greater recursion depth for specific operational requirements can adjust this parameter via the json2pb_max_recursion_depth gflag.
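To make the mechanism concrete, here is an added example (my own code, not bRPC's or rapidjson's) of the same idea the fix applies: a small recursive JSON walker that refuses to descend past a configurable nesting depth, defaulting to 100 like the json2pb_max_recursion_depth gflag. The `check_json_depth` function, the `DepthCheck` struct and the sample documents are all my own constructions; the point is that the depth check runs before each recursive descent, so the call stack is bounded by the limit regardless of how deeply the input is nested, and an over-deep document is rejected with an error instead of crashing the process.

```cpp
#include <cctype>
#include <cstddef>
#include <cstring>
#include <iostream>
#include <string>

// Result of walking a JSON document under a nesting-depth budget (constructed for this example).
struct DepthCheck {
    bool ok;            // true if the document parsed within the limit
    std::size_t depth;  // deepest container nesting level reached (1 = top-level container)
    std::string error;  // empty on success
};

namespace {

// Minimal recursive-descent walker. It validates structure only; it does not build a value tree.
struct Walker {
    const std::string& s;
    std::size_t i;
    std::size_t limit;    // maximum container depth allowed (mirrors the default of 100)
    std::size_t deepest;  // deepest level actually entered
    std::string error;

    Walker(const std::string& text, std::size_t max_depth)
        : s(text), i(0), limit(max_depth), deepest(0) {}

    void skip_ws() {
        while (i < s.size() && std::isspace(static_cast<unsigned char>(s[i]))) ++i;
    }
    bool fail(const char* msg) { if (error.empty()) error = msg; return false; }

    // Consumes a quoted string, honouring backslash escapes so brackets inside strings are ignored.
    bool parse_string() {
        if (i >= s.size() || s[i] != '"') return fail("expected string");
        ++i;
        while (i < s.size()) {
            if (s[i] == '\\') { i += 2; continue; }
            if (s[i] == '"') { ++i; return true; }
            ++i;
        }
        return fail("unterminated string");
    }

    // Numbers and literals: consume a run of non-structural characters.
    bool parse_scalar() {
        std::size_t start = i;
        while (i < s.size() && std::strchr(",]} \t\r\n", s[i]) == nullptr) ++i;
        return i == start ? fail("unexpected character") : true;
    }

    bool parse_value(std::size_t depth) {
        skip_ws();
        if (i >= s.size()) return fail("unexpected end of input");
        char c = s[i];
        if (c == '"') return parse_string();
        if (c == '[' || c == '{') {
            // The guard sits here, before recursing: depth can never exceed `limit`.
            if (depth + 1 > limit) return fail("nesting depth limit exceeded");
            return parse_container(depth + 1, c == '[' ? ']' : '}');
        }
        return parse_scalar();
    }

    bool parse_container(std::size_t depth, char close) {
        ++i;  // consume the opening bracket
        if (depth > deepest) deepest = depth;
        skip_ws();
        if (i < s.size() && s[i] == close) { ++i; return true; }  // empty container
        for (;;) {
            skip_ws();
            if (close == '}') {  // object member: "key" : value
                if (!parse_string()) return false;
                skip_ws();
                if (i >= s.size() || s[i] != ':') return fail("expected ':'");
                ++i;
            }
            if (!parse_value(depth)) return false;
            skip_ws();
            if (i < s.size() && s[i] == ',') { ++i; continue; }
            if (i < s.size() && s[i] == close) { ++i; return true; }
            return fail("expected ',' or closing bracket");
        }
    }
};

}  // namespace

// Walks `json` and reports whether it stays within `max_depth` container levels.
DepthCheck check_json_depth(const std::string& json, std::size_t max_depth = 100) {
    Walker w(json, max_depth);
    bool ok = w.parse_value(0);
    if (ok) {
        w.skip_ws();
        if (w.i != json.size()) ok = w.fail("trailing characters after document");
    }
    return DepthCheck{ok, w.deepest, w.error};
}

int main() {
    // Constructed inputs: a normal request body and a pathologically nested one.
    const std::string normal = "{\"a\": [1, 2, {\"b\": \"x\"}]}";
    const std::string nested = std::string(150, '[') + std::string(150, ']');
    for (const std::string* doc : {&normal, &nested}) {
        DepthCheck r = check_json_depth(*doc);
        std::cout << (r.ok ? "accepted" : "rejected") << " at depth " << r.depth
                  << (r.error.empty() ? "" : " (" + r.error + ")") << '\n';
    }
    return 0;
}
```

The depth guard is checked on entry to every container, so a 150-level document with the default limit is rejected exactly at level 100 and never reaches the 150 nested frames that would have been needed to finish it; raising the limit (the second argument) is the equivalent of adjusting the gflag and should only be done for workloads that genuinely need it.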
