Critical Vulnerability in Apache bRPC Framework Allows Remote Server Crashes
A critical security vulnerability has been identified in the Apache bRPC framework, potentially enabling remote attackers to crash servers by sending specially crafted JSON data. This flaw, designated as CVE-2025-59789, affects all versions of Apache bRPC prior to 1.15.0 across all platforms.
Understanding the Vulnerability
The issue resides within the `json2pb` component of Apache bRPC, which converts JSON data into Protocol Buffer messages. This component uses the `rapidjson` library to parse JSON received over the network, and by default `rapidjson` parses recursively, descending one stack frame for each level of nesting. An attacker can therefore send JSON with extremely deep nesting, exhausting the thread's stack and causing a stack overflow. The overflow crashes the server, producing a denial-of-service (DoS) condition.
Risk Assessment
Organizations using bRPC servers are particularly at risk if they meet any of the following conditions:
– Operating a bRPC server whose Protocol Buffer services accept HTTP+JSON requests from untrusted networks.
– Utilizing the `JsonToProtoMessage` function to convert JSON from untrusted input sources.
Technical Details
– CVE ID: CVE-2025-59789
– CVSS Score: 9.8 (Critical)
– Attack Vector: Network
– Affected Versions: Apache bRPC versions prior to 1.15.0
– Vulnerability Type: Uncontrolled Recursion / Stack Overflow
Mitigation Strategies
To address this critical vulnerability, Apache has provided two primary solutions:
1. Upgrade to Apache bRPC Version 1.15.0: This version includes a comprehensive fix for the vulnerability.
2. Apply the Official Patch: For those unable to upgrade immediately, an official patch is available on GitHub.
Both solutions introduce a new recursion depth limit, set by default to 100. This change affects four key functions: `ProtoMessageToJson`, `ProtoMessageToProtoJson`, `JsonToProtoMessage`, and `ProtoJsonToProtoMessage`. Organizations should be aware that requests containing JSON or Protocol Buffer messages exceeding this depth limit will fail after applying the fix. Administrators can adjust this limit by modifying the `json2pb_max_recursion_depth` gflag to meet specific requirements.
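The following C++ snippet is an added illustration of the defensive idea behind the fix described above (bounding nesting depth before a recursive parser touches the input); it is not code from the Apache bRPC project or its patch. It scans a JSON document iteratively, counting `[`/`{` nesting while skipping over string literals, and rejects the request once the depth exceeds a limit that defaults to 100, the same default the page gives for `json2pb_max_recursion_depth`. The names `json_nesting_depth`, `accept_json_request` and `nested_arrays` are this example's own, and the sample inputs are constructed.

```cpp
// Added example, not bRPC project code: an iterative pre-check that bounds
// JSON nesting depth before the document reaches a recursive parser.
#include <cstddef>
#include <iostream>
#include <string>

// Default mirrors the recursion limit the fix introduces (json2pb_max_recursion_depth = 100).
constexpr std::size_t kDefaultMaxDepth = 100;

struct DepthCheck {
    bool ok;            // true when nesting never exceeds max_depth
    std::size_t depth;  // deepest nesting seen, or the depth at which the limit was exceeded
};

// Walks the text once, with no recursion, so the cost is linear in input size
// and independent of how deeply the document is nested. Brackets inside string
// literals are ignored; JSON syntax errors are left for the real parser.
DepthCheck json_nesting_depth(const std::string& json,
                              std::size_t max_depth = kDefaultMaxDepth) {
    std::size_t depth = 0, max_seen = 0;
    bool in_string = false, escaped = false;
    for (char c : json) {
        if (in_string) {
            if (escaped)            escaped = false;   // skip the escaped character
            else if (c == '\\')     escaped = true;
            else if (c == '"')      in_string = false;
            continue;
        }
        switch (c) {
            case '"':
                in_string = true;
                break;
            case '[': case '{':
                if (++depth > max_depth) return {false, depth};  // stop early: over the limit
                if (depth > max_seen) max_seen = depth;
                break;
            case ']': case '}':
                if (depth > 0) --depth;  // unbalanced closes are a syntax problem, not a depth one
                break;
            default:
                break;
        }
    }
    return {true, max_seen};
}

// Gate to place in front of a recursive JSON-to-protobuf conversion
// (a stand-in for where JsonToProtoMessage would be called).
bool accept_json_request(const std::string& body,
                         std::size_t max_depth = kDefaultMaxDepth) {
    return json_nesting_depth(body, max_depth).ok;
}

// Constructed test input: an array nested n levels deep.
std::string nested_arrays(std::size_t n) {
    return std::string(n, '[') + std::string(n, ']');
}

int main() {
    // Brackets inside the string value do not count; real depth here is 3.
    std::cout << accept_json_request(R"({"a":[1,{"b":"[[[["}]})") << '\n';  // 1
    std::cout << accept_json_request(nested_arrays(100)) << '\n';           // 1 (at the limit)
    std::cout << accept_json_request(nested_arrays(101)) << '\n';           // 0 (rejected)
    return 0;
}
```

Because the scan is iterative, the check itself cannot be driven into a stack overflow by the input it is inspecting, which is the property a recursive parser lacks. The limit is a policy knob: as the page notes for the gflag, legitimate deeply nested messages fail once a limit is in place, so it should be tuned to the deepest schema the service actually expects.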
Immediate Actions Recommended
Security teams are strongly advised to assess their environments and implement the necessary patches without delay to prevent potential denial-of-service attacks. Ensuring that all bRPC servers are updated to version 1.15.0 or have the official patch applied is crucial in mitigating this vulnerability.