CVE-2025-59789: Remote Crash Possible! Uncontrolled Recursion in Apache bRPC json2pb

Overview

CVE-2025-59789 describes an uncontrolled recursion vulnerability in the json2pb component of Apache bRPC versions prior to 1.15.0. This flaw allows remote attackers to potentially crash a server by sending deeply nested JSON data. Exploiting this vulnerability can lead to a denial-of-service (DoS) condition.

Technical Details

The root cause lies in the way the json2pb component uses the rapidjson library to parse incoming JSON data. rapidjson, by default, parses nested values recursively, so each additional level of nesting costs another stack frame. If an attacker crafts a JSON payload with an excessively deep nested structure, the parsing function can exhaust the thread's stack, resulting in a stack overflow and a crash of the server process.

Affected scenarios include:

  • Use of a bRPC server with protobuf messages handling HTTP+JSON requests from untrusted networks.
  • Direct use of JsonToProtoMessage to convert JSON from untrusted input sources.

CVSS Analysis

As of the publication of this article, a CVSS score has not been assigned for CVE-2025-59789. However, the potential for a denial-of-service attack indicates that it should be considered a serious vulnerability requiring immediate attention.

Possible Impact

A successful exploit of CVE-2025-59789 can lead to:

  • Denial of Service (DoS): The target server becomes unavailable, disrupting services for legitimate users.
  • System Instability: Repeated crashes can lead to broader instability in the surrounding system as dependent components lose the service.

Mitigation Steps

There are two recommended methods to address this vulnerability:

  1. Upgrade bRPC: The most straightforward solution is to upgrade to bRPC version 1.15.0 or later. This version includes a fix for the uncontrolled recursion issue.
  2. Apply the Patch: If upgrading is not immediately feasible, you can apply the patch available on GitHub: https://github.com/apache/brpc/pull/3099

Important Note: Both the upgrade and the patch introduce a recursion depth limit with a default value of 100. This limit affects the following functions: ProtoMessageToJson, ProtoMessageToProtoJson, JsonToProtoMessage, and ProtoJsonToProtoMessage. If your requests contain JSON or Protobuf messages with a depth exceeding this limit, requests will fail. You can adjust the recursion depth by modifying the json2pb_max_recursion_depth gflag. Carefully assess your application’s requirements before increasing this limit, as it may increase the risk of a denial-of-service attack if set too high.
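To make the depth limit concrete, here is an added example (not bRPC's own code and not the PR 3099 patch) of a non-recursive pre-check that rejects JSON whose nesting exceeds a bound, the same property the json2pb limit enforces inside its conversion functions. The constant kMaxJsonDepth and the function names are assumptions chosen for this illustration; the sample payload builder is constructed for the test.

```cpp
#include <cstddef>
#include <string>

// Maximum nesting depth accepted before a payload is rejected. The value mirrors
// the default of 100 that bRPC 1.15.0 applies through json2pb_max_recursion_depth;
// the constant name itself is hypothetical, not bRPC's.
constexpr std::size_t kMaxJsonDepth = 100;

// Scans a JSON document iteratively (no recursion, so its own stack usage is
// constant) and returns the maximum nesting depth of arrays/objects, or -1 if
// the depth exceeds max_depth or the brackets are unbalanced or truncated.
// String contents are skipped so brackets inside strings are not counted.
int json_nesting_depth(const std::string& doc, std::size_t max_depth) {
    std::size_t depth = 0, deepest = 0;
    bool in_string = false;
    for (std::size_t i = 0; i < doc.size(); ++i) {
        const char c = doc[i];
        if (in_string) {
            if (c == '\\') { ++i; }               // skip the escaped character
            else if (c == '"') in_string = false;
            continue;
        }
        switch (c) {
            case '"': in_string = true; break;
            case '[': case '{':
                if (++depth > max_depth) return -1;  // reject before going deeper
                if (depth > deepest) deepest = depth;
                break;
            case ']': case '}':
                if (depth == 0) return -1;           // closing bracket with no opener
                --depth;
                break;
            default: break;
        }
    }
    if (in_string || depth != 0) return -1;          // unterminated string or unclosed bracket
    return static_cast<int>(deepest);
}

// Constructed test payload: n nested arrays, the shape that drives a recursive
// parser one frame deeper per byte.
std::string nested_arrays(std::size_t n) {
    return std::string(n, '[') + std::string(n, ']');
}

// Gate to run before handing untrusted JSON to a recursive parser.
bool accept_json(const std::string& doc) {
    return json_nesting_depth(doc, kMaxJsonDepth) >= 0;
}
```

Applying such a gate at the HTTP boundary does not replace the upgrade; it only bounds what reaches the parser in components you cannot patch yet.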

References

Apache Announcement List
Openwall oss-security Mailing List
bRPC Patch on GitHub

Published: 2025-12-01T11:15:48.377
