Apache · Apache Brpc · CVE-2025-59789
**Name of the Vulnerable Software and Affected Versions**
Apache bRPC versions prior to 1.15.0
**Description**
An issue exists in the json2pb component of Apache bRPC that can lead to a server crash. This occurs when processing deeply recursive JSON data received from a remote attacker. The root cause is the use of a recursive parsing method within the rapidjson parser, which can result in a stack overflow when handling complex JSON structures. The issue affects systems using bRPC servers serving http+json requests from untrusted networks, or those directly using `JsonToProtoMessage` to convert JSON from untrusted sources. The fix introduces a recursion depth limit of 100 by default, impacting the functions `ProtoMessageToJson`, `ProtoMessageToProtoJson`, `JsonToProtoMessage`, and `ProtoJsonToProtoMessage`. Requests exceeding this limit will fail after applying the fix, but the limit can be adjusted using the `json2pb max recursion depth` gflag.
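As an added illustration of the mitigation the fix applies (example code written for this page, not taken from the bRPC project or its patch): a single-pass, non-recursive scan that measures JSON nesting depth and rejects a request body deeper than the 100-level default before the recursive parser ever sees it. The function and constant names, and the idea of running this as a pre-check in front of `JsonToProtoMessage`, are assumptions.

```cpp
#include <cstddef>
#include <string>

// Maximum nesting depth accepted before a request is rejected.
// Mirrors the default limit the bRPC fix introduces (100).
constexpr int kMaxJsonDepth = 100;

// Scan a JSON text and return its maximum bracket nesting depth,
// ignoring brackets that appear inside string literals. Returns -1
// on unbalanced brackets or an unterminated string. The scan is one
// linear pass with no recursion, so untrusted input cannot drive it
// into the stack exhaustion the recursive parser is vulnerable to.
int JsonNestingDepth(const std::string& json) {
    int depth = 0;
    int max_depth = 0;
    bool in_string = false;
    bool escaped = false;
    for (char c : json) {
        if (in_string) {
            if (escaped) {
                escaped = false;          // character after a backslash
            } else if (c == '\\') {
                escaped = true;
            } else if (c == '"') {
                in_string = false;        // closing quote
            }
            continue;
        }
        switch (c) {
            case '"': in_string = true; break;
            case '{': case '[':
                if (++depth > max_depth) max_depth = depth;
                break;
            case '}': case ']':
                if (--depth < 0) return -1;   // close without matching open
                break;
            default: break;
        }
    }
    return (in_string || depth != 0) ? -1 : max_depth;
}

// Gate for a server-side hook (hypothetical placement): accept only
// bodies whose nesting stays within the limit, so the recursive
// parser is never asked to descend deeper than the configured bound.
bool AcceptJsonBody(const std::string& body, int max_depth = kMaxJsonDepth) {
    const int depth = JsonNestingDepth(body);
    return depth >= 0 && depth <= max_depth;
}
```

Rejected bodies should be answered with a 4xx and logged, since a flood of over-deep payloads against an unpatched server is itself a useful detection signal.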
**Recommendations**
Upgrade bRPC to version 1.15.0 to resolve this issue.
Alternatively, apply the patch available at https://github.com/apache/brpc/pull/3099.