PT-2025-48429 · Apache · Apache Brpc

Tyler Zars · Published 2025-09-20 · Updated 2026-01-04 · CVE-2025-59789

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: Apache bRPC versions prior to 1.15.0
Description: An issue exists in the json2pb component of Apache bRPC that can lead to a server crash. It is triggered when the server processes deeply nested JSON data received from a remote attacker. The root cause is the use of a recursive parsing method within the rapidjson parser, which can exhaust the stack (stack overflow) when handling deeply nested JSON structures. The issue affects systems running bRPC servers that serve http+json requests from untrusted networks, as well as code that directly uses JsonToProtoMessage to convert JSON from untrusted sources. The fix introduces a recursion depth limit of 100 by default, affecting the functions ProtoMessageToJson, ProtoMessageToProtoJson, JsonToProtoMessage, and ProtoJsonToProtoMessage. After the fix is applied, requests exceeding this limit will fail; the limit can be adjusted with the json2pb max recursion depth gflag.
Recommendations: Upgrade bRPC to version 1.15.0 to resolve this issue. Alternatively, apply the patch available at https://github.com/apache/brpc/pull/3099.
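As an added illustration of the mitigation described above (this is not bRPC's own code and not the patch in the linked pull request), the following C++ snippet applies the same default limit of 100 as a cheap pre-parse check: it scans raw JSON text for its maximum object/array nesting depth and rejects the document before it reaches a recursive parser. The function and struct names are assumptions chosen for the example.

```cpp
#include <cstddef>
#include <string>

// Result of scanning a JSON document's nesting depth without parsing it.
struct DepthCheck {
    bool within_limit;   // true if the deepest nesting level is <= limit
    std::size_t depth;   // deepest nesting level observed (0 for a scalar)
};

// Scan JSON text and report its maximum object/array nesting depth.
// Assumption: the input is syntactically valid JSON; this is a pre-filter
// placed in front of a recursive parser, not a parser itself. String
// literals are skipped so that brackets inside strings (e.g. "[[[") are
// not counted as nesting. The default limit of 100 mirrors the advisory.
DepthCheck check_json_depth(const std::string& json, std::size_t limit = 100) {
    std::size_t depth = 0, max_depth = 0;
    bool in_string = false;
    for (std::size_t i = 0; i < json.size(); ++i) {
        const char c = json[i];
        if (in_string) {
            if (c == '\\') { ++i; }               // skip the escaped character
            else if (c == '"') { in_string = false; }
            continue;
        }
        switch (c) {
            case '"': in_string = true; break;
            case '[': case '{':
                if (++depth > max_depth) max_depth = depth;
                // Bail out as soon as the limit is exceeded: no need to scan the rest.
                if (max_depth > limit) return {false, max_depth};
                break;
            case ']': case '}':
                if (depth > 0) --depth;
                break;
            default: break;
        }
    }
    return {max_depth <= limit, max_depth};
}

// Constructed test payload: n nested arrays wrapped around a single scalar.
std::string nested_arrays(std::size_t n) {
    return std::string(n, '[') + "0" + std::string(n, ']');
}
```

A request failing this check should be rejected with a client error and logged, which also gives a detection signal for probing of this weakness.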

Fix

DoS

Uncontrolled Recursion

Weakness Enumeration

Related Identifiers

BDU:2025-15100
CVE-2025-59789

Affected Products

Apache Brpc