Refine your search
4 vulnerabilities found for Apache bRPC by Apache Software Foundation
CVE-2025-59789 (GCVE-0-2025-59789)
Vulnerability from nvd
Published
2025-12-01 10:22
Modified
2025-12-01 15:05
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-674 - Uncontrolled Recursion
Summary
Uncontrolled recursion in the json2pb component in Apache bRPC (version < 1.15.0) on all platforms allows remote attackers to make the server crash via sending deep recursive json data.
Root Cause:
The bRPC json2pb component uses rapidjson to parse json data from the network. The rapidjson parser uses a recursive parsing method by default. If the input json has a large depth of recursive structure, the parser function may run into stack overflow.
Affected Scenarios:
Use bRPC server with protobuf message to serve http+json requests from untrusted network. Or directly use JsonToProtoMessage to convert json from untrusted input.
How to Fix:
(Choose one of the following options)
1. Upgrade bRPC to version 1.15.0, which fixes this issue.
2. Apply this patch: https://github.com/apache/brpc/pull/3099
Note:
No matter which option
you choose, you should know that the fix introduces a recursion depth limit with default value 100. It affects these functions:
ProtoMessageToJson, ProtoMessageToProtoJson, JsonToProtoMessage, and ProtoJsonToProtoMessage.
If your requests contain json or protobuf messages that have a depth exceeding the limit, the request will be failed after applying the fix. You can modify the gflag json2pb_max_recursion_depth to change the limit.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache bRPC |
Version: 0 ≤ |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-12-01T11:05:54.538Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/12/01/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-59789",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-01T15:04:16.305638Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T15:05:18.284Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache bRPC",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "1.15.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tyler Zars"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Uncontrolled recursion in the json2pb component in Apache bRPC (version \u0026lt; 1.15.0) on all platforms allows remote attackers to make the server crash via sending deep recursive json data.\u003cbr\u003e\u003cbr\u003eRoot Cause:\u003cbr\u003eThe bRPC\u0026nbsp;json2pb component uses rapidjson to parse json data from the network. The rapidjson parser uses a recursive parsing method by default. If the input json has a large depth of recursive structure, the parser function may run into stack overflow.\u003cbr\u003e\u003cbr\u003eAffected Scenarios:\u003cbr\u003eUse bRPC server with protobuf message to serve http+json requests from untrusted network. Or directly use\u0026nbsp;JsonToProtoMessage to convert json from\u0026nbsp;untrusted input.\n\n\u003cbr\u003e\u003cbr\u003eHow to Fix: \u003cbr\u003e(\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eChoose one of the following options)\u0026nbsp;\u003c/span\u003e\u003cbr\u003e1. Upgrade bRPC to version 1.15.0, which fixes this issue.\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e2. Apply this patch: \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/apache/brpc/pull/3099\"\u003ehttps://github.com/apache/brpc/pull/3099\u003c/a\u003e\n\n\u003cbr\u003e\u003cbr\u003eNote:\u003cbr\u003eNo matter which option \n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eyou choose\u003c/span\u003e, you should know that the fix introduces a recursion depth limit with default value 100. It affects these functions:\u0026nbsp;\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eProtoMessageToJson, ProtoMessageToProtoJson, JsonToProtoMessage, and ProtoJsonToProtoMessage.\u003c/span\u003e\n\n If your requests contain json or protobuf messages that have a depth exceeding the limit, the request will be failed after applying the fix. You can modify the gflag json2pb_max_recursion_depth to change the limit."
}
],
"value": "Uncontrolled recursion in the json2pb component in Apache bRPC (version \u003c 1.15.0) on all platforms allows remote attackers to make the server crash via sending deep recursive json data.\n\nRoot Cause:\nThe bRPC\u00a0json2pb component uses rapidjson to parse json data from the network. The rapidjson parser uses a recursive parsing method by default. If the input json has a large depth of recursive structure, the parser function may run into stack overflow.\n\nAffected Scenarios:\nUse bRPC server with protobuf message to serve http+json requests from untrusted network. Or directly use\u00a0JsonToProtoMessage to convert json from\u00a0untrusted input.\n\n\n\nHow to Fix: \n(Choose one of the following options)\u00a0\n1. Upgrade bRPC to version 1.15.0, which fixes this issue.\n2. Apply this patch: https://github.com/apache/brpc/pull/3099 \n\n\n\nNote:\nNo matter which option \n\nyou choose, you should know that the fix introduces a recursion depth limit with default value 100. It affects these functions:\u00a0\n\nProtoMessageToJson, ProtoMessageToProtoJson, JsonToProtoMessage, and ProtoJsonToProtoMessage.\n\n If your requests contain json or protobuf messages that have a depth exceeding the limit, the request will be failed after applying the fix. You can modify the gflag json2pb_max_recursion_depth to change the limit."
}
],
"metrics": [
{
"other": {
"content": {
"text": "critical"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-674",
"description": "CWE-674 Uncontrolled Recursion",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T10:22:41.697Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/ozmcsztcpxn61jxod8jo8q46jo0oc1zx"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache bRPC: Stack Exhaustion via Unbounded Recursion in JSON Parser",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-59789",
"datePublished": "2025-12-01T10:22:41.697Z",
"dateReserved": "2025-09-20T06:17:58.940Z",
"dateUpdated": "2025-12-01T15:05:18.284Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-54472 (GCVE-0-2025-54472)
Vulnerability from nvd
Published
2025-08-14 09:05
Modified
2025-11-04 21:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Unlimited memory allocation in redis protocol parser in Apache bRPC (all versions < 1.14.1) on all platforms allows attackers to crash the service via network.
Root Cause: In the bRPC Redis protocol parser code, memory for arrays or strings of corresponding sizes is allocated based on the integers read from the network. If the integer read from the network is too large, it may cause a bad alloc error and lead to the program crashing. Attackers can exploit this feature by sending special data packets to the bRPC service to carry out a denial-of-service attack on it.
The bRPC 1.14.0 version tried to fix this issue by limited the memory allocation size, however, the limitation checking code is not well implemented that may cause integer overflow and evade such limitation. So the 1.14.0 version is also vulnerable, although the integer range that affect version 1.14.0 is different from that affect version < 1.14.0.
Affected scenarios: Using bRPC as a Redis server to provide network services to untrusted clients, or using bRPC as a Redis client to call untrusted Redis services.
How to Fix: we provide two methods, you can choose one of them:
1. Upgrade bRPC to version 1.14.1.
2. Apply this patch ( https://github.com/apache/brpc/pull/3050 ) manually.
No matter you choose which method, you should note that the patch limits the maximum length of memory allocated for each time in the bRPC Redis parser. The default limit is 64M. If some of you redis request or response have a size larger than 64M, you might encounter error after upgrade. For such case, you can modify the gflag redis_max_allocation_size to set a larger limit.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache bRPC |
Version: 0 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-54472",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-14T13:37:18.746439Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-14T14:49:23.869Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:12:49.056Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/08/12/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache bRPC",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "1.14.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Tyler Zars"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Unlimited memory allocation in redis protocol parser in Apache bRPC (all versions \u0026lt; 1.14.1) on all platforms allows attackers to crash the service via network.\u003cbr\u003e\u003cbr\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eRoot Cause: In the bRPC Redis protocol parser code, memory for arrays or strings of corresponding sizes is allocated based on the integers read from the network. If the integer read from the network is too large, it may cause a bad alloc error and lead to the program crashing. Attackers can exploit this feature by sending special data packets to the bRPC service to carry out a denial-of-service attack on it.\u003cbr\u003e\u003c/span\u003eThe bRPC 1.14.0 version tried to fix this issue by limited the memory allocation size, however, the limitation checking code is not well implemented that may cause integer overflow and evade such limitation. So the\u0026nbsp;1.14.0 version is also vulnerable, although the integer range that affect version 1.14.0 is different from that affect version \u0026lt; 1.14.0.\u003cbr\u003e\u003cbr\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAffected scenarios: Using bRPC as a Redis server to provide network services to untrusted clients, or using bRPC as a Redis client to call untrusted Redis services.\u003c/span\u003e\n\n\u003cbr\u003e\u003cbr\u003eHow to Fix: we provide two methods, you can choose one of them:\u003cbr\u003e\u003cbr\u003e1. Upgrade bRPC to version 1.14.1.\u003cbr\u003e2. Apply this patch (\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/apache/brpc/pull/3050\"\u003ehttps://github.com/apache/brpc/pull/3050\u003c/a\u003e) manually.\u003cbr\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eNo matter you choose which method, you should note that the patch limits the maximum length of memory allocated for each time in the bRPC Redis parser. The default limit is 64M. If some of you redis request or response have a size larger than 64M, you might encounter error after upgrade. For such case, you can modify the gflag\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eredis_max_allocation_size to set a larger limit.\u003c/span\u003e\u003c/span\u003e\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Unlimited memory allocation in redis protocol parser in Apache bRPC (all versions \u003c 1.14.1) on all platforms allows attackers to crash the service via network.\n\n\n\nRoot Cause: In the bRPC Redis protocol parser code, memory for arrays or strings of corresponding sizes is allocated based on the integers read from the network. If the integer read from the network is too large, it may cause a bad alloc error and lead to the program crashing. Attackers can exploit this feature by sending special data packets to the bRPC service to carry out a denial-of-service attack on it.\nThe bRPC 1.14.0 version tried to fix this issue by limited the memory allocation size, however, the limitation checking code is not well implemented that may cause integer overflow and evade such limitation. So the\u00a01.14.0 version is also vulnerable, although the integer range that affect version 1.14.0 is different from that affect version \u003c 1.14.0.\n\n\n\nAffected scenarios: Using bRPC as a Redis server to provide network services to untrusted clients, or using bRPC as a Redis client to call untrusted Redis services.\n\n\n\nHow to Fix: we provide two methods, you can choose one of them:\n\n1. Upgrade bRPC to version 1.14.1.\n2. Apply this patch ( https://github.com/apache/brpc/pull/3050 ) manually.\n\nNo matter you choose which method, you should note that the patch limits the maximum length of memory allocated for each time in the bRPC Redis parser. The default limit is 64M. If some of you redis request or response have a size larger than 64M, you might encounter error after upgrade. For such case, you can modify the gflag\u00a0redis_max_allocation_size to set a larger limit."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190 Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-14T09:05:38.944Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/r3xsy3wvs4kmfhc281173k5b6ll1xt2m"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache bRPC: Redis Parser Remote Denial of Service",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-54472",
"datePublished": "2025-08-14T09:05:38.944Z",
"dateReserved": "2025-07-23T09:19:43.081Z",
"dateUpdated": "2025-11-04T21:12:49.056Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-59789 (GCVE-0-2025-59789)
Vulnerability from cvelistv5
Published
2025-12-01 10:22
Modified
2025-12-01 15:05
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-674 - Uncontrolled Recursion
Summary
Uncontrolled recursion in the json2pb component in Apache bRPC (version < 1.15.0) on all platforms allows remote attackers to make the server crash via sending deep recursive json data.
Root Cause:
The bRPC json2pb component uses rapidjson to parse json data from the network. The rapidjson parser uses a recursive parsing method by default. If the input json has a large depth of recursive structure, the parser function may run into stack overflow.
Affected Scenarios:
Use bRPC server with protobuf message to serve http+json requests from untrusted network. Or directly use JsonToProtoMessage to convert json from untrusted input.
How to Fix:
(Choose one of the following options)
1. Upgrade bRPC to version 1.15.0, which fixes this issue.
2. Apply this patch: https://github.com/apache/brpc/pull/3099
Note:
No matter which option
you choose, you should know that the fix introduces a recursion depth limit with default value 100. It affects these functions:
ProtoMessageToJson, ProtoMessageToProtoJson, JsonToProtoMessage, and ProtoJsonToProtoMessage.
If your requests contain json or protobuf messages that have a depth exceeding the limit, the request will be failed after applying the fix. You can modify the gflag json2pb_max_recursion_depth to change the limit.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache bRPC |
Version: 0 ≤ |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-12-01T11:05:54.538Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/12/01/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-59789",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-01T15:04:16.305638Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T15:05:18.284Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache bRPC",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "1.15.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tyler Zars"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Uncontrolled recursion in the json2pb component in Apache bRPC (version \u0026lt; 1.15.0) on all platforms allows remote attackers to make the server crash via sending deep recursive json data.\u003cbr\u003e\u003cbr\u003eRoot Cause:\u003cbr\u003eThe bRPC\u0026nbsp;json2pb component uses rapidjson to parse json data from the network. The rapidjson parser uses a recursive parsing method by default. If the input json has a large depth of recursive structure, the parser function may run into stack overflow.\u003cbr\u003e\u003cbr\u003eAffected Scenarios:\u003cbr\u003eUse bRPC server with protobuf message to serve http+json requests from untrusted network. Or directly use\u0026nbsp;JsonToProtoMessage to convert json from\u0026nbsp;untrusted input.\n\n\u003cbr\u003e\u003cbr\u003eHow to Fix: \u003cbr\u003e(\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eChoose one of the following options)\u0026nbsp;\u003c/span\u003e\u003cbr\u003e1. Upgrade bRPC to version 1.15.0, which fixes this issue.\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e2. Apply this patch: \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/apache/brpc/pull/3099\"\u003ehttps://github.com/apache/brpc/pull/3099\u003c/a\u003e\n\n\u003cbr\u003e\u003cbr\u003eNote:\u003cbr\u003eNo matter which option \n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eyou choose\u003c/span\u003e, you should know that the fix introduces a recursion depth limit with default value 100. It affects these functions:\u0026nbsp;\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eProtoMessageToJson, ProtoMessageToProtoJson, JsonToProtoMessage, and ProtoJsonToProtoMessage.\u003c/span\u003e\n\n If your requests contain json or protobuf messages that have a depth exceeding the limit, the request will be failed after applying the fix. You can modify the gflag json2pb_max_recursion_depth to change the limit."
}
],
"value": "Uncontrolled recursion in the json2pb component in Apache bRPC (version \u003c 1.15.0) on all platforms allows remote attackers to make the server crash via sending deep recursive json data.\n\nRoot Cause:\nThe bRPC\u00a0json2pb component uses rapidjson to parse json data from the network. The rapidjson parser uses a recursive parsing method by default. If the input json has a large depth of recursive structure, the parser function may run into stack overflow.\n\nAffected Scenarios:\nUse bRPC server with protobuf message to serve http+json requests from untrusted network. Or directly use\u00a0JsonToProtoMessage to convert json from\u00a0untrusted input.\n\n\n\nHow to Fix: \n(Choose one of the following options)\u00a0\n1. Upgrade bRPC to version 1.15.0, which fixes this issue.\n2. Apply this patch: https://github.com/apache/brpc/pull/3099 \n\n\n\nNote:\nNo matter which option \n\nyou choose, you should know that the fix introduces a recursion depth limit with default value 100. It affects these functions:\u00a0\n\nProtoMessageToJson, ProtoMessageToProtoJson, JsonToProtoMessage, and ProtoJsonToProtoMessage.\n\n If your requests contain json or protobuf messages that have a depth exceeding the limit, the request will be failed after applying the fix. You can modify the gflag json2pb_max_recursion_depth to change the limit."
}
],
"metrics": [
{
"other": {
"content": {
"text": "critical"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-674",
"description": "CWE-674 Uncontrolled Recursion",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T10:22:41.697Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/ozmcsztcpxn61jxod8jo8q46jo0oc1zx"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache bRPC: Stack Exhaustion via Unbounded Recursion in JSON Parser",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-59789",
"datePublished": "2025-12-01T10:22:41.697Z",
"dateReserved": "2025-09-20T06:17:58.940Z",
"dateUpdated": "2025-12-01T15:05:18.284Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-54472 (GCVE-0-2025-54472)
Vulnerability from cvelistv5
Published
2025-08-14 09:05
Modified
2025-11-04 21:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Unlimited memory allocation in redis protocol parser in Apache bRPC (all versions < 1.14.1) on all platforms allows attackers to crash the service via network.
Root Cause: In the bRPC Redis protocol parser code, memory for arrays or strings of corresponding sizes is allocated based on the integers read from the network. If the integer read from the network is too large, it may cause a bad alloc error and lead to the program crashing. Attackers can exploit this feature by sending special data packets to the bRPC service to carry out a denial-of-service attack on it.
The bRPC 1.14.0 version tried to fix this issue by limited the memory allocation size, however, the limitation checking code is not well implemented that may cause integer overflow and evade such limitation. So the 1.14.0 version is also vulnerable, although the integer range that affect version 1.14.0 is different from that affect version < 1.14.0.
Affected scenarios: Using bRPC as a Redis server to provide network services to untrusted clients, or using bRPC as a Redis client to call untrusted Redis services.
How to Fix: we provide two methods, you can choose one of them:
1. Upgrade bRPC to version 1.14.1.
2. Apply this patch ( https://github.com/apache/brpc/pull/3050 ) manually.
No matter you choose which method, you should note that the patch limits the maximum length of memory allocated for each time in the bRPC Redis parser. The default limit is 64M. If some of you redis request or response have a size larger than 64M, you might encounter error after upgrade. For such case, you can modify the gflag redis_max_allocation_size to set a larger limit.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache bRPC |
Version: 0 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-54472",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-14T13:37:18.746439Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-14T14:49:23.869Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:12:49.056Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/08/12/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache bRPC",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "1.14.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Tyler Zars"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Unlimited memory allocation in redis protocol parser in Apache bRPC (all versions \u0026lt; 1.14.1) on all platforms allows attackers to crash the service via network.\u003cbr\u003e\u003cbr\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eRoot Cause: In the bRPC Redis protocol parser code, memory for arrays or strings of corresponding sizes is allocated based on the integers read from the network. If the integer read from the network is too large, it may cause a bad alloc error and lead to the program crashing. Attackers can exploit this feature by sending special data packets to the bRPC service to carry out a denial-of-service attack on it.\u003cbr\u003e\u003c/span\u003eThe bRPC 1.14.0 version tried to fix this issue by limited the memory allocation size, however, the limitation checking code is not well implemented that may cause integer overflow and evade such limitation. So the\u0026nbsp;1.14.0 version is also vulnerable, although the integer range that affect version 1.14.0 is different from that affect version \u0026lt; 1.14.0.\u003cbr\u003e\u003cbr\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAffected scenarios: Using bRPC as a Redis server to provide network services to untrusted clients, or using bRPC as a Redis client to call untrusted Redis services.\u003c/span\u003e\n\n\u003cbr\u003e\u003cbr\u003eHow to Fix: we provide two methods, you can choose one of them:\u003cbr\u003e\u003cbr\u003e1. Upgrade bRPC to version 1.14.1.\u003cbr\u003e2. Apply this patch (\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/apache/brpc/pull/3050\"\u003ehttps://github.com/apache/brpc/pull/3050\u003c/a\u003e) manually.\u003cbr\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eNo matter you choose which method, you should note that the patch limits the maximum length of memory allocated for each time in the bRPC Redis parser. The default limit is 64M. If some of you redis request or response have a size larger than 64M, you might encounter error after upgrade. For such case, you can modify the gflag\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eredis_max_allocation_size to set a larger limit.\u003c/span\u003e\u003c/span\u003e\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Unlimited memory allocation in redis protocol parser in Apache bRPC (all versions \u003c 1.14.1) on all platforms allows attackers to crash the service via network.\n\n\n\nRoot Cause: In the bRPC Redis protocol parser code, memory for arrays or strings of corresponding sizes is allocated based on the integers read from the network. If the integer read from the network is too large, it may cause a bad alloc error and lead to the program crashing. Attackers can exploit this feature by sending special data packets to the bRPC service to carry out a denial-of-service attack on it.\nThe bRPC 1.14.0 version tried to fix this issue by limited the memory allocation size, however, the limitation checking code is not well implemented that may cause integer overflow and evade such limitation. So the\u00a01.14.0 version is also vulnerable, although the integer range that affect version 1.14.0 is different from that affect version \u003c 1.14.0.\n\n\n\nAffected scenarios: Using bRPC as a Redis server to provide network services to untrusted clients, or using bRPC as a Redis client to call untrusted Redis services.\n\n\n\nHow to Fix: we provide two methods, you can choose one of them:\n\n1. Upgrade bRPC to version 1.14.1.\n2. Apply this patch ( https://github.com/apache/brpc/pull/3050 ) manually.\n\nNo matter you choose which method, you should note that the patch limits the maximum length of memory allocated for each time in the bRPC Redis parser. The default limit is 64M. If some of you redis request or response have a size larger than 64M, you might encounter error after upgrade. For such case, you can modify the gflag\u00a0redis_max_allocation_size to set a larger limit."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190 Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-14T09:05:38.944Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/r3xsy3wvs4kmfhc281173k5b6ll1xt2m"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache bRPC: Redis Parser Remote Denial of Service",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-54472",
"datePublished": "2025-08-14T09:05:38.944Z",
"dateReserved": "2025-07-23T09:19:43.081Z",
"dateUpdated": "2025-11-04T21:12:49.056Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}