The Apache bRPC project has issued an important security advisory addressing a critical flaw in its Redis protocol parser that could allow attackers to crash affected services remotely. The vulnerability, tracked as CVE-2025-54472, impacts all versions prior to 1.14.1, including the partially patched 1.14.0 release.
Apache bRPC is an industrial-grade RPC framework written in C++, often used in high-performance systems such as search, storage, machine learning, advertising and recommendation.
The root cause lies in how the bRPC Redis parser allocates memory for arrays and strings based on integer values read from incoming network data. As the advisory explains:
“If the integer read from the network is too large, it may cause a bad alloc error and lead to the program crashing.”
Attackers can exploit this by sending specially crafted Redis protocol data packets, triggering unlimited memory allocation and causing the application to run out of memory, resulting in a Denial-of-Service (DoS) condition.
The bRPC team attempted to fix this in version 1.14.0 by limiting memory allocation size. However, as the advisory notes:
“The limitation checking code is not well implemented… [it] may cause integer overflow and evade such limitation.”
This means version 1.14.0 remained vulnerable, albeit under slightly different conditions compared to earlier versions.
Two primary use cases are at risk:
- bRPC as a Redis Server – providing network services to untrusted clients.
- bRPC as a Redis Client – interacting with untrusted Redis services.
In both scenarios, malicious actors could exploit the flaw to disrupt system availability.
The Apache bRPC project recommends two approaches:
- Upgrade to bRPC version 1.14.1 (the official fix).
- Apply the official patch from GitHub Pull Request #3050 manually.
The patch introduces a default maximum allocation size of 64 MB for Redis parser operations. The advisory warns:
“If some of your Redis request or response have a size larger than 64M, you might encounter error after upgrade. For such case, you can modify the gflag redis_max_allocation_size to set a larger limit.”
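The two defects the advisory describes (an unbounded length read from the wire, then a limit check that an integer overflow can slip past) can both be closed at the point where the RESP length prefix is parsed. The function below is an added illustration, not bRPC's code or the patch in PR #3050: it accumulates the digits without wrapping, rejects anything but `-1` as a negative length, and compares against the cap by division so that `count * elem_size` cannot overflow the limit. The constant name and the 64 MB default are assumptions that mirror the `redis_max_allocation_size` gflag mentioned above.

```cpp
#include <cstdint>
#include <string>

// Assumed default mirroring the advisory's 64 MB cap; an illustration, not bRPC's constant.
const int64_t kRedisMaxAllocationSize = 64 * 1024 * 1024;

enum class LenStatus { kOk, kMalformed, kTooLarge, kNeedMore };
struct LenResult { LenStatus status; int64_t len; size_t consumed; };

// Parse a RESP length prefix ("$<n>\r\n" bulk string or "*<n>\r\n" array) from the
// start of `buf`. `elem_size` is the bytes each element will occupy once allocated
// (1 for bulk-string bytes, the per-slot size for arrays). Every check happens
// before any allocation, and the cap comparison is done by division so that
// count * elem_size can never wrap around the limit.
LenResult ParseRespLength(const std::string& buf, size_t elem_size, int64_t max_alloc) {
  const size_t n = buf.size();
  if (n < 1 || (buf[0] != '$' && buf[0] != '*')) return {LenStatus::kMalformed, 0, 0};
  size_t i = 1;
  bool neg = false;
  if (i < n && buf[i] == '-') { neg = true; ++i; }
  if (i >= n) return {LenStatus::kNeedMore, 0, 0};
  if (buf[i] < '0' || buf[i] > '9') return {LenStatus::kMalformed, 0, 0};
  int64_t v = 0;
  for (; i < n && buf[i] >= '0' && buf[i] <= '9'; ++i) {
    const int d = buf[i] - '0';
    // Reject before v * 10 + d can exceed INT64_MAX instead of letting it wrap.
    if (v > (INT64_MAX - d) / 10) return {LenStatus::kTooLarge, 0, 0};
    v = v * 10 + d;
  }
  if (i + 1 >= n) return {LenStatus::kNeedMore, 0, 0};        // "\r\n" not yet received
  if (buf[i] != '\r' || buf[i + 1] != '\n') return {LenStatus::kMalformed, 0, 0};
  if (neg) {                                                    // only "-1" (null) is legal
    if (v != 1) return {LenStatus::kMalformed, 0, 0};
    return {LenStatus::kOk, -1, i + 2};
  }
  // Division keeps the comparison overflow-free even for huge counts or element sizes.
  if (elem_size == 0 || v > max_alloc / static_cast<int64_t>(elem_size))
    return {LenStatus::kTooLarge, 0, 0};
  return {LenStatus::kOk, v, i + 2};
}
```

A caller allocates only after `kOk`, and treats `kTooLarge` as a protocol error to be logged and the connection closed rather than retried.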