A critical vulnerability has been unearthed in Apache bRPC, an industrial-grade RPC framework widely used to power high-performance systems in search, storage, and machine learning. The flaw, tracked as CVE-2025-59789, allows remote attackers to crash servers by exploiting a weakness in how the framework parses JSON data.
The vulnerability centers on a stack exhaustion issue caused by unbounded recursion. According to the security advisory, the flaw resides in the json2pb component, where “uncontrolled recursion in the json2pb component in Apache bRPC (version < 1.15.0) on all platforms allows remote attackers to make the server crash via sending deep recursive json data.”
The root of the problem lies in the underlying parsing logic. The advisory explains that “the bRPC json2pb component uses rapidjson to parse json data from the network,” and that “the rapidjson parser uses a recursive parsing method by default.”
When an attacker sends a JSON payload with an excessively deep recursive structure, the parser consumes all available stack memory, forcing the application to crash. “If the input json has a large depth of recursive structure, the parser function may run into stack overflow.”
Organizations using bRPC to handle external traffic are particularly vulnerable. The report specifies the dangerous scenarios as those that “use bRPC server with protobuf message to serve http+json requests from untrusted network,” or those that “directly use JsonToProtoMessage to convert json from untrusted input.”
Given bRPC’s popularity in “high performance system such as Search, Storage, Machine learning, Advertisement, Recommendation etc.,” the potential impact on service availability for major tech infrastructure is significant.
The maintainers have released a fix that introduces a safety cap on how deep the data parsing can go. To mitigate this threat, administrators are advised to “upgrade bRPC to version 1.15.0, which fixes this issue”.
However, this fix comes with a functional change that developers must be aware of. “The fix introduces a recursion depth limit with default value 100”. This means legitimate requests with deeply nested structures might now be rejected. If this default limit disrupts valid operations, the advisory notes that “you can modify the gflag json2pb_max_recursion_depth to change the limit.”
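The depth cap described above can also be applied as an ingress check in front of any recursive JSON parser. The following is an added illustration, not bRPC's or rapidjson's own code: a hypothetical `json_nesting_depth` function that counts bracket nesting iteratively (so the check itself cannot exhaust the stack), ignores brackets inside string literals, and rejects documents deeper than the advisory's default limit of 100 before they reach the parser.

```cpp
#include <cstddef>
#include <string>

// Hypothetical ingress check (not part of bRPC): measure the maximum nesting
// depth of a JSON document with a simple loop, stopping as soon as the
// configured limit is exceeded. Brackets inside string literals are ignored.
// Returns the deepest nesting seen, or -1 if the limit was exceeded.
int json_nesting_depth(const std::string& doc, size_t max_depth) {
    size_t depth = 0, deepest = 0;
    bool in_string = false;
    for (size_t i = 0; i < doc.size(); ++i) {
        const char c = doc[i];
        if (in_string) {
            if (c == '\\') { ++i; }            // skip the escaped character
            else if (c == '"') { in_string = false; }
            continue;
        }
        switch (c) {
            case '"': in_string = true; break;
            case '{': case '[':
                if (++depth > max_depth) return -1;   // reject, do not parse
                if (depth > deepest) deepest = depth;
                break;
            case '}': case ']':
                if (depth > 0) --depth;
                break;
            default: break;
        }
    }
    return static_cast<int>(deepest);
}

// Mirrors the advisory's default recursion depth limit of 100 (assumed here as
// a compile-time constant; bRPC exposes it as the gflag json2pb_max_recursion_depth).
const size_t kDefaultMaxRecursionDepth = 100;

// Gate a request body before handing it to a recursive parser.
bool accept_for_parsing(const std::string& doc) {
    return json_nesting_depth(doc, kDefaultMaxRecursionDepth) >= 0;
}

// Constructed sample input: `levels` nested arrays around a single integer,
// used to exercise the boundary of the limit.
std::string nested_arrays(size_t levels) {
    return std::string(levels, '[') + "0" + std::string(levels, ']');
}
```

A document nested exactly 100 levels deep passes, while 101 levels is rejected without any recursive call having been made.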