A critical security vulnerability has been discovered in the Apache bRPC framework that could allow remote attackers to crash servers by sending specially crafted JSON data.
The flaw, tracked as CVE-2025-59789, affects all versions of Apache bRPC before 1.15.0 across all platforms.
The vulnerability exists in the json2pb component of Apache bRPC, which converts JSON data to Protocol Buffer messages.
The component relies on rapidjson for parsing JSON data received from the network. By default, the rapidjson parser uses a recursive parsing method.
When attackers send JSON data with deeply nested recursive structures, the parser function exhausts the stack memory, resulting in a stack overflow.
CVE ID: CVE-2025-59789
CVSS Score: 9.8 (Critical)
Attack Vector: Network
Affected Versions: Apache bRPC < 1.15.0
Vulnerability Type: Uncontrolled Recursion / Stack Overflow
This causes the server to crash, leading to a denial-of-service condition. Organizations using bRPC servers are at risk if they meet either of the following conditions:
Running a bRPC server whose protobuf-based services handle HTTP+JSON requests from untrusted networks.
Using the JsonToProtoMessage function to convert JSON from untrusted input sources.
Apache has provided two options to address this security issue:
Upgrade to Apache bRPC version 1.15.0, which includes the complete fix for this vulnerability.
Apply the official patch available on GitHub for those unable to upgrade immediately.
Both fixes
Source: https://cybersecuritynews.com/apache-brpc-framework-vulnerability/
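The mitigation the article and the record below describe (validating nesting depth before a recursive parser sees untrusted JSON) can be applied at the service boundary. The following is an added illustration written for this page; it is not Apache bRPC's code, rapidjson's code, or the official patch. It scans the raw payload in a single non-recursive pass, counts the maximum depth of objects and arrays while ignoring brackets inside string literals, and stops as soon as a configurable limit is exceeded, so the check itself uses constant stack space no matter how deep the input is. The `accept_for_conversion` gate, the `nested_arrays` helper, the sample payloads and the limit of 256 are all constructed for the example.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>

// Result of scanning a JSON payload for nesting depth.
struct DepthCheck {
    bool ok;            // true if the depth stayed within the limit and brackets balanced
    std::size_t depth;  // maximum nesting depth observed (stops counting once the limit is passed)
};

// Compute the maximum nesting depth of objects/arrays in a JSON text using a
// single loop (no recursion). Brackets inside string literals are ignored, and
// backslash escapes inside strings are honoured so an escaped quote does not
// end the string early. The scan returns as soon as depth exceeds max_depth,
// so the cost of rejecting a hostile payload is bounded by the limit itself.
DepthCheck json_nesting_depth(const std::string& text, std::size_t max_depth) {
    std::size_t depth = 0;
    std::size_t max_seen = 0;
    bool in_string = false;
    bool escaped = false;

    for (char c : text) {
        if (in_string) {
            if (escaped) {
                escaped = false;          // character after a backslash is literal
            } else if (c == '\\') {
                escaped = true;
            } else if (c == '"') {
                in_string = false;        // closing quote of the string literal
            }
            continue;
        }
        switch (c) {
            case '"':
                in_string = true;
                break;
            case '{':
            case '[':
                ++depth;
                if (depth > max_seen) max_seen = depth;
                if (depth > max_depth) return {false, depth};  // reject early
                break;
            case '}':
            case ']':
                if (depth == 0) return {false, max_seen};       // closing bracket with no opener
                --depth;
                break;
            default:
                break;
        }
    }
    // Balanced input ends at depth 0 and outside any string literal.
    return {depth == 0 && !in_string, max_seen};
}

// Constructed helper: build a payload of n nested arrays, e.g. "[[[]]]" for n = 3.
std::string nested_arrays(std::size_t n) {
    return std::string(n, '[') + std::string(n, ']');
}

// Hypothetical service-boundary gate: only payloads that pass the depth check
// would be handed to a recursive JSON-to-protobuf conversion routine.
bool accept_for_conversion(const std::string& body, std::size_t max_depth) {
    return json_nesting_depth(body, max_depth).ok;
}

int main() {
    const std::size_t kMaxDepth = 256;  // constructed limit for the example

    // Constructed sample: an ordinary request body with brackets inside a string.
    const std::string benign = "{\"user\": \"alice\", \"tags\": [\"[admin]\", {\"nested\": true}]}";
    DepthCheck r = json_nesting_depth(benign, kMaxDepth);
    std::printf("benign payload: ok=%d depth=%zu\n", r.ok, r.depth);

    // Constructed sample: a payload nested far deeper than any legitimate request.
    const std::string hostile = nested_arrays(100000);
    r = json_nesting_depth(hostile, kMaxDepth);
    std::printf("deeply nested payload: ok=%d depth=%zu (rejected before parsing)\n", r.ok, r.depth);

    return accept_for_conversion(benign, kMaxDepth) && !accept_for_conversion(hostile, kMaxDepth) ? 0 : 1;
}
```

The pre-check complements, rather than replaces, a parser-side fix: rapidjson itself offers `kParseIterativeFlag`, which makes its parser use an explicit stack instead of recursion, and the record below lists switching to iterative parsing as the corrective action taken in 1.15.0. A boundary check like this one is the defence-in-depth layer for a service that must still accept JSON from untrusted networks while an upgrade is being rolled out, and its rejections are also a useful signal to log and alert on.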
The Apache Software Foundation cybersecurity rating report: https://www.rankiteo.com/company/the-apache-software-foundation
"id": "THE1764583470",
"linkid": "the-apache-software-foundation",
"type": "Vulnerability",
"date": "12/2025",
"severity": "60",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
{'incident': {'affected_entities': [{'customers_affected': None,
'industry': None,
'location': 'Global',
'name': 'Organizations using Apache bRPC',
'size': None,
'type': ['Enterprises',
'Developers',
'Service Providers']}],
'attack_vector': 'Network',
'data_breach': {'data_encryption': None,
'data_exfiltration': None,
'file_types_exposed': None,
'number_of_records_exposed': None,
'personally_identifiable_information': None,
'sensitivity_of_data': None,
'type_of_data_compromised': None},
'description': 'A critical security vulnerability '
'(CVE-2025-59789, CVSS 9.8) has been discovered '
'in the Apache bRPC framework, allowing remote '
'attackers to crash servers by sending specially '
'crafted JSON data with deeply nested recursive '
'structures. The flaw exists in the json2pb '
"component, which relies on rapidjson's recursive "
'parsing method, leading to stack exhaustion and '
'denial-of-service (DoS) conditions. Affected '
'versions include all Apache bRPC releases before '
'1.15.0. Organizations running bRPC servers '
'handling HTTP+JSON requests from untrusted '
'networks or using `JsonToProtoMessage` with '
'untrusted inputs are at risk.',
'impact': {'brand_reputation_impact': None,
'conversion_rate_impact': None,
'customer_complaints': None,
'data_compromised': None,
'downtime': 'Potential server crashes leading to '
'service unavailability',
'financial_loss': None,
'identity_theft_risk': None,
'legal_liabilities': None,
'operational_impact': 'Disruption of services relying '
'on bRPC servers',
'payment_information_risk': None,
'revenue_loss': None,
'systems_affected': ['Apache bRPC servers < 1.15.0 '
'handling HTTP+JSON requests']},
'initial_access_broker': {'backdoors_established': None,
'data_sold_on_dark_web': None,
'entry_point': 'Network (HTTP+JSON '
'requests to bRPC '
'servers)',
'high_value_targets': None,
'reconnaissance_period': None},
'investigation_status': 'Vulnerability disclosed; '
'patches/upgrades available',
'post_incident_analysis': {'corrective_actions': ['Replace '
'recursive '
'parsing with '
'iterative '
'methods in '
'json2pb '
'(fixed in '
'v1.15.0)',
'Enforce input '
'size limits '
'for JSON '
'payloads',
'Add '
'validation '
'for recursive '
'depth in JSON '
'structures'],
'root_causes': ['Use of recursive '
'parsing in rapidjson '
'within json2pb '
'component',
'Lack of input '
'validation for '
'deeply nested JSON '
'structures',
'Default '
'configuration '
'allowing untrusted '
'JSON inputs to '
'trigger stack '
'overflow']},
'ransomware': {'data_encryption': None,
'data_exfiltration': None,
'ransom_demanded': None,
'ransom_paid': None,
'ransomware_strain': None},
'recommendations': ['Upgrade to Apache bRPC 1.15.0 immediately '
'to mitigate the vulnerability.',
'Avoid using `JsonToProtoMessage` with '
'untrusted JSON inputs if upgrade/patch is '
'not feasible.',
'Monitor bRPC servers for unusual JSON '
'payloads or recursive structures.',
'Implement network-level protections (e.g., '
'WAF rules) to block malformed JSON '
'requests.'],
'references': [{'date_accessed': None,
'source': 'Apache bRPC Security Advisory',
'url': None},
{'date_accessed': None,
'source': 'CVE-2025-59789 Details',
'url': None},
{'date_accessed': None,
'source': 'GitHub Patch for CVE-2025-59789',
'url': None}],
'regulatory_compliance': {'fines_imposed': None,
'legal_actions': None,
'regulations_violated': None,
'regulatory_notifications': None},
'response': {'adaptive_behavioral_waf': None,
'communication_strategy': None,
'containment_measures': ['Isolate affected bRPC '
'servers from untrusted '
'networks',
'Disable HTTP+JSON request '
'handling temporarily'],
'enhanced_monitoring': None,
'incident_response_plan_activated': None,
'law_enforcement_notified': None,
'network_segmentation': None,
'on_demand_scrubbing_services': None,
'recovery_measures': None,
'remediation_measures': ['Upgrade to Apache bRPC '
'version 1.15.0 '
'(recommended fix)',
'Apply official patch from '
'GitHub (alternative for '
'unable-to-upgrade '
'systems)'],
'third_party_assistance': None},
'title': 'Critical Stack Overflow Vulnerability in Apache bRPC '
'(CVE-2025-59789)',
'type': 'Denial-of-Service (DoS)',
'vulnerability_exploited': 'CVE-2025-59789 (Uncontrolled '
'Recursion / Stack Overflow in '
'json2pb component)'}}