Apache bRPC versions before 1.15.0 contain a remotely triggerable denial-of-service flaw: uncontrolled recursion in the json2pb component lets an unauthenticated attacker crash a server with a single crafted request.
The vulnerability, tracked as CVE-2025-59789 and discovered by Tyler Zars, affects vulnerable versions of the framework on all platforms and is a significant risk to any production deployment that processes HTTP+JSON requests from untrusted networks.
The root cause lies in how bRPC's json2pb component parses JSON through the rapidjson library. rapidjson's default parser is recursive: every nested array or object consumes another stack frame, which is efficient for ordinary input because nesting is shallow.
The attacker, however, controls the nesting depth. A sufficiently deeply nested JSON document drives the recursive parsing functions down until the thread's stack is exhausted, and the resulting stack overflow terminates the server process.
The attack requires minimal sophistication. Any system running bRPC as an HTTP+JSON server that accepts requests from untrusted networks is exposed.
Applications that call JsonToProtoMessage directly on untrusted JSON input face the same risk, whatever transport delivered that input.
An attacker needs only to send a JSON payload with excessive nesting depth, which can be little more than a long run of opening brackets.
The parser recurses once per nested level until the stack is exhausted, so a single request results in immediate service interruption.
The vulnerability is particularly concerning because it requires no authentication or special privileges.
Any anonymous client with network reachability to the server can trigger the denial-of-service condition, and a process crash takes down every in-flight request on that server, not just the attacker's.
Organizations relying on bRPC for critical services could face unexpected downtime, affecting business operations and customer-facing applications.
The Apache bRPC project addressed the vulnerability in version 1.15.0, which introduces a default recursion depth limit of 100 levels so that over-deep input is rejected instead of recursed into.
Organizations can either upgrade to the patched version or apply the fix directly from GitHub pull request #3099.
Administrators should be aware that the fix changes the behavior of four functions: ProtoMessageToJson, ProtoMessageToProtoJson, JsonToProtoMessage, and ProtoJsonToProtoMessage.
With the depth limit in place, any JSON or protobuf message that exceeds the threshold fails conversion (a controlled error instead of a crash), so the patch can affect legitimate requests that contain deeply nested structures.
To accommodate such cases, bRPC provides the gflag json2pb_max_recursion_depth, which lets administrators raise the limit to match their own message shapes. Because every extra level is stack an attacker can also consume, the limit should be raised only as far as legitimate traffic requires.
Organizations should therefore audit their applications to determine whether legitimate messages exceed the default 100-level threshold before deploying the fix to production.
Testing should verify that patched systems reject malicious, deeply nested payloads while still processing legitimate application traffic correctly.
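The following is an added example, not code from bRPC or rapidjson. It shows the two sides of the issue described above: an iterative nesting-depth guard that can be run over an untrusted JSON body before it reaches a recursive JSON-to-protobuf converter, and, for contrast, a deliberately recursive walker with the one-frame-per-level shape behind the bug. The 100-level default mirrors the limit the 1.15.0 fix is described as using; the function names, the payload builder and the sample bodies are this example's own.

```cpp
// Added example (not bRPC or rapidjson code): an O(1)-stack depth guard for
// untrusted JSON, a nested-payload builder for testing it, and a recursive
// walker that illustrates the vulnerable pattern. Names are hypothetical.
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <string>

constexpr long kDefaultMaxDepth = 100;  // mirrors the advisory's default limit

// Maximum nesting depth of arrays/objects in a JSON text. A loop and a
// counter replace recursion, so the check itself cannot overflow the stack
// however deep the input is. Brackets inside string literals are ignored.
// Returns -1 for unbalanced brackets or an unterminated string.
long json_max_depth(const std::string& text) {
    long depth = 0, max_depth = 0;
    bool in_string = false;
    for (std::size_t i = 0; i < text.size(); ++i) {
        const char c = text[i];
        if (in_string) {
            if (c == '\\') ++i;               // skip the escaped character
            else if (c == '"') in_string = false;
            continue;
        }
        switch (c) {
            case '"': in_string = true; break;
            case '[': case '{':
                max_depth = std::max(max_depth, ++depth);
                break;
            case ']': case '}':
                if (--depth < 0) return -1;   // close without matching open
                break;
            default: break;
        }
    }
    return (depth == 0 && !in_string) ? max_depth : -1;
}

// True if the body is safe to hand to a recursive converter under `limit`.
bool depth_within_limit(const std::string& text, long limit = kDefaultMaxDepth) {
    const long d = json_max_depth(text);
    return d >= 0 && d <= limit;
}

// Builds the kind of payload an attacker would send: n nested arrays,
// e.g. build_nested(3) == "[[[]]]". Constructed here only to exercise the guard.
std::string build_nested(std::size_t n) {
    return std::string(n, '[') + std::string(n, ']');
}

// The vulnerable shape: one stack frame per nesting level, so the sender
// decides how deep the recursion goes. Walks only the bracket skeleton and
// is here for contrast; never point it at untrusted input.
static long depth_recursive(const std::string& t, std::size_t& i) {
    const char open = t[i++];
    const char close = (open == '[') ? ']' : '}';
    long deepest = 1;
    while (i < t.size() && t[i] != close) {
        if (t[i] == '[' || t[i] == '{')
            deepest = std::max(deepest, 1 + depth_recursive(t, i));
        else
            ++i;
    }
    ++i;  // consume the closing bracket
    return deepest;
}

long json_max_depth_recursive(const std::string& text) {
    std::size_t i = 0;
    if (text.empty() || (text[0] != '[' && text[0] != '{')) return 0;
    return depth_recursive(text, i);
}

int main() {
    // Constructed sample bodies: a plausible request and an attacker payload.
    const std::string legit = "{\"user\":{\"tags\":[\"a\",\"b\"],\"name\":\"x]y\"}}";
    const std::string attack = build_nested(1000000);
    std::printf("legit  depth=%ld allowed=%d\n", json_max_depth(legit),
                static_cast<int>(depth_within_limit(legit)));
    std::printf("attack depth=%ld allowed=%d\n", json_max_depth(attack),
                static_cast<int>(depth_within_limit(attack)));
    // json_max_depth_recursive(attack) is deliberately not called: a million
    // frames is far more than a default thread stack, which is the crash.
    return 0;
}
```

The guard rejects the million-level payload in linear time and constant stack, while the legitimate body (depth 3) passes; the `]` inside the "name" string is correctly not counted. In a real deployment the pre-check and the converter's own limit (json2pb_max_recursion_depth after the fix) should agree, and rapidjson also offers an iterative parse mode (kParseIterativeFlag) that removes the recursion entirely, though whether bRPC's converters expose it is not covered by the advisory.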
Affected organizations should prioritize upgrading to bRPC 1.15.0 or applying the security patch immediately, particularly where systems handle requests from untrusted networks.
The vulnerability is highly severe because it is trivial to exploit and has a direct impact on service availability.