Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2025-59789

Опубликовано: 01 дек. 2025
Источник: nvd
CVSS3: 7.5
EPSS Низкий

Описание

Uncontrolled recursion in the json2pb component in Apache bRPC (version < 1.15.0) on all platforms allows remote attackers to make the server crash via sending deep recursive json data.

Root Cause: The bRPC json2pb component uses rapidjson to parse json data from the network. The rapidjson parser uses a recursive parsing method by default. If the input json has a large depth of recursive structure, the parser function may run into stack overflow.

Affected Scenarios: Use bRPC server with protobuf message to serve http+json requests from untrusted network. Or directly use JsonToProtoMessage to convert json from untrusted input.

How to Fix: (Choose one of the following options) 

  1. Upgrade bRPC to version 1.15.0, which fixes this issue.
  2. Apply this patch: https://github.com/apache/brpc/pull/3099

Note: No matter which option

you choose, you should know that the fix introduces a recursion depth limit with default value 100. It affects these functions: 

ProtoMessageToJso

Ссылки

Уязвимые конфигурации

Конфигурация 1
cpe:2.3:a:apache:brpc:*:*:*:*:*:*:*:*
Версия до 1.15.0 (исключая)

EPSS

Процентиль: 66%
0.00521
Низкий

7.5 High

CVSS3

Дефекты

CWE-674

Связанные уязвимости

debian логотип

CVE-2025-59789

CVSS3: 7.5
debian
2 месяца назад

Uncontrolled recursion in the json2pb component in Apache bRPC (versio ...

github логотип

GHSA-x4fp-gjpv-c6r5

CVSS3: 7.5
github
2 месяца назад

Uncontrolled recursion in the json2pb component in Apache bRPC (version < 1.15.0) on all platforms allows remote attackers to make the server crash via sending deep recursive json data. Root Cause: The bRPC json2pb component uses rapidjson to parse json data from the network. The rapidjson parser uses a recursive parsing method by default. If the input json has a large depth of recursive structure, the parser function may run into stack overflow. Affected Scenarios: Use bRPC server with protobuf message to serve http+json requests from untrusted network. Or directly use JsonToProtoMessage to convert json from untrusted input. How to Fix: (Choose one of the following options)  1. Upgrade bRPC to version 1.15.0, which fixes this issue. 2. Apply this patch: https://github.com/apache/brpc/pull/3099 Note: No matter which option you choose, you should know that the fix introduces a recursion depth limit with default value 100. It affects these functions:  ProtoMessageTo...

fstec логотип

BDU:2025-15100

CVSS3: 7.5
fstec
5 месяцев назад

Уязвимость библиотеки rapidjson парсера json2pb RPC-фреймворка Apache bRPC, позволяющая нарушителю вызвать отказ в обслуживании

EPSS

Процентиль: 66%
0.00521
Низкий

7.5 High

CVSS3

Дефекты

CWE-674