
CVE

CVE-2025-59789

Uncontrolled recursion in the json2pb component in Apache bRPC (version < 1.15.0) on all platforms allows remote attackers to make the server crash via sending deep recursive json data.

Root Cause:

The bRPC json2pb component uses rapidjson to parse json data from the network. The rapidjson parser uses a recursive parsing method by default. If the input json has a large depth of recursive structure, the parser function may run into stack overflow.

Affected Scenarios:

A bRPC server that uses protobuf messages to serve http+json requests from an untrusted network, or any code that calls JsonToProtoMessage directly on untrusted input.

How to Fix:

(Choose one of the following options)

  1. Upgrade bRPC to version 1.15.0, which fixes this issue.
  2. Apply this patch: https://github.com/apache/brpc/pull/3099

Note:

Whichever option you choose, be aware that the fix introduces a recursion depth limit with a default value of 100. It affects these functions: ProtoMessageToJson, ProtoMessageToProtoJson, JsonToProtoMessage, and ProtoJsonToProtoMessage.

If your requests contain json or protobuf messages whose nesting depth exceeds the limit, those requests will fail after the fix is applied. You can modify the gflag json2pbmaxrecursion_depth to change the limit.
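The fix described above bounds how deep the recursive parser is allowed to go. The following is an added example, not code from bRPC or from this advisory: a small pre-parse gate that measures the nesting depth of a JSON document (skipping brackets that appear inside string literals) and rejects input deeper than a limit, using the advisory's default of 100 as the constructed limit. The function names and the nested-array test document are assumptions for illustration; a service could run such a check before handing untrusted bytes to any recursion-based JSON parser.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Constructed limit mirroring the default recursion depth (100) introduced by the fix.
constexpr int kMaxJsonDepth = 100;

// Returns the maximum nesting depth of objects/arrays in `text`.
// Brackets inside string literals (including escaped quotes) are ignored.
// Returns -1 if brackets are unbalanced or a string literal is unterminated.
int JsonNestingDepth(const std::string& text) {
    int depth = 0;
    int max_depth = 0;
    bool in_string = false;
    bool escaped = false;
    for (char c : text) {
        if (in_string) {
            if (escaped) {
                escaped = false;          // character after a backslash is literal
            } else if (c == '\\') {
                escaped = true;
            } else if (c == '"') {
                in_string = false;        // closing quote of the literal
            }
            continue;
        }
        switch (c) {
            case '"':
                in_string = true;
                break;
            case '{':
            case '[':
                if (++depth > max_depth) max_depth = depth;
                break;
            case '}':
            case ']':
                if (--depth < 0) return -1;   // more closers than openers
                break;
            default:
                break;
        }
    }
    return (depth == 0 && !in_string) ? max_depth : -1;
}

// Gate to run before parsing untrusted JSON: true only for well-nested input
// whose depth does not exceed `limit`.
bool JsonWithinDepthLimit(const std::string& text, int limit = kMaxJsonDepth) {
    int d = JsonNestingDepth(text);
    return d >= 0 && d <= limit;
}

// Constructed test document: n nested empty arrays, e.g. "[[[]]]" for n = 3.
std::string NestedArrays(int n) {
    return std::string(static_cast<std::size_t>(n), '[') +
           std::string(static_cast<std::size_t>(n), ']');
}

int main() {
    const std::string sample = "{\"a\":[1,{\"b\":\"[[[\"}]}";  // constructed input
    std::cout << "depth of sample: " << JsonNestingDepth(sample) << "\n";
    std::cout << "100 levels accepted: " << JsonWithinDepthLimit(NestedArrays(100)) << "\n";
    std::cout << "101 levels accepted: " << JsonWithinDepthLimit(NestedArrays(101)) << "\n";
    return 0;
}
```

The scan is linear in the input size and uses no recursion itself, so it cannot trigger the failure mode it guards against; a deeper document is rejected before the parser ever sees it.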

CVSS

Severity: High
Base Score: 7.5
CVSS Version: 3.1
Score Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


References

https://lists.apache.org/thread/ozmcsztcpxn61jxod8jo8q46jo0oc1zx
http://www.openwall.com/lists/oss-security/2025/12/01/1


Basic Information

Base CVSS: 7.5
EPSS Probability: 0.00707%
EPSS Percentile: 0.71664%
Introduced Version: 0
Fix Available: 50a9075de62f1d2b825b902acbfecfddb3d9f314
