CVE-2025-59789 Overview
CVE-2025-59789 is a high-severity Denial of Service vulnerability affecting the json2pb component in Apache bRPC versions prior to 1.15.0. The vulnerability stems from uncontrolled recursion during JSON parsing, allowing remote attackers to crash servers by sending deeply nested JSON data structures. This stack exhaustion attack can be executed without authentication from any network-accessible position.
Critical Impact
Remote attackers can trigger a complete server crash through stack overflow by sending maliciously crafted deeply recursive JSON payloads, resulting in service unavailability for all users.
Affected Products
- Apache bRPC versions prior to 1.15.0 on all platforms
- bRPC servers configured to serve HTTP+JSON requests with protobuf messages
- Applications using JsonToProtoMessage function to convert JSON from untrusted sources
Discovery Timeline
- 2025-12-01 - CVE-2025-59789 published to NVD
- 2025-12-02 - Last updated in NVD database
Technical Details for CVE-2025-59789
Vulnerability Analysis
The vulnerability is classified as CWE-674 (Uncontrolled Recursion) and has been assigned a CVSS v3.1 score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. This indicates a network-exploitable vulnerability requiring no privileges or user interaction, with high impact on system availability.
The EPSS (Exploit Prediction Scoring System) data indicates a probability score of 0.633% (69.674th percentile), suggesting moderate likelihood of exploitation in the wild.
The Apache bRPC framework's json2pb component relies on the rapidjson library for parsing JSON data received from network clients. By default, rapidjson employs a recursive parsing method to traverse the JSON structure. When processing JSON documents with excessively deep nesting levels, this recursive approach consumes stack memory for each level of depth until the stack is exhausted, resulting in a stack overflow condition that crashes the server process.
Root Cause
The root cause lies in the rapidjson parser's default recursive parsing behavior within the bRPC json2pb component. The parser does not implement a recursion depth limit, allowing unlimited nesting in incoming JSON payloads. Each level of JSON nesting consumes additional stack space as the parser descends through the structure. When an attacker supplies JSON data with hundreds or thousands of nested objects or arrays, the accumulated stack frames exceed the available stack memory, triggering a stack overflow and immediate process termination.
Attack Vector
The attack vector is network-based (AV:N) with low complexity (AC:L), requiring no privileges (PR:N) and no user interaction (UI:N). An attacker can exploit this vulnerability by:
- Identifying a bRPC server endpoint that accepts HTTP+JSON requests
- Crafting a JSON payload with deeply nested structures (e.g., thousands of nested objects or arrays)
- Sending the malicious payload to the target server
- The server's json2pb component processes the payload, recursively parsing each level
- Stack memory is exhausted, causing the server process to crash
The attack requires only network access to a vulnerable bRPC endpoint. The deeply nested JSON structure does not need to contain valid business data—only sufficient depth to exhaust the stack. Repeated attacks can maintain a persistent denial of service condition.
Detection Methods for CVE-2025-59789
Indicators of Compromise
- Sudden server crashes or process terminations without clear application errors
- Core dumps showing stack overflow in JSON parsing functions (ProtoMessageToJson, JsonToProtoMessage, ProtoMessageToProtoJson, ProtoJsonToProtoMessage)
- Abnormally large or deeply nested JSON payloads in network traffic logs
- Repeated service restarts or watchdog triggers on bRPC servers
Detection Strategies
Network-level detection should focus on identifying JSON payloads with unusual structural characteristics. Implement deep packet inspection rules to flag JSON documents exceeding normal nesting depths for your application. Monitor for patterns of requests that consistently cause backend service failures.
Application-level monitoring should track:
- Process crash events with stack overflow signatures
- Memory consumption patterns indicating recursive operations
- Request patterns from specific sources that correlate with service instability
Log analysis should correlate timing of incoming HTTP+JSON requests with service crash events to identify potential attack attempts.
Monitoring Recommendations
Deploy application performance monitoring (APM) to track json2pb component health and response times. Configure alerting on process crashes or restarts. Implement request rate limiting and payload size restrictions on bRPC endpoints exposed to untrusted networks. Consider deploying a web application firewall (WAF) with JSON depth inspection capabilities in front of vulnerable services.
How to Mitigate CVE-2025-59789
Immediate Actions Required
- Upgrade Apache bRPC to version 1.15.0 or later, which includes the recursion depth limit fix
- Alternatively, apply the patch from the official pull request: https://github.com/apache/brpc/pull/3099
- Review and restrict network access to bRPC endpoints serving HTTP+JSON from untrusted sources
- Implement input validation to reject JSON payloads with excessive nesting before they reach the parser
Patch Information
Apache has released version 1.15.0 of bRPC that addresses this vulnerability. The fix introduces a recursion depth limit with a default value of 100 levels. This limit affects the following functions:
- ProtoMessageToJson
- ProtoMessageToProtoJson
- JsonToProtoMessage
- ProtoJsonToProtoMessage
The recursion depth limit can be configured via the gflag json2pb_max_recursion_depth. Organizations should evaluate their legitimate JSON depth requirements and adjust this value accordingly.
For additional details, refer to:
- Vendor Advisory: https://lists.apache.org/thread/ozmcsztcpxn61jxod8jo8q46jo0oc1zx
- Security Disclosure: http://www.openwall.com/lists/oss-security/2025/12/01/1
Workarounds
If immediate patching is not possible, implement the following workarounds:
- Network Segmentation: Restrict access to bRPC endpoints from untrusted networks using firewall rules
- Reverse Proxy Filtering: Deploy a reverse proxy that validates JSON depth before forwarding requests to bRPC servers
- Input Validation Layer: Implement application-level JSON validation that rejects deeply nested payloads
After applying the patch, applications that legitimately require JSON structures deeper than 100 levels will need to adjust the recursion limit:
# Configuration example - adjust the maximum recursion depth limit
# Set in your bRPC application configuration or startup flags
--json2pb_max_recursion_depth=200
Note that increasing this limit also increases the potential for stack consumption, so balance operational requirements with security considerations.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
