Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <0f9c3308-8d5a-84e2-27df-b661347ffffc@apache.org>
Date: Mon, 01 Dec 2025 02:26:07 +0000
From: Wang Weibing <wwbmmm@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2025-59789: Apache bRPC: Stack Exhaustion via Unbounded
 Recursion in JSON Parser 

Severity: critical 

Affected versions:

- Apache bRPC before 1.15.0

Description:

Uncontrolled recursion in the json2pb component in Apache bRPC (version < 1.15.0) on all platforms allows remote attackers to make the server crash via sending deep recursive json data.

Root Cause:
The bRPC json2pb component uses rapidjson to parse json data from the network. The rapidjson parser uses a recursive parsing method by default. If the input json has a large depth of recursive structure, the parser function may run into stack overflow.

Affected Scenarios:
Use bRPC server with protobuf message to serve http+json requests from untrusted network. Or directly use JsonToProtoMessage to convert json from untrusted input.



How to Fix: 
(Choose one of the following options) 
1. Upgrade bRPC to version 1.15.0, which fixes this issue.
2. Apply this patch:  https://github.com/apache/brpc/pull/3099 



Note:
No matter which option 

you choose, you should know that the fix introduces a recursion depth limit with default value 100. It affects these functions: 

ProtoMessageToJson, ProtoMessageToProtoJson, JsonToProtoMessage, and ProtoJsonToProtoMessage.

 If your requests contain json or protobuf messages that have a depth exceeding the limit, the request will be failed after applying the fix. You can modify the gflag json2pb_max_recursion_depth to change the limit.

Credit:

Tyler Zars (finder)

References:

https://brpc.apache.org
https://www.cve.org/CVERecord?id=CVE-2025-59789

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.