CVE-2025-59789
CVE-2025-59789 is a high-severity vulnerability in Apache Brpc with a CVSS 3.x base score of 7.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-674.
Key facts
- Severity: High (CVSS 3.x base score 7.5)
- EPSS exploit prediction: 1% (71st percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2025-199979
- Weakness: CWE-674
- Affected product: Apache Brpc
- Published:
- Last modified:
Description
Uncontrolled recursion in the json2pb component in Apache bRPC (version < 1.15.0) on all platforms allows remote attackers to make the server crash via sending deep recursive json data. Root Cause: The bRPC json2pb component uses rapidjson to parse json data from the network. The rapidjson parser uses a recursive parsing method by default. If the input json has a large depth of recursive structure, the parser function may run into stack overflow. Affected Scenarios: Use bRPC server with protobuf message to serve http+json requests from untrusted network. Or directly use JsonToProtoMessage to convert json from untrusted input. How to Fix: (Choose one of the following options) 1. Upgrade bRPC to version 1.15.0, which fixes this issue. 2. Apply this patch: https://github.com/apache/brpc/pull/3099 Note: No matter which option you choose, you should know that the fix introduces a recursion depth limit with default value 100. It affects these functions: ProtoMessageToJson, ProtoMessageToProtoJson, JsonToProtoMessage, and ProtoJsonToProtoMessage. If your requests contain json or protobuf messages that have a depth exceeding the limit, the request will be failed after applying the fix. You can modify the gflag json2pb_max_recursion_depth to change the limit.
Frequently asked questions
- What is CVE-2025-59789?
- Uncontrolled recursion in the json2pb component in Apache bRPC (version < 1.15.0) on all platforms allows remote attackers to make the server crash via sending deep recursive json data. Root Cause: The bRPC json2pb component uses rapidjson to parse json data from the network. The rapidjson parser uses a recursive parsing method by default. If the input json has a large depth of recursive structure, the parser function may run into stack overflow. Affected Scenarios: Use bRPC server with protobuf message to serve http+json requests from untrusted network. Or directly use JsonToProtoMessage to convert json from untrusted input. How to Fix: (Choose one of the following options) 1. Upgrade bRPC to version 1.15.0, which fixes this issue. 2. Apply this patch: https://github.com/apache/brpc/pull/3099 Note: No matter which option you choose, you should know that the fix introduces a recursion depth limit with default value 100. It affects these functions: ProtoMessageToJson, ProtoMessageToProtoJson, JsonToProtoMessage, and ProtoJsonToProtoMessage. If your requests contain json or protobuf messages that have a depth exceeding the limit, the request will be failed after applying the fix. You can modify the gflag json2pb_max_recursion_depth to change the limit.
- How severe is CVE-2025-59789?
- CVE-2025-59789 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability high.
- Is CVE-2025-59789 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (71st percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2025-59789?
- CVE-2025-59789 affects Apache Brpc. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2025-59789?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2025-59789 have an EU (EUVD) identifier?
- Yes. CVE-2025-59789 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-199979.
- When was CVE-2025-59789 published?
- CVE-2025-59789 was published on 2025-12-01 and last updated on 2026-06-17.
References
- https://lists.apache.org/thread/ozmcsztcpxn61jxod8jo8q46jo0oc1zx
- http://www.openwall.com/lists/oss-security/2025/12/01/1
Affected products (1)
- cpe:2.3:a:apache:brpc:*:*:*:*:*:*:*:*
More vulnerabilities in Apache Brpc
- CVE-2025-60021 — Critical (CVSS 9.8): Remote command injection vulnerability in heap profiler builtin service in Apache bRPC ((all versions < 1.15.0)) on all…
- CVE-2023-31039 — Critical (CVSS 9.8): Security vulnerability in Apache bRPC <1.5.0 on all platforms allows attackers to execute arbitrary code via…
- CVE-2025-54472 — High (CVSS 7.5): Unlimited memory allocation in redis protocol parser in Apache bRPC (all versions < 1.14.1) on all platforms allows…
- CVE-2024-23452 — High (CVSS 7.5): Request smuggling vulnerability in HTTP server in Apache bRPC 0.9.5~1.7.0 on all platforms allows attacker to smuggle…
- CVE-2023-45757 — Medium (CVSS 6.1): Security vulnerability in Apache bRPC <=1.6.0 on all platforms allows attackers to inject XSS code to the builtin rpcz…
All CVEs affecting Apache Brpc →
Other CWE-674 (Uncontrolled Recursion) vulnerabilities
- CVE-2026-43185 — Critical (CVSS 9.8): In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix signededness bug in…
- CVE-2023-51803 — Critical (CVSS 9.8): LinuxServer.io Heimdall before 2.5.7 does not prevent use of icons that have non-image data such as the "<?php ?>"…
- CVE-2021-41752 — Critical (CVSS 9.8): Stack overflow vulnerability in Jerryscript before commit e1ce7dd7271288be8c0c8136eea9107df73a8ce2 on Oct 20, 2021 due…
- CVE-2018-1000618 — Critical (CVSS 9.8): EOSIO/eos eos version after commit f1545dd0ae2b77580c2236fdb70ae7138d2c7168 contains a stack overflow vulnerability in…
- CVE-2025-10728 — Critical (CVSS 9.4): When the module renders a Svg file that contains a <pattern> element, it might end up rendering it recursively leading…
- CVE-2026-40324 — Critical (CVSS 9.1): Hot Chocolate is an open-source GraphQL server. Prior to versions 12.22.7, 13.9.16, 14.3.1, and 15.1.14, Hot…
Browse all CWE-674 (Uncontrolled Recursion) vulnerabilities →