Shodan
Vulnerabilities
Vulnerable Software

Vulnerability Details CVE-2025-59789

Uncontrolled recursion in the json2pb component in Apache bRPC (version < 1.15.0) on all platforms allows remote attackers to make the server crash via sending deep recursive json data. Root Cause: The bRPC json2pb component uses rapidjson to parse json data from the network. The rapidjson parser uses a recursive parsing method by default. If the input json has a large depth of recursive structure, the parser function may run into stack overflow. Affected Scenarios: Use bRPC server with protobuf message to serve http+json requests from untrusted network. Or directly use JsonToProtoMessage to convert json from untrusted input. How to Fix: (Choose one of the following options)  1. Upgrade bRPC to version 1.15.0, which fixes this issue. 2. Apply this patch: https://github.com/apache/brpc/pull/3099 Note: No matter which option you choose, you should know that the fix introduces a recursion depth limit with default value 100. It affects these functions:  ProtoMessageToJson, ProtoMessageToProtoJson, JsonToProtoMessage, and ProtoJsonToProtoMessage. If your requests contain json or protobuf messages that have a depth exceeding the limit, the request will be failed after applying the fix. You can modify the gflag json2pb_max_recursion_depth to change the limit.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 32.4%
CVSS Severity
CVSS v3 Score 7.5
Products affected by CVE-2025-59789
  • Apache » Brpc » Version: 0.9.0
    cpe:2.3:a:apache:brpc:0.9.0
  • Apache » Brpc » Version: 0.9.5
    cpe:2.3:a:apache:brpc:0.9.5
  • Apache » Brpc » Version: 0.9.6
    cpe:2.3:a:apache:brpc:0.9.6
  • Apache » Brpc » Version: 0.9.7
    cpe:2.3:a:apache:brpc:0.9.7
  • Apache » Brpc » Version: 0.9.8
    cpe:2.3:a:apache:brpc:0.9.8
  • Apache » Brpc » Version: 1.0.0
    cpe:2.3:a:apache:brpc:1.0.0
  • Apache » Brpc » Version: 1.0.1
    cpe:2.3:a:apache:brpc:1.0.1
  • Apache » Brpc » Version: 1.1.0
    cpe:2.3:a:apache:brpc:1.1.0
  • Apache » Brpc » Version: 1.10.0
    cpe:2.3:a:apache:brpc:1.10.0
  • Apache » Brpc » Version: 1.11.0
    cpe:2.3:a:apache:brpc:1.11.0
  • Apache » Brpc » Version: 1.12.0
    cpe:2.3:a:apache:brpc:1.12.0
  • Apache » Brpc » Version: 1.12.1
    cpe:2.3:a:apache:brpc:1.12.1
  • Apache » Brpc » Version: 1.13.0
    cpe:2.3:a:apache:brpc:1.13.0
  • Apache » Brpc » Version: 1.14.0
    cpe:2.3:a:apache:brpc:1.14.0
  • Apache » Brpc » Version: 1.14.1
    cpe:2.3:a:apache:brpc:1.14.1
  • Apache » Brpc » Version: 1.2.0
    cpe:2.3:a:apache:brpc:1.2.0
  • Apache » Brpc » Version: 1.3.0
    cpe:2.3:a:apache:brpc:1.3.0
  • Apache » Brpc » Version: 1.4.0
    cpe:2.3:a:apache:brpc:1.4.0
  • Apache » Brpc » Version: 1.5.0
    cpe:2.3:a:apache:brpc:1.5.0
  • Apache » Brpc » Version: 1.6.0
    cpe:2.3:a:apache:brpc:1.6.0
  • Apache » Brpc » Version: 1.6.1
    cpe:2.3:a:apache:brpc:1.6.1
  • Apache » Brpc » Version: 1.7.0
    cpe:2.3:a:apache:brpc:1.7.0
  • Apache » Brpc » Version: 1.8.0
    cpe:2.3:a:apache:brpc:1.8.0
  • Apache » Brpc » Version: 1.9.0
    cpe:2.3:a:apache:brpc:1.9.0


Products
Pricing
Contact Us

Shodan ® - All rights reserved