Critical Apache bRPC Vulnerability: Specially Crafted JSON Can Crash Servers
A critical vulnerability, tracked as CVE-2025-59789, has been discovered in the Apache bRPC (Baidu RPC) framework. It allows attackers to remotely crash servers. The flaw carries a CVSS score of 9.8, placing it in the “Critical” category, the highest risk level.
What is the essence of the vulnerability?
Apache bRPC is a high-performance RPC framework widely used by major companies and services. The vulnerability was found in the json2pb component, which converts incoming JSON data into Protocol Buffer (protobuf) format.
The json2pb module relies on the rapidjson library, which processes JSON data using a recursive parsing technique. Attackers can exploit this mechanism by sending:
- deeply nested JSON structures,
- recursive or self-referencing elements,
- specially crafted JSON payloads.
As a result, the parser function falls into excessive recursion and eventually exhausts the stack memory. This leads to a stack overflow, causing the bRPC server to crash and bringing all services relying on it to a halt.
Which versions are affected?
All of the following are vulnerable:
- Apache bRPC versions below 1.15.0
- All operating systems running the framework
- Any server that handles protobuf messages over HTTP+JSON
Systems receiving JSON from untrusted networks are at especially high risk.
Impact: Full Denial-of-Service (DoS)
A successful attack results in:
- server shutdown,
- inability to accept new connections,
- disruption of dependent services,
- temporary unavailability of critical systems.
This not only undermines service quality but also poses significant business and operational risks.
Apache’s official solutions
To address this issue, Apache has released two types of fixes:
1. Full upgrade
- Update to bRPC version 1.15.0.
- Ensures complete mitigation and improved stability.
2. Apply the official patch
If an immediate upgrade is not possible, the official patch published on GitHub can be installed.
Important update: recursion depth limit
The new version and patch introduce a recursion depth limit:
- Default maximum depth: 100
This limit applies to:
- ProtoMessageToJson
- ProtoMessageToProtoJson
- JsonToProtoMessage
- ProtoJsonToProtoMessage
Any JSON or protobuf message exceeding this depth will be rejected.
Administrators can customize the limit using the configuration flag:
json2pb_max_recursion_depth
Security recommendations
Organizations and IT teams should urgently take the following actions:
✔ 1. Update all servers
Move to bRPC 1.15.0 or apply the official patch.
✔ 2. Validate all JSON sources
Inputs from untrusted networks pose the highest risk.
✔ 3. Adjust recursion limits
Configure a safe threshold based on application needs.
✔ 4. Strengthen monitoring and log analysis
Detect stack-overflow-related crashes as early as possible.
✔ 5. Use traffic filtering and WAF
Block deeply recursive JSON structures before they reach the server.
The CVE-2025-59789 vulnerability in Apache bRPC is a serious threat to modern server infrastructures. Attackers can craft malicious JSON payloads capable of completely crashing a server, causing severe business disruptions.
System administrators and security specialists should act quickly by:
- performing updates,
- applying patches,
- monitoring and controlling incoming data.
Today, cybersecurity is not just a technical requirement — it is a core pillar of every organization’s stability. With timely action, the impact of this vulnerability can be fully prevented.