Critical Apache bRPC JSON Parsing Vulnerability Allows Remote, Unauthenticated DoS (CVE-2025-59789)
December 5th, 2025
Critical

Our Cyber Threat Intelligence Unit is monitoring CVE-2025-59789, a critical denial-of-service vulnerability affecting Apache bRPC versions prior to 1.15.0 (public disclosure: 01 Dec 2025). The vulnerability stems from uncontrolled recursion in the framework’s json2pb component, which can cause stack exhaustion and crash affected servers when deeply nested JSON structures are encountered. Because bRPC is widely used in high-performance microservices, backend APIs, and distributed systems, successful exploitation can immediately disrupt service availability without requiring authentication. Organizations relying on bRPC should treat this as a critical availability issue and apply patches or mitigations as soon as possible.
Technical Details
CVE ID: CVE-2025-59789.
Severity: Critical (per vendor); CVSS v3.1 7.5 High (CISA ADP).
Vulnerability Type: Remote Denial-of-Service via Uncontrolled Recursion.
Attack Chain:
The vulnerability exists in Apache bRPC’s json2pb JSON-to-Protobuf conversion logic, which uses rapidjson’s recursive parsing model.
When an attacker sends a deeply nested JSON payload to a bRPC endpoint that processes untrusted input, the parser enters uncontrolled recursion.
Excessive call depth results in stack exhaustion, leading to a segmentation fault or process termination.
The attack requires no authentication, can be executed remotely, and can be repeated to maintain service downtime.
Affected Versions: Apache bRPC before 1.15.0
Patch and Mitigation Details:
The official fix (GitHub PR #3099) introduces:
A default recursion-depth limit of 100 for JSON-to-Protobuf conversions.
A configurable gflag: json2pb_max_recursion_depth.
Automatic rejection of inputs exceeding the configured depth limit.
Attack Surface:
bRPC services that accept JSON payloads over public or internal networks.
Any microservice, API, or distributed system component performing JSON-to-Protobuf conversion on untrusted input.
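The fix described above bounds recursion depth before converting JSON to Protobuf. The same control can be enforced one layer earlier, at an API gateway or request filter, so that over-deep bodies never reach the parser at all. The following is an added example written for this advisory, not bRPC's own code and not the PR #3099 patch: a streaming nesting-depth gate that walks a JSON body once, tracks the open object/array brackets on a small explicit stack (bounded by the limit, so it cannot itself exhaust the call stack), skips string literals so brackets inside strings do not count, and rejects any body whose nesting exceeds a configurable limit. The default of 100 mirrors the patched json2pb default; the namespace, function names and the sample payloads are assumptions made for this example. It also serves the later recommendation to enforce input validation at the application or gateway layer.

```cpp
// Added example (not Apache bRPC code): a bounded nesting-depth gate for JSON
// request bodies, usable in a gateway or request filter ahead of json2pb.
#include <iostream>
#include <string>
#include <vector>

namespace json_gate {

// Default limit chosen to match the patched json2pb default (100).
// The limit would normally come from configuration; here it is a parameter.
constexpr int kDefaultMaxDepth = 100;

struct DepthResult {
    int max_depth;   // deepest nesting level observed (limit+1 when exceeded)
    bool exceeded;   // nesting went past the limit
    bool balanced;   // every { / [ was closed by the matching } / ]
};

// Single pass over the body. Runs in O(n) time and O(max_depth) memory and
// stops as soon as the limit is exceeded, so it is cheap even on hostile input.
DepthResult measure_depth(const std::string& body, int max_depth = kDefaultMaxDepth) {
    DepthResult r{0, false, true};
    std::vector<char> open_brackets;   // explicit stack, never the call stack
    bool in_string = false;
    bool escaped = false;
    for (char c : body) {
        if (in_string) {                 // skip string contents, honouring \" escapes
            if (escaped)          escaped = false;
            else if (c == '\\')   escaped = true;
            else if (c == '"')    in_string = false;
            continue;
        }
        switch (c) {
            case '"':
                in_string = true;
                break;
            case '{': case '[':
                if (static_cast<int>(open_brackets.size()) >= max_depth) {
                    r.exceeded = true;
                    r.max_depth = max_depth + 1;
                    return r;            // reject early: no need to read the rest
                }
                open_brackets.push_back(c);
                if (static_cast<int>(open_brackets.size()) > r.max_depth)
                    r.max_depth = static_cast<int>(open_brackets.size());
                break;
            case '}': case ']': {
                if (open_brackets.empty()) { r.balanced = false; return r; }
                char open = open_brackets.back();
                if ((c == '}' && open != '{') || (c == ']' && open != '[')) {
                    r.balanced = false;  // mismatched bracket type
                    return r;
                }
                open_brackets.pop_back();
                break;
            }
            default:
                break;
        }
    }
    r.balanced = open_brackets.empty() && !in_string;
    return r;
}

// Gate decision: accept only bodies within the depth limit with balanced
// brackets. Unbalanced input is rejected too, since it could never convert.
bool accept_body(const std::string& body, int max_depth = kDefaultMaxDepth) {
    DepthResult r = measure_depth(body, max_depth);
    return !r.exceeded && r.balanced;
}

// Constructed test payload: `levels` nested empty arrays, "[[[...]]]".
std::string nested_arrays(int levels) {
    return std::string(levels, '[') + std::string(levels, ']');
}

}  // namespace json_gate

int main() {
    const std::string normal = "{\"name\":\"a\",\"tags\":[1,2,{\"x\":\"{{{\"}]}";
    std::cout << "normal body accepted: " << json_gate::accept_body(normal) << "\n";
    std::cout << "100 levels accepted:  " << json_gate::accept_body(json_gate::nested_arrays(100)) << "\n";
    std::cout << "101 levels accepted:  " << json_gate::accept_body(json_gate::nested_arrays(101)) << "\n";
    return 0;
}
```

Because the scan keeps its own bracket stack capped at the configured limit, the gate itself is immune to the stack-exhaustion pattern it is filtering, and it can sit in front of any backend that performs JSON-to-Protobuf conversion, patched or not.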

Impact
Exploitation of CVE-2025-59789 allows a remote, unauthenticated attacker to crash any service that uses the vulnerable bRPC JSON parser. Potential impacts include:
Immediate Denial-of-Service for applications relying on the affected bRPC server.
Disruption of microservices and distributed workflows due to upstream/downstream dependency failures.
Cascading outages triggered by retries, timeouts, or orchestrator-driven restarts.
Repeated exploitation results in sustained service instability.
Elevated risk to availability SLAs for customer-facing or high-volume workloads.
Operational overhead associated with manual restarts, failover events, or emergency remediation.
Detection Method
Server & Application Logs:
Crashes occurring immediately after receiving unusually deep JSON structures.
Stack overflow errors, segmentation faults, or unhandled exceptions from JSON parsing routines.
Repeated termination of bRPC worker processes or containers.
Network Indicators:
Bursts of RPC traffic containing abnormally large or deeply nested JSON payloads.
Repeated requests targeting endpoints that perform JSON-to-Protobuf conversion.
Irregular traffic spikes correlated with service crashes.
Service Health Monitoring:
Unexpected service restarts or rapid container/pod churn in Kubernetes environments.
Episodic downtime synchronized with anomalous inbound request activity.
Version Audit:
Inventory bRPC deployments and flag instances running versions earlier than 1.15.0.
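The log-based indicators above (segmentation faults from JSON parsing routines, repeated worker termination) can be turned into a simple crash-loop detector. The following is an added example for this advisory, not bRPC code: it scans log lines for parser crashes and fires when a configurable number of them fall inside a sliding time window. The log format ("<epoch seconds> <level> <message>"), the message wording and the sample lines are all constructed for the example and are not bRPC's real log output; a deployment would adapt `is_parser_crash` to its own crash and restart messages.

```cpp
// Added example (not Apache bRPC code): sliding-window crash-loop detection
// over constructed log lines, matching the detection guidance above.
#include <deque>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

namespace crash_detect {

// Constructed sample log in an assumed "<epoch> <level> <message>" format.
// Three parser crashes within about one minute, then normal traffic resumes.
const std::vector<std::string> kSampleLog = {
    "1764921600 INFO  server started, listening on :8000",
    "1764921605 INFO  request /api/convert 200 body_bytes=412",
    "1764921610 ERROR worker pid=4121 exited: Segmentation fault in json2pb conversion",
    "1764921611 INFO  worker restarted pid=4130",
    "1764921640 ERROR worker pid=4130 exited: Segmentation fault in json2pb conversion",
    "1764921641 INFO  worker restarted pid=4142",
    "1764921670 ERROR worker pid=4142 exited: Segmentation fault in json2pb conversion",
    "1764921900 INFO  request /api/convert 200 body_bytes=388",
};

// A crash line counts only if it both looks like stack exhaustion / a fault
// and is attributed to the JSON-to-Protobuf path (assumed message wording).
bool is_parser_crash(const std::string& line) {
    bool fault = line.find("Segmentation fault") != std::string::npos ||
                 line.find("stack overflow") != std::string::npos;
    bool in_json2pb = line.find("json2pb") != std::string::npos;
    return fault && in_json2pb;
}

struct Alert {
    bool fired;             // threshold reached inside one window
    int  crashes_in_window; // crashes counted when it fired
    long window_start;      // epoch of the oldest crash in that window
    long window_end;        // epoch of the crash that triggered the alert
};

// Fire once `threshold` parser crashes occur within `window_seconds`.
// Returns the first window that trips the threshold.
Alert detect_crash_loop(const std::vector<std::string>& lines,
                        int threshold = 3, long window_seconds = 120) {
    std::deque<long> recent;   // timestamps of crashes inside the window
    for (const std::string& line : lines) {
        if (!is_parser_crash(line)) continue;
        std::istringstream in(line);
        long ts = 0;
        if (!(in >> ts)) continue;             // malformed timestamp: skip line
        recent.push_back(ts);
        while (!recent.empty() && ts - recent.front() > window_seconds)
            recent.pop_front();                // drop crashes older than the window
        if (static_cast<int>(recent.size()) >= threshold)
            return Alert{true, static_cast<int>(recent.size()), recent.front(), ts};
    }
    return Alert{false, 0, 0, 0};
}

}  // namespace crash_detect

int main() {
    crash_detect::Alert a = crash_detect::detect_crash_loop(crash_detect::kSampleLog);
    if (a.fired)
        std::cout << "crash loop: " << a.crashes_in_window << " json2pb crashes between "
                  << a.window_start << " and " << a.window_end << "\n";
    else
        std::cout << "no crash loop detected\n";
    return 0;
}
```

Tune `threshold` and `window_seconds` to the service's normal restart behaviour; a tighter window reduces noise from unrelated one-off faults, and pairing the alert with the network indicators above (request bursts carrying deeply nested bodies at the same timestamps) raises confidence that the restarts are driven by inbound traffic rather than an internal bug.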
Indicators of Compromise
There are no Indicators of Compromise (IOCs) for this advisory.

Recommendations
Immediate Actions:
Upgrade Apache bRPC to version 1.15.0 or later.
Restrict network exposure to bRPC services via firewall rules, IP allowlists, or API gateways.
Enforce input validation and request size limits at the application or gateway layers.
Increase monitoring for crash loops, parser errors, and anomalous RPC traffic.
Security Hardening:
Apply rate limiting on RPC endpoints to reduce the impact of automated crash attempts.
Deploy reverse proxies or WAF controls to reject malformed or excessively nested JSON payloads.
Review past logs for unexplained service crashes that may indicate prior probing or exploitation.
Segment critical systems so that a single bRPC failure cannot cascade across production workloads.
Conclusion
CVE-2025-59789 presents a critical availability threat for organizations using Apache bRPC. The vulnerability can be exploited remotely without authentication, allowing attackers to repeatedly crash affected services by sending crafted, deeply nested JSON. Although this vulnerability does not allow code execution, its potential to disrupt high-performance microservices and distributed systems makes timely patching essential. We urge organizations to upgrade to bRPC 1.15.0, limit exposure of RPC endpoints, and enforce strict input controls to prevent service outages and maintain operational resilience.