Mallory
Severity: High

Uncontrolled Recursion DoS in Apache bRPC json2pb

Identifiers: CVE-2025-59789, CWE-674 · Uncontrolled Recursion

CVE-2025-59789 is an uncontrolled recursion vulnerability in the json2pb component of Apache bRPC affecting versions prior to 1.15.0. The issue arises because json2pb uses RapidJSON to parse JSON input, and RapidJSON's default parsing behavior is recursive. When a bRPC server or application processes attacker-supplied JSON containing excessively deep nested structures, the recursive parser can exhaust the process stack and crash. The vulnerable scenarios described are bRPC servers using protobuf messages to serve HTTP+JSON requests from untrusted networks, and applications that directly call JsonToProtoMessage on untrusted input. The fix introduces a recursion depth limit, defaulting to 100, and applies to ProtoMessageToJson, ProtoMessageToProtoJson, JsonToProtoMessage, and ProtoJsonToProtoMessage.

ANALYST BRIEF

Impact, mitigation & remediation

Impact

What an attacker gets, and what they’ve been doing with it.

A remote attacker can trigger stack exhaustion and crash the affected server or process by sending deeply nested recursive JSON data. Based on the provided information, the impact is denial of service rather than code execution: the target becomes unavailable or the request-handling process terminates when the parser overflows the stack.

Mitigation

If you can’t patch tonight, do this now.

Until the fix is deployed, reduce exposure by preventing untrusted clients from sending arbitrary deep JSON payloads to affected bRPC HTTP+JSON endpoints, especially those converting JSON into protobuf messages. Where possible, place affected services behind input validation, schema enforcement, request filtering, API gateways, or WAF controls that reject excessively nested JSON. Restrict network access to trusted clients only. For deployments that must accept nested data, monitor for crashes and anomalous requests indicative of deep-recursion payloads. After patching, tune json2pb_max_recursion_depth to a safe value appropriate for expected message structures.
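The gateway-side check described above, as an added example that is not part of the advisory or of bRPC's own code: it measures raw bracket nesting iteratively (so the check itself cannot overflow the stack) and rejects bodies deeper than a limit, using the fix's default of 100 as the assumed threshold. Raw bracket depth only approximates the library's own recursion counter, so treat the limit as a tunable pre-filter, not as the exact json2pb behaviour.

```cpp
#include <cstddef>
#include <string>

// Assumed limit, mirroring the default of 100 that the bRPC fix uses for
// json2pb_max_recursion_depth.
constexpr int kDefaultMaxDepth = 100;

// Iteratively measures the deepest object/array nesting in a JSON text.
// Brackets inside string literals (including escaped quotes) are ignored.
// Returns -1 if brackets are unbalanced or a string is left open.
int JsonNestingDepth(const std::string& json) {
  int depth = 0, max_depth = 0;
  bool in_string = false;
  for (size_t i = 0; i < json.size(); ++i) {
    char c = json[i];
    if (in_string) {
      if (c == '\\') { ++i; continue; }  // skip the escaped character
      if (c == '"') in_string = false;
      continue;
    }
    switch (c) {
      case '"': in_string = true; break;
      case '{': case '[':
        if (++depth > max_depth) max_depth = depth;
        break;
      case '}': case ']':
        if (--depth < 0) return -1;
        break;
      default: break;
    }
  }
  return (depth == 0 && !in_string) ? max_depth : -1;
}

// Pre-filter to run before a body reaches JsonToProtoMessage: true means the
// payload is well-bracketed and no deeper than max_depth.
bool JsonDepthWithinLimit(const std::string& json,
                          int max_depth = kDefaultMaxDepth) {
  int d = JsonNestingDepth(json);
  return d >= 0 && d <= max_depth;
}

// Constructed sample payload: 'levels' nested arrays around a single number,
// the shape of input that drives a recursive parser deeper and deeper.
std::string MakeNestedArrays(int levels) {
  return std::string(levels, '[') + "0" + std::string(levels, ']');
}
```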

Remediation

Patch, then assume compromise.

Upgrade Apache bRPC to version 1.15.0 or later, which includes the fix for CVE-2025-59789. If an upgrade is not immediately possible, apply the patch referenced in Apache bRPC pull request #3099. The fix adds a recursion depth limit with a default value of 100. After remediation, review application behavior for legitimate JSON or protobuf payloads with nesting deeper than the configured limit, and adjust the json2pb_max_recursion_depth gflag if operationally necessary.
PUBLIC EXPLOITS

Exploits

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability.

Vendor: Apache Software Foundation
Product: Brpc
Type: application

Vendor-confirmed product mapping.
