Severity
High
Analysis Summary
A vulnerability, CVE‑2025‑59789, has been identified in the Apache bRPC framework, affecting all versions prior to 1.15.0. Rated high severity, this flaw allows a remote, unauthenticated attacker to crash a vulnerable server by sending maliciously crafted JSON. The issue resides in the json2pb component, which converts JSON input into Protocol Buffer messages and is used by every bRPC service that exposes HTTP+JSON endpoints. json2pb parses input with rapidjson, whose default parsing mode is recursive, so every nested array or object costs one more stack frame and the parser becomes susceptible to stack exhaustion.
Attackers exploit this weakness by sending deeply nested JSON structures. As rapidjson descends into the nested objects and arrays, its recursive functions consume stack memory until a stack overflow occurs, crashing the bRPC process and resulting in a denial‑of‑service (DoS) condition. Systems are especially at risk if they accept JSON from untrusted networks or call JsonToProtoMessage on untrusted data. Any deployment that accepts public or semi‑public HTTP/JSON traffic through bRPC is exposed to this attack vector, and because the payload is simply a long run of opening brackets, it is trivial to generate.
To address this issue, the Apache bRPC project has released a complete fix in bRPC version 1.15.0 and an official GitHub patch for environments unable to upgrade immediately. Both add a recursion depth limit, set by default to 100, preventing excessively nested messages from triggering uncontrolled recursion. The change covers the four conversion entry points, ProtoMessageToJson, ProtoMessageToProtoJson, JsonToProtoMessage and ProtoJsonToProtoMessage, so that nested structures are bounded in both directions of the conversion without risking stack exhaustion.
Organizations should be aware that after applying the patch or upgrading, any incoming JSON or protobuf message that exceeds the depth limit will fail to convert and the request will be rejected. Administrators can adjust the threshold with the json2pb_max_recursion_depth gflag to match operational needs, keeping in mind that a higher limit allows proportionally more stack to be consumed per request. Security teams are strongly advised to inventory their bRPC servers, verify which of them process untrusted JSON input, and apply the patch or upgrade promptly to prevent DoS attacks against services that depend on Apache bRPC.
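As an added example (not code from Apache bRPC, rapidjson or the official patch), the following C++ sketch shows both halves of the issue described above: a recursive structure walker whose stack use grows with every nested array or object, fitted with the kind of depth guard the fix introduces (100 by default), and an iterative depth count that a gateway or request filter can use to reject oversized payloads before they ever reach a recursive parser. All names (nested_json_demo, Walker, max_nesting, nested_arrays, kDefaultMaxDepth) are hypothetical, and the JSON inputs are constructed for the example.

```cpp
// Added illustration, not Apache bRPC / rapidjson code. Hypothetical names.
#include <algorithm>
#include <cstddef>
#include <iostream>
#include <stdexcept>
#include <string>

namespace nested_json_demo {

// Same default the advisory describes; raising it costs stack per level.
constexpr std::size_t kDefaultMaxDepth = 100;

enum class Verdict { Ok, TooDeep, Malformed };

// Minimal recursive JSON structure walker. Like a recursive-descent parser,
// every nested array/object consumes one more stack frame, which is the
// property the vulnerability abuses when no limit is enforced.
class Walker {
public:
    Walker(const std::string& text, std::size_t max_depth)
        : s_(text), max_depth_(max_depth) {}

    Verdict run() {
        pos_ = 0;
        try {
            skip_ws();
            value(0);
            skip_ws();
            return pos_ == s_.size() ? Verdict::Ok : Verdict::Malformed;
        } catch (const DepthError&) {
            return Verdict::TooDeep;      // clean rejection instead of a crash
        } catch (const std::runtime_error&) {
            return Verdict::Malformed;
        }
    }

private:
    struct DepthError : std::runtime_error {
        DepthError() : std::runtime_error("nesting limit exceeded") {}
    };

    void value(std::size_t depth) {
        const char c = peek();
        if (c == '{' || c == '[') {
            // The guard the fix adds: refuse *before* recursing one level deeper.
            if (depth + 1 > max_depth_) throw DepthError();
            container(depth + 1);
        } else if (c == '"') {
            string_();
        } else {
            scalar();
        }
    }
    void container(std::size_t depth) {
        const bool is_obj = s_[pos_] == '{';
        const char close = is_obj ? '}' : ']';
        ++pos_;
        skip_ws();
        if (peek() == close) { ++pos_; return; }   // empty {} or []
        for (;;) {
            skip_ws();
            if (is_obj) {                            // "key" :
                if (peek() != '"') throw std::runtime_error("object key");
                string_(); skip_ws(); expect(':'); skip_ws();
            }
            value(depth);
            skip_ws();
            if (peek() == ',') { ++pos_; continue; }
            expect(close);
            return;
        }
    }
    void string_() {                                 // opening quote at pos_
        ++pos_;
        while (pos_ < s_.size() && s_[pos_] != '"') {
            if (s_[pos_] == '\\') ++pos_;            // skip escaped character
            ++pos_;
        }
        expect('"');
    }
    void scalar() {                                  // number, true/false/null
        const std::size_t start = pos_;
        while (pos_ < s_.size() && !is_delim(s_[pos_])) ++pos_;
        if (pos_ == start) throw std::runtime_error("empty value");
    }
    static bool is_delim(char c) {
        return c == ',' || c == ']' || c == '}' || c == ' ' || c == '\t' || c == '\n' || c == '\r';
    }
    char peek() const { return pos_ < s_.size() ? s_[pos_] : '\0'; }
    void expect(char c) { if (peek() != c) throw std::runtime_error("unexpected char"); ++pos_; }
    void skip_ws() { while (pos_ < s_.size() && is_delim(s_[pos_]) && s_[pos_] != ',' && s_[pos_] != ']' && s_[pos_] != '}') ++pos_; }

    std::string s_;
    std::size_t max_depth_;
    std::size_t pos_ = 0;
};

// Iterative, O(n), string-aware nesting count: safe to run on untrusted input
// in front of a recursive parser because it uses no recursion at all.
std::size_t max_nesting(const std::string& s) {
    std::size_t depth = 0, deepest = 0;
    bool in_string = false;
    for (std::size_t i = 0; i < s.size(); ++i) {
        const char c = s[i];
        if (in_string) {
            if (c == '\\') ++i;                      // skip escaped character
            else if (c == '"') in_string = false;
        } else if (c == '"') {
            in_string = true;
        } else if (c == '{' || c == '[') {
            deepest = std::max(deepest, ++depth);
        } else if ((c == '}' || c == ']') && depth > 0) {
            --depth;
        }
    }
    return deepest;
}

// Constructed attack-style payload: n opening brackets followed by n closing ones.
std::string nested_arrays(std::size_t n) {
    return std::string(n, '[') + std::string(n, ']');
}

}  // namespace nested_json_demo

int main() {
    using namespace nested_json_demo;
    const std::string benign = "{\"a\": [1, {\"b\": \"]]]\"}]}";   // constructed input
    std::cout << "benign: nesting " << max_nesting(benign) << ", verdict "
              << static_cast<int>(Walker(benign, kDefaultMaxDepth).run()) << '\n';
    std::cout << "101 levels: verdict "
              << static_cast<int>(Walker(nested_arrays(101), kDefaultMaxDepth).run()) << '\n';
    return 0;
}
```

Passing a very large max_depth reproduces the unguarded behaviour: on a payload of a few hundred thousand '[' characters each level costs a stack frame, and the process dies with a stack overflow rather than returning a parse error, which is exactly the crash the advisory describes. The max_nesting pre-check is the shape of the "restrict or validate JSON input" mitigation: it can front an unpatched service because it never recurses, and the bracket inside the string literal in the benign sample shows why the scan has to track string state.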
Impact
- Denial of Service
Indicators of Compromise
CVE
- CVE‑2025‑59789
Affected Vendors
- Apache (bRPC, all versions prior to 1.15.0)
Remediation
- Update Apache bRPC to version 1.15.0, which includes the official fix for the vulnerability.
- Apply the official patch from GitHub if immediate upgrading is not feasible.
- Keep the recursion depth limit that the fix adds to json2pb (100 by default) in place; it is what stops deeply nested JSON from overflowing the stack.
- Adjust the json2pb_max_recursion_depth gflag only if your environment legitimately needs a different limit, bearing in mind that a higher value allows more stack to be consumed per request.
- Restrict or validate JSON input from untrusted networks to minimize exposure to maliciously crafted payloads.
- Monitor and log JSON/protobuf parsing errors to detect potential exploitation attempts.
- Review and update endpoint security configurations to ensure bRPC services are not directly exposed to untrusted traffic.
- Conduct regular vulnerability assessments to verify that all bRPC servers are patched and hardened against recursive parsing attacks.