{
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09"
      },
      "title": "Stack Exhaustion via Unbounded Recursion in JSON Parser",
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-674 Uncontrolled Recursion",
              "lang": "en",
              "cweId": "CWE-674",
              "type": "CWE"
            }
          ]
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "affected": [
        {
          "vendor": "Apache Software Foundation",
          "product": "Apache bRPC",
          "versions": [
            {
              "status": "affected",
              "version": "0",
              "lessThan": "1.15.0",
              "versionType": "semver"
            }
          ],
          "defaultStatus": "unaffected"
        }
      ],
      "descriptions": [
        {
          "value": "Uncontrolled recursion in the json2pb component in Apache bRPC (version < 1.15.0) on all platforms allows remote attackers to make the server crash via sending deep recursive json data.\n\nRoot Cause:\nThe bRPC\u00a0json2pb component uses rapidjson to parse json data from the network. The rapidjson parser uses a recursive parsing method by default. If the input json has a large depth of recursive structure, the parser function may run into stack overflow.\n\nAffected Scenarios:\nUse bRPC server with protobuf message to serve http+json requests from untrusted network. Or directly use\u00a0JsonToProtoMessage to convert json from\u00a0untrusted input.\n\n\n\nHow to Fix: \n(Choose one of the following options)\u00a0\n1. Upgrade bRPC to version 1.15.0, which fixes this issue.\n2. Apply this patch:  https://github.com/apache/brpc/pull/3099 \n\n\n\nNote:\nNo matter which option \n\nyou choose, you should know that the fix introduces a recursion depth limit with default value 100. It affects these functions:\u00a0\n\nProtoMessageToJson, ProtoMessageToProtoJson, JsonToProtoMessage, and ProtoJsonToProtoMessage.\n\n If your requests contain json or protobuf messages that have a depth exceeding the limit, the request will be failed after applying the fix. You can modify the gflag json2pb_max_recursion_depth to change the limit.",
          "lang": "en",
          "supportingMedia": [
            {
              "type": "text/html",
              "base64": false,
              "value": "Uncontrolled recursion in the json2pb component in Apache bRPC (version &lt; 1.15.0) on all platforms allows remote attackers to make the server crash via sending deep recursive json data.<br><br>Root Cause:<br>The bRPC&nbsp;json2pb component uses rapidjson to parse json data from the network. The rapidjson parser uses a recursive parsing method by default. If the input json has a large depth of recursive structure, the parser function may run into stack overflow.<br><br>Affected Scenarios:<br>Use bRPC server with protobuf message to serve http+json requests from untrusted network. Or directly use&nbsp;JsonToProtoMessage to convert json from&nbsp;untrusted input.\n\n<br><br>How to Fix: <br>(<span style=\"background-color: rgb(255, 255, 255);\">Choose one of the following options)&nbsp;</span><br>1. Upgrade bRPC to version 1.15.0, which fixes this issue.<br><span style=\"background-color: rgb(255, 255, 255);\">2. Apply this patch: </span><a target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/apache/brpc/pull/3099\">https://github.com/apache/brpc/pull/3099</a>\n\n<br><br>Note:<br>No matter which option \n\n<span style=\"background-color: rgb(255, 255, 255);\">you choose</span>, you should know that the fix introduces a recursion depth limit with default value 100. It affects these functions:&nbsp;\n\n<span style=\"background-color: rgb(255, 255, 255);\">ProtoMessageToJson, ProtoMessageToProtoJson, JsonToProtoMessage, and ProtoJsonToProtoMessage.</span>\n\n If your requests contain json or protobuf messages that have a depth exceeding the limit, the request will be failed after applying the fix. You can modify the gflag json2pb_max_recursion_depth to change the limit."
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://lists.apache.org/thread/ozmcsztcpxn61jxod8jo8q46jo0oc1zx",
          "tags": [
            "vendor-advisory"
          ]
        }
      ],
      "metrics": [
        {
          "other": {
            "type": "Textual description of severity",
            "content": {
              "text": "critical"
            }
          }
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Tyler Zars",
          "type": "finder"
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "cveId": "CVE-2025-59789",
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "serial": 1,
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}