Live Cybersecurity News Ticker | Codekeeper

Critical Apache bRPC Vulnerability Lets Attackers Crash Servers with Malicious JSON

Written by Content Team | Dec 1, 2025 12:17:46 PM

A critical security flaw (CVE-2025-59789) in the Apache bRPC framework allows remote attackers to crash servers by sending deeply nested JSON data. The vulnerability affects all versions before 1.15.0 and lies in the json2pb component, whose recursive parsing consumes one stack frame per nesting level; input nested deeply enough exhausts the stack and crashes the process.

Servers that accept HTTP+JSON requests from untrusted networks are the most exposed. Apache has released version 1.15.0 with a complete fix, plus an official GitHub patch for immediate deployment.

The fix introduces a default recursion depth limit of 100, which administrators can adjust. Raising the limit raises the stack cost of the deepest accepted payload along with it, so the default is the safe choice unless legitimate clients are known to send deeper documents. Security teams should patch immediately to prevent denial-of-service attacks.
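To make the mechanism and the mitigation concrete, the following is an added example and not code from Apache bRPC or its json2pb component: a small recursive-descent JSON validator in C++ that recurses once per nesting level, exactly the pattern the advisory describes, and enforces a configurable nesting limit. The class and function names, the depth-counting rule, and the default limit of 100 (assumed to correspond to the fix's default) are this example's own assumptions, and the attacker payload is constructed in-line.

```cpp
// Added example, not code from Apache bRPC or its json2pb component: a minimal
// recursive-descent JSON validator with the failure class described above (one
// stack frame per nesting level, so enough '[' characters exhaust the stack) and
// the mitigation (a configurable depth limit). All names and the depth rule are
// this example's own; the default of 100 is assumed to mirror the fix's default.
#include <cstddef>
#include <string>

namespace json_depth {

enum class Status { Ok, Malformed, TooDeep };
constexpr std::size_t kDefaultMaxDepth = 100;  // assumed: the fix's default limit

class Validator {
public:
    // max_depth == 0 means "no limit", i.e. the pre-fix behaviour.
    Validator(const std::string& text, std::size_t max_depth) : s_(text), max_(max_depth) {}
    Status validate() {
        std::size_t p = 0;
        ws(p);
        Status st = value(p, 1);
        ws(p);
        return st != Status::Ok ? st : (p == s_.size() ? Status::Ok : Status::Malformed);
    }

private:
    std::string s_;
    std::size_t max_;
    void ws(std::size_t& p) {  // skip JSON whitespace
        while (p < s_.size() && (s_[p] == ' ' || s_[p] == '\t' || s_[p] == '\n' || s_[p] == '\r')) ++p;
    }
    // depth = number of containers enclosing this value, counting itself if it is one.
    Status value(std::size_t& p, std::size_t depth) {
        if (p >= s_.size()) return Status::Malformed;
        char c = s_[p];
        if (c == '[' || c == '{') {
            // The recursion the advisory describes: container() calls value() for each
            // child. Without this check, a payload nested deeply enough overflows the stack.
            if (max_ != 0 && depth > max_) return Status::TooDeep;
            return container(p, depth);
        }
        if (c == '"') return str(p);
        if (c == '-' || (c >= '0' && c <= '9')) return num(p);
        if (lit(p, "true") || lit(p, "false") || lit(p, "null")) return Status::Ok;
        return Status::Malformed;
    }
    // Handles arrays and objects; objects additionally require "key": before each value.
    Status container(std::size_t& p, std::size_t depth) {
        const bool is_obj = s_[p] == '{';
        const char close = is_obj ? '}' : ']';
        ++p;  // consume the opening bracket
        ws(p);
        if (p < s_.size() && s_[p] == close) { ++p; return Status::Ok; }  // empty container
        for (;;) {
            ws(p);
            if (is_obj) {
                if (p >= s_.size() || s_[p] != '"' || str(p) != Status::Ok) return Status::Malformed;
                ws(p);
                if (p >= s_.size() || s_[p] != ':') return Status::Malformed;
                ++p;
                ws(p);
            }
            Status st = value(p, depth + 1);  // one more stack frame per nesting level
            if (st != Status::Ok) return st;
            ws(p);
            if (p >= s_.size()) return Status::Malformed;
            if (s_[p] == ',') { ++p; continue; }
            if (s_[p] == close) { ++p; return Status::Ok; }
            return Status::Malformed;
        }
    }
    Status str(std::size_t& p) {
        ++p;  // opening quote
        while (p < s_.size()) {
            if (s_[p] == '\\') { p += 2; continue; }  // skip the escaped character
            if (s_[p] == '"') { ++p; return Status::Ok; }
            ++p;
        }
        return Status::Malformed;  // unterminated string
    }
    Status num(std::size_t& p) {  // deliberately loose number grammar; enough for the demo
        if (s_[p] == '-') ++p;
        std::size_t start = p;
        while (p < s_.size() && ((s_[p] >= '0' && s_[p] <= '9') || s_[p] == '.' || s_[p] == 'e' || s_[p] == 'E' || s_[p] == '+' || s_[p] == '-')) ++p;
        return p > start ? Status::Ok : Status::Malformed;
    }
    bool lit(std::size_t& p, const char* word) {  // consume `word` if it starts at p
        std::size_t n = std::char_traits<char>::length(word);
        return s_.compare(p, n, word) == 0 && (p += n, true);
    }
};

// Validate `text` under a depth limit; 0 disables the limit (pre-fix behaviour).
inline Status check(const std::string& text, std::size_t max_depth = kDefaultMaxDepth) {
    return Validator(text, max_depth).validate();
}
// Constructed attacker payload: n nested empty arrays, e.g. n = 3 -> "[[[]]]".
inline std::string nested_arrays(std::size_t n) {
    return std::string(n, '[') + std::string(n, ']');
}

}  // namespace json_depth
```

With the limit in place, `check(nested_arrays(200000))` is refused at the 101st container without recursing any further, so the payload costs the server a string scan instead of the process. Passing `0` as the limit restores the unbounded recursion and is the quickest way to reproduce the crash class on a platform with a small thread stack. The parameter name here is this example's; in bRPC the limit is adjusted through whatever configuration the project documents for the 1.15.0 fix.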

Source: Cyber Security News