Apache bRPC Server Crash

An Apache bRPC server crash disrupts service, often manifesting as An Apache bRPC server crash disrupts service, often manifesting as segmentation faults or unexpected exits.

Primary causes include:
1. **Memory Corruption:** Use-after-free, double-free, or buffer overflows within user code or bRPC's internal handling of complex data.
2. **Race Conditions:** Concurrent access issues leading to data corruption or deadlocks.
3. **Resource Exhaustion:** Running out of file descriptors, memory, or thread pool capacity.
4. **Unhandled Exceptions:** Exceptions thrown by user-defined RPC methods that aren't caught.
5. **Network Issues:** Malformed requests or underlying network instability.

Debugging involves analyzing system logs (dmesg, syslog), bRPC's own error logs, and core dump files. Tools like `gdb` are essential to trace the stack and pinpoint the exact crash location. Proactive monitoring of system resources helps identify precursors. Ensuring robust error handling and thorough testing are key to stability.

Severity: critical

Affected versions:

- Apache bRPC before 1.15.0

Description:

Uncontrolled recursion in the json2pb component in Apache bRPC (version < 1.15.0) on all platforms allows remote attackers to make the server crash via sending deep recursive json data.

Root Cause:
The bRPC json2pb component uses rapidjson to parse json data from the network. The rapidjson parser uses a recursive parsing method by default. If the input json has a large depth of recursive structure, the parser function may run into stack overflow.

Affected Scenarios:
Use bRPC server with protobuf message to serve http+json requests from untrusted network. Or directly use JsonToProtoMessage to convert json from untrusted input.



How to Fix:
(Choose one of the following options)
1. Upgrade bRPC to version 1.15.0, which fixes this issue.
2. Apply this patch: https://github.com/apache/brpc/pull/3099



Note:
No matter which option

you choose, you should know that the fix introduces a recursion depth limit with default value 100. It affects these functions:

ProtoMessageToJson, ProtoMessageToProtoJson, JsonToProtoMessage, and ProtoJsonToProtoMessage.

If your requests contain json or protobuf messages that have a depth exceeding the limit, the request will be failed after applying the fix. You can modify the gflag json2pb_max_recursion_depth to change the limit.

Credit:

Tyler Zars (finder)

References:

https://brpc.apache.org
https://www.cve.org/CVERecord?id=CVE-2025-59789