CVE-2025-59789 is a vulnerability in the Apache bRPC framework's json2pb component, specifically in versions before 1.15.0. The root cause is the use of the rapidjson parser's default recursive parsing method, which does not limit recursion depth. When processing JSON data with excessive nesting, this leads to uncontrolled recursion, causing stack overflow and ultimately crashing the server process. This vulnerability can be exploited remotely by attackers sending specially crafted HTTP+JSON requests containing deeply nested JSON structures to bRPC servers that use protobuf messages. The affected functions include ProtoMessageToJson, ProtoMessageToProtoJson, JsonToProtoMessage, and ProtoJsonToProtoMessage. The vulnerability does not require authentication or user interaction, making it easier to exploit. The fix, introduced in bRPC version 1.15.0 and available as a patch, enforces a recursion depth limit (default 100) to prevent stack overflow. This limit can be adjusted via the gflag json2pb_max_recursion_depth to balance security and functionality. However, requests with JSON or protobuf messages exceeding this depth will fail after applying the fix. No known exploits are currently reported in the wild, but the vulnerability's high CVSS score (7.5) reflects its potential impact on availability. This vulnerability is categorized under CWE-674 (Uncontrolled Recursion).

For European organizations, the primary impact of CVE-2025-59789 is denial-of-service (DoS) due to server crashes triggered by maliciously crafted JSON payloads. Organizations using Apache bRPC in public-facing services or internal APIs that accept JSON input from untrusted networks are vulnerable. This can lead to service outages, affecting business continuity and potentially causing reputational damage. Critical sectors such as finance, telecommunications, and government services relying on bRPC for RPC communication may experience disruptions. The vulnerability does not compromise confidentiality or integrity directly but can be leveraged as part of a broader attack strategy to degrade service availability. Given the ease of remote exploitation without authentication, attackers can launch automated attacks at scale. The recursion depth limit introduced in the fix may also impact legitimate applications that use deeply nested JSON or protobuf messages, requiring careful configuration to avoid service disruptions.

European organizations should prioritize upgrading Apache bRPC to version 1.15.0, which contains the official fix for this vulnerability. If immediate upgrade is not feasible, applying the patch from the Apache bRPC GitHub repository (PR #3099) is recommended. After applying the fix, review and adjust the gflag json2pb_max_recursion_depth to accommodate legitimate JSON/protobuf message depths without compromising security. Implement network-level protections such as web application firewalls (WAFs) and rate limiting to detect and block anomalous requests with excessively deep JSON structures. Monitor logs for repeated crashes or malformed JSON payloads indicative of exploitation attempts. Conduct thorough testing of applications using bRPC to identify any legitimate use cases of deep recursion that may be affected by the recursion depth limit and refactor them if necessary. Additionally, segment and isolate bRPC services to minimize the blast radius of potential DoS attacks. Maintain up-to-date threat intelligence feeds to detect emerging exploit attempts targeting this vulnerability.