Apache bRPC
cpe:2.3:a:apache:brpc:*:*:*:*:*:*:*
- < 1.15.0
A denial-of-service vulnerability has been identified in the json2pb component of Apache bRPC, affecting versions prior to 1.15.0 on all platforms. This vulnerability allows remote attackers to crash the server by sending deeply nested JSON data. The issue arises because the bRPC json2pb component relies on rapidjson for parsing JSON received from the network. By default the rapidjson parser is recursive, so each level of JSON nesting consumes another stack frame, and a document nested deeply enough overflows the stack. This vulnerability is particularly relevant when the bRPC server processes HTTP+JSON requests from untrusted networks or when untrusted JSON data is converted using the JsonToProtoMessage function.
Exploitation of this vulnerability causes the server to crash, leading to a denial-of-service condition.
Users can upgrade Apache bRPC to version 1.15.0 or apply the available patch. After applying the fix, be aware that a recursion depth limit of 100 is introduced by default, which may affect the processing of JSON or protobuf messages exceeding this depth. The limit can be adjusted by modifying the 'json2pb_max_recursion_depth' gflag.
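The advisory's fix bounds recursion inside json2pb itself. As an added illustration (this is example code, not Apache bRPC's or rapidjson's), the following C++ shows the same defensive idea applied one step earlier: a single linear scan of an untrusted request body that measures JSON nesting depth and rejects anything deeper than a configured cap before a recursive parser ever sees it. The default of 100 mirrors the `json2pb_max_recursion_depth` default quoted above; the function names, the pre-scan approach and the constructed sample input are this example's own assumptions and do not reflect how bRPC implements its limit.

```cpp
// Added example, not Apache bRPC's own code: a pre-parse nesting-depth guard
// for untrusted JSON. It tracks '{' / '[' depth while skipping string literals
// (so brackets inside strings are not counted) and stops as soon as the cap is
// exceeded, so hostile input costs at most one pass over the bytes.
#include <cstdio>
#include <cstddef>
#include <string>

// Default cap; the value matches the json2pb_max_recursion_depth default
// described in the advisory (the name here is this example's, not a gflag).
constexpr int kDefaultMaxJsonDepth = 100;

// Returns the maximum nesting depth of the JSON text, or -1 as soon as the
// depth exceeds max_depth. Only structural tokens are inspected; full JSON
// validation is left to the real parser, which then only sees bounded input.
int JsonNestingDepth(const std::string& json, int max_depth) {
    int depth = 0;
    int max_seen = 0;
    bool in_string = false;
    for (size_t i = 0; i < json.size(); ++i) {
        const char c = json[i];
        if (in_string) {
            if (c == '\\') {
                ++i;                 // skip the escaped character
            } else if (c == '"') {
                in_string = false;   // end of string literal
            }
            continue;
        }
        switch (c) {
            case '"':
                in_string = true;
                break;
            case '{':
            case '[':
                if (++depth > max_depth) return -1;   // reject early
                if (depth > max_seen) max_seen = depth;
                break;
            case '}':
            case ']':
                if (depth > 0) --depth;   // unbalanced closers are left to the parser
                break;
            default:
                break;
        }
    }
    return max_seen;
}

// Convenience wrapper: true when the body may be handed to the parser.
bool JsonDepthWithinLimit(const std::string& json,
                          int max_depth = kDefaultMaxJsonDepth) {
    return JsonNestingDepth(json, max_depth) >= 0;
}

// Constructed sample input: a body nested n levels deep, used only to
// exercise the guard.
std::string NestedArrays(int n) {
    return std::string(n, '[') + std::string(n, ']');
}

int main() {
    const std::string ok = "{\"a\": [1, {\"b\": \"[[[[\"}]}";
    std::printf("depth of sample: %d\n", JsonNestingDepth(ok, kDefaultMaxJsonDepth));
    std::printf("100 levels accepted: %d\n", JsonDepthWithinLimit(NestedArrays(100)));
    std::printf("101 levels accepted: %d\n", JsonDepthWithinLimit(NestedArrays(101)));
    return 0;
}
```

Because the scan never recurses, it runs in constant stack space regardless of input depth, which is the property a recursive parser lacks. Brackets inside string values and escaped quotes are ignored so that legitimate payloads containing `[` or `{` in text fields are not rejected; anything the scan does not recognise is simply passed through to the parser, which remains the authority on whether the document is valid JSON.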