Apache bRPC Vulnerability Allows Attackers to Crash the Service via Network

A severe vulnerability in Apache bRPC has been discovered that allows attackers to crash services through network exploitation, affecting all versions prior to 1.14.1. 

The vulnerability, identified as CVE-2025-54472 with “important” severity classification, stems from unlimited memory allocation in the Redis protocol parser component.

Key Takeaways
1. Apache bRPC versions before 1.14.1 have a Redis protocol parser vulnerability (CVE-2025-54472).
2. Attackers send crafted packets with oversized integer length fields to trigger memory allocation failures and crash the service.
3. Upgrade to 1.14.1 or apply the GitHub patch.

Apache bRPC Vulnerability

The root cause of this vulnerability lies in the bRPC Redis protocol parser’s handling of network data. 

When processing Redis protocol messages, the parser allocates memory for arrays or strings based on integer values read directly from network packets without proper validation. 

Malicious actors can exploit this by transmitting specially crafted data packets containing excessively large integer values, triggering a bad_alloc exception that terminates the service immediately.

The vulnerability affects critical usage scenarios, including bRPC deployments functioning as Redis servers serving untrusted clients, and bRPC instances acting as Redis clients connecting to potentially compromised Redis services. 

The attack vector requires only network access to the target service, making it particularly dangerous for internet-facing deployments.

Notably, Apache bRPC version 1.14.0 attempted to address this issue by implementing memory allocation size limitations. 

However, the fix contained a critical implementation flaw that allowed integer overflow conditions to bypass the security controls, leaving version 1.14.0 vulnerable to exploitation through different integer ranges.

Tyler Zars receives credit for discovering and reporting this vulnerability.

Risk Factors

Affected Products: Apache bRPC, all versions < 1.14.1 (all platforms)
Impact: Denial of Service
Exploit Prerequisites:
- Network access to the target bRPC service
- Service configured as a Redis server with untrusted clients, OR
- Service configured as a Redis client connecting to untrusted Redis servers
Severity: Important

Mitigations

Organizations can remediate this vulnerability through two primary approaches. The recommended solution involves upgrading to Apache bRPC version 1.14.1, which implements proper bounds checking for memory allocation requests. 

Alternatively, administrators can manually apply the available security patch.

The implemented fix introduces a default maximum allocation limit of 64MB per Redis parser operation, controlled by the redis_max_allocation_size gflag parameter. 

Organizations processing Redis requests or responses larger than 64MB should raise this parameter accordingly, otherwise legitimate operations will fail after the upgrade.
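To make the parser-side fix concrete, the following is an added C++ example (illustrative code, not bRPC's own parser) of a RESP length-header parser that bounds the length field while its digits are accumulated, so neither an integer overflow during parsing nor an oversized allocation derived from it can occur. The 64MB default mirrors the redis_max_allocation_size default described above; the function and type names are assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>

// Default cap, matching the 64MB redis_max_allocation_size default described for 1.14.1.
constexpr int64_t kDefaultMaxAllocation = 64LL * 1024 * 1024;

enum class LenStatus { kOk, kIncomplete, kMalformed, kTooLarge };

struct LenResult {
    LenStatus status;
    int64_t value;     // -1 encodes a RESP null ($-1 / *-1); otherwise >= 0
    size_t consumed;   // bytes consumed, including the trailing CRLF
};

// Parses a RESP length header such as "$4\r\n" or "*3\r\n" (hypothetical helper,
// not bRPC's parser). The value is bounded *while* digits are accumulated, so
// the integer cannot wrap and no buffer is ever sized from an unchecked number.
LenResult ParseRespLength(const char* data, size_t len,
                          int64_t max_alloc = kDefaultMaxAllocation) {
    if (len == 0) return {LenStatus::kIncomplete, 0, 0};
    if (data[0] != '$' && data[0] != '*') return {LenStatus::kMalformed, 0, 0};
    size_t i = 1;
    bool negative = false;
    if (i < len && data[i] == '-') { negative = true; ++i; }
    int64_t value = 0;
    size_t digits = 0;
    for (; i < len && data[i] >= '0' && data[i] <= '9'; ++i, ++digits) {
        const int d = data[i] - '0';
        // Guard the multiply-add itself: a cap checked only after parsing can be
        // bypassed by a value that has already wrapped around.
        if (value > (std::numeric_limits<int64_t>::max() - d) / 10)
            return {LenStatus::kTooLarge, 0, 0};
        value = value * 10 + d;
        // Reject oversize lengths before any allocation is derived from them.
        if (!negative && value > max_alloc) return {LenStatus::kTooLarge, 0, 0};
    }
    if (digits == 0)
        return {i >= len ? LenStatus::kIncomplete : LenStatus::kMalformed, 0, 0};
    if (i + 1 >= len) return {LenStatus::kIncomplete, 0, 0};  // waiting for CRLF
    if (data[i] != '\r' || data[i + 1] != '\n') return {LenStatus::kMalformed, 0, 0};
    if (negative) {
        if (value != 1) return {LenStatus::kMalformed, 0, 0};  // only "-1" (null) is legal
        return {LenStatus::kOk, -1, i + 2};
    }
    return {LenStatus::kOk, value, i + 2};
}
```

A caller would only reserve `value` bytes (or array slots) after receiving kOk, and would treat kTooLarge as a protocol error on that connection rather than as an allocation request.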

The Apache bRPC project has released comprehensive documentation and patches through their official channels, emphasizing the critical nature of this security update for production environments handling untrusted network traffic.
