Apache Brpc vulnerabilities
6 known vulnerabilities affecting apache/brpc.
Total CVEs: 6
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 3, MEDIUM 1
Vulnerabilities
CVE-2025-60021 | CRITICAL | CVSS 9.8 | CWE-77 | affected: ≥ 1.11.0, < 1.15.0 | 2026-01-16
Remote command injection vulnerability in the heap profiler built-in service in Apache bRPC (all versions < 1.15.0) on all platforms allows an attacker to inject remote commands.
Root Cause: The bRPC heap profiler built-in service (/pprof/heap) does not validate the user-provided extra_options parameter and executes it as a command-line argument. Attack
CVE-2025-59789 | HIGH | CVSS 7.5 | CWE-674 | fixed in 1.15.0 | 2025-12-01
Uncontrolled recursion in the json2pb component in Apache bRPC (version < 1.15.0) on all platforms allows remote attackers to crash the server by sending deeply recursive JSON data.
Root Cause: The bRPC json2pb component uses rapidjson to parse JSON data from the network. The rapidjson parser uses a recursive parsing method by default. If the inp
CVE-2025-54472 | HIGH | CVSS 7.5 | CWE-190 | fixed in 1.14.1 | 2025-08-14
Unlimited memory allocation in the redis protocol parser in Apache bRPC (all versions < 1.14.1) on all platforms allows attackers to crash the service over the network.
Root Cause: In the bRPC Redis protocol parser code, memory for arrays or strings of corresponding sizes is allocated based on the integers read from the network. If the integer read from the
CVE-2024-23452 | HIGH | CVSS 7.5 | CWE-444 | affected: ≥ 0.9.5, < 1.8.0 | 2024-02-08
Request smuggling vulnerability in the HTTP server in Apache bRPC 0.9.5~1.7.0 on all platforms allows an attacker to smuggle requests.
Vulnerability Cause Description: The http_parser does not comply with the RFC 7230 HTTP/1.1 specification.
Attack scenario: If a message is received with both a Transfer-Encoding and a Content-Length header field, such a me
CVE-2023-45757 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 1.6.1 | 2023-10-16
Security vulnerability in Apache bRPC <=1.6.0 on all platforms allows attackers to inject XSS code t
Mitigation:
1. Upgrade to bRPC 1.6.1, download link: https://dist.apache.org/repos/dist/release/brpc/1.6.1/
2. If you are using an old version of bRPC and find it hard to upgrade, you can apply this patch: https://github.com/apache/brpc/pull/2411
3. Disable the rpcz feature.
CVE-2023-31039 | CRITICAL | CVSS 9.8 | CWE-20 | affected: ≥ 0.9.0, < 1.5.0 | 2023-05-08
Security vulnerability in Apache bRPC <1.5.0 on all platforms allows attackers to execute arbitrary
Mitigation:
1. Upgrade to bRPC 1.5.0 or later, download link: https://dist.apache.org/repos/dist/release/brpc/1.5.0/
2. If you are using an old version of bRPC and find it hard to upgrade, you can apply this patch: https://github.com/apache/brpc/pull/2218