CVE-2025-54472 in bRPC

Summary

by MITRE • 08/14/2025

Unlimited memory allocation in redis protocol parser in Apache bRPC (all versions < 1.14.1) on all platforms allows attackers to crash the service via network.



Root Cause: In the bRPC Redis protocol parser code, memory for arrays or strings of the corresponding sizes is allocated based on the integers read from the network. If the integer read from the network is too large, it may cause a bad alloc error and lead to the program crashing. Attackers can exploit this feature by sending special data packets to the bRPC service to carry out a denial-of-service attack on it. The bRPC 1.14.0 version tried to fix this issue by limiting the memory allocation size; however, the limitation checking code is not well implemented, which may cause an integer overflow and evade the limitation. So the 1.14.0 version is also vulnerable, although the integer range that affects version 1.14.0 is different from that affecting versions < 1.14.0.



Affected scenarios: Using bRPC as a Redis server to provide network services to untrusted clients, or using bRPC as a Redis client to call untrusted Redis services.



How to Fix: we provide two methods, you can choose one of them:

1. Upgrade bRPC to version 1.14.1.
2. Apply this patch ( https://github.com/apache/brpc/pull/3050 ) manually.

Whichever method you choose, you should note that the patch limits the maximum length of memory allocated each time in the bRPC Redis parser. The default limit is 64M. If some of your Redis requests or responses have a size larger than 64M, you might encounter errors after upgrading. In such cases, you can modify the gflag redis_max_allocation_size to set a larger limit.
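To make the root-cause description and the fix note concrete, here is an added example in C++. It is not bRPC's parser and not the code from the referenced pull request; it is a constructed illustration of the defect class the advisory describes (a length read from the network drives an allocation, and a limit check can be defeated by integer wraparound) next to an overflow-safe check. The function names, the 16-byte element size used in the demonstration and the 64 MiB constant (modelled on the advisory's "64M" default; bRPC's real value is configured through the redis_max_allocation_size gflag) are assumptions for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <optional>
#include <string>

// Assumed default modelled on the 64M figure in the advisory (64 MiB here);
// bRPC exposes its own value through the redis_max_allocation_size gflag.
constexpr std::size_t kMaxAllocationSize = 64u * 1024u * 1024u;

// Parse a RESP length prefix such as "$123\r\n" (bulk string) or "*7\r\n"
// (array). Returns the signed count, or nullopt if the header is malformed or
// the decimal would not fit in int64_t. Negative values are legal in RESP
// ("$-1\r\n" is a null bulk string) and are left to the caller to interpret.
std::optional<int64_t> parse_resp_length(const std::string& header) {
  if (header.size() < 4) return std::nullopt;
  if (header[0] != '$' && header[0] != '*') return std::nullopt;
  const std::size_t end = header.find("\r\n", 1);
  if (end == std::string::npos || end == 1) return std::nullopt;
  std::size_t i = 1;
  bool negative = false;
  if (header[i] == '-') {
    negative = true;
    if (++i == end) return std::nullopt;
  }
  int64_t value = 0;
  for (; i < end; ++i) {
    const char c = header[i];
    if (c < '0' || c > '9') return std::nullopt;
    const int digit = c - '0';
    if (value > (INT64_MAX - digit) / 10) return std::nullopt;  // would overflow
    value = value * 10 + digit;
  }
  return negative ? -value : value;
}

// Multiply-then-compare check (constructed to show the defect class): the
// product count * elem_size wraps in size_t for huge counts and can land below
// the limit, so an oversized allocation is waved through.
bool naive_limit_check(int64_t count, std::size_t elem_size, std::size_t limit) {
  if (count < 0) return false;
  return static_cast<std::size_t>(count) * elem_size <= limit;
}

// Overflow-safe check: divide instead of multiply so nothing can wrap, and
// refuse negative counts and counts that do not even fit in size_t.
bool safe_limit_check(int64_t count, std::size_t elem_size, std::size_t limit,
                      std::size_t* bytes_out) {
  if (count < 0 || elem_size == 0) return false;
  if (static_cast<uint64_t>(count) > SIZE_MAX) return false;
  const std::size_t n = static_cast<std::size_t>(count);
  if (n > limit / elem_size) return false;
  if (bytes_out) *bytes_out = n * elem_size;
  return true;
}

// End-to-end: how many bytes may be allocated for this header, or nullopt if
// the header is malformed, negative, or exceeds the configured limit.
std::optional<std::size_t> bytes_for_header(const std::string& header,
                                            std::size_t elem_size,
                                            std::size_t limit = kMaxAllocationSize) {
  const auto count = parse_resp_length(header);
  if (!count) return std::nullopt;
  std::size_t bytes = 0;
  if (!safe_limit_check(*count, elem_size, limit, &bytes)) return std::nullopt;
  return bytes;
}

int main() {
  // Constructed headers: a small array, a null bulk string, a count of 2^62
  // (whose product with 16 wraps to 0 in 64-bit size_t), and an unparseable one.
  const std::string headers[] = {"*4\r\n", "$-1\r\n", "*4611686018427387904\r\n",
                                 "*99999999999999999999\r\n"};
  for (const auto& h : headers) {
    const auto count = parse_resp_length(h);
    const auto bytes = bytes_for_header(h, 16);
    std::printf("%-24s parsed=%s naive=%s safe=%s\n",
                h.substr(0, h.size() - 2).c_str(), count ? "yes" : "no",
                count && naive_limit_check(*count, 16, kMaxAllocationSize) ? "pass" : "reject",
                bytes ? "pass" : "reject");
  }
  return 0;
}
```

The point of the pairing is the third header: the multiply-then-compare check accepts a count of 2^62 because the product wraps to zero, while the division-based check rejects it before any allocation is attempted. Raising the limit, as the advisory suggests for large legitimate payloads, only changes the threshold; the check itself has to be written so that no arithmetic on attacker-supplied lengths can wrap.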


Analysis

by VulDB Data Team • 08/15/2025

The vulnerability CVE-2025-54472 represents a critical denial-of-service flaw in Apache bRPC's Redis protocol parser affecting all versions prior to 1.14.1. This issue stems from unlimited memory allocation behavior where the parser dynamically allocates memory based on integer values received from network packets without proper bounds checking. The root cause aligns with CWE-122, heap-based buffer overflow, as the system fails to validate input data before memory allocation occurs. When maliciously crafted packets containing excessively large integer values are sent to the bRPC service, the parser attempts to allocate memory that exceeds system limits, resulting in allocation failures and subsequent service crashes. This vulnerability specifically targets the Redis protocol implementation within bRPC, making it particularly dangerous for systems that rely on bRPC as a Redis server or client.

The operational impact of this vulnerability extends across multiple deployment scenarios where bRPC services interact with untrusted network entities. Systems using bRPC as a Redis server to handle client connections or using bRPC as a Redis client to communicate with external Redis services are both at risk. Attackers can exploit this weakness by sending specially crafted network packets that contain oversized array or string size indicators, triggering the memory allocation overflow condition. The vulnerability's exploitation mechanism aligns with ATT&CK technique T1499.004, network denial of service, where adversaries leverage protocol parsing flaws to cause service disruption. The attack vector is particularly concerning because it requires minimal sophistication to execute, making it a preferred method for attackers seeking to compromise service availability.

The initial attempt to address this issue in bRPC version 1.14.0 introduced memory allocation size limitations but contained a critical flaw in the implementation that allowed integer overflow conditions to bypass the intended protections. This oversight demonstrates a failure in proper input validation and boundary checking, reflecting weaknesses in software security engineering practices. The integer overflow in version 1.14.0 creates a bypass scenario where attackers can still trigger the vulnerability using different integer ranges than those originally affected, rendering the partial fix ineffective. This particular vulnerability manifestation connects to CWE-191, integer underflow or overflow, and highlights the importance of comprehensive testing for edge cases in security-critical code paths. The fact that the vulnerability persists in version 1.14.0 despite the attempted fix indicates that the security controls were insufficiently robust to prevent all attack vectors.

The recommended remediation approaches provide organizations with clear paths to address the vulnerability. Upgrading to bRPC version 1.14.1 represents the most straightforward solution, as this release contains a properly implemented fix that correctly handles memory allocation limits. Alternatively, organizations can manually apply the patch referenced in the advisory, which provides the same protective measures. Both approaches implement a maximum memory allocation limit of 64 megabytes for individual allocations within the Redis parser, preventing excessive memory consumption that leads to crashes. However, this default limit may impact legitimate operations involving large Redis requests or responses, requiring administrators to adjust the gflag redis_max_allocation_size parameter to accommodate their specific operational requirements. This adjustment process must balance security protection with operational functionality, as setting limits too high may reintroduce vulnerability risks while setting them too low may cause legitimate service disruptions. The implementation of these fixes directly addresses the underlying security weakness by enforcing proper bounds checking and preventing the exploitation scenarios that lead to service crashes.

Disclosure

08/14/2025

Moderation

accepted

CPE

ready

EPSS

0.00408

KEV

no

Activities

very low
