Apache bRPC Vulnerability Enables Network-Based Attacks to Crash the Service
A severe vulnerability has been discovered in Apache bRPC, affecting all versions prior to 1.14.1. This vulnerability, identified as CVE-2025-54472 and classified with “important” severity, arises from unlimited memory allocation in the Redis protocol parser component. Attackers can exploit this flaw by sending crafted packets containing excessively large integers; the parser attempts correspondingly large memory allocations, and when those allocations fail the service crashes. The vulnerability poses significant risks, particularly for bRPC deployments acting as Redis servers for untrusted clients or as Redis clients connecting to potentially compromised Redis services. The attack vector requires only network access to the target service, making it especially dangerous for internet-facing deployments.
To mitigate this vulnerability, organisations are advised to upgrade to Apache bRPC version 1.14.1, which includes proper bounds checking for memory allocation requests. Alternatively, administrators can manually apply the available security patch. The fix introduces a default maximum allocation limit of 64MB per Redis parser operation, controlled by the redis_max_allocation_size gflag parameter. Organisations processing Redis requests or responses exceeding this limit should adjust the parameter accordingly to prevent legitimate operations from failing after the upgrade. Comprehensive documentation and patches have been released by the Apache bRPC project through their official channels.
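To illustrate the kind of bounds check the fix describes, here is an added example that is not bRPC's own code: a minimal RESP bulk-string parser that validates the declared length against a configurable cap, defaulting to the 64MB the advisory cites, before any payload buffer is allocated. Everything in it is an assumption for the example: the function names, the `kDefaultRedisMaxAllocationSize` constant standing in for the `redis_max_allocation_size` gflag, and the constructed sample inputs in `main()`.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>

// Stand-in for the redis_max_allocation_size gflag named in the advisory;
// the 64MB default matches the value it cites. The constant name is this
// example's own, not bRPC's.
static const size_t kDefaultRedisMaxAllocationSize = 64ull * 1024 * 1024;

enum class ParseStatus { kOk, kNeedMore, kError, kTooLarge };

struct BulkHeader {
    ParseStatus status;
    int64_t length;    // declared payload length; -1 for a RESP null bulk string
    size_t consumed;   // header bytes consumed when status is kOk
};

// Parse a RESP bulk-string header "$<len>\r\n". The decimal is read digit by
// digit so that values exceeding uint64 are caught rather than wrapped, and
// any length above max_alloc is rejected before the caller allocates.
BulkHeader ParseBulkHeader(const std::string& buf, size_t max_alloc) {
    BulkHeader h{ParseStatus::kError, -1, 0};
    if (buf.empty()) { h.status = ParseStatus::kNeedMore; return h; }
    if (buf[0] != '$') return h;
    const size_t end = buf.find("\r\n", 1);
    if (end == std::string::npos) { h.status = ParseStatus::kNeedMore; return h; }

    size_t i = 1;
    bool negative = false;
    if (i < end && buf[i] == '-') { negative = true; ++i; }
    if (i == end) return h;  // no digits at all

    uint64_t value = 0;
    for (; i < end; ++i) {
        const char c = buf[i];
        if (c < '0' || c > '9') return h;
        const uint64_t digit = static_cast<uint64_t>(c - '0');
        if (value > (UINT64_MAX - digit) / 10) {  // value * 10 + digit would overflow
            h.status = ParseStatus::kTooLarge;
            return h;
        }
        value = value * 10 + digit;
    }
    h.consumed = end + 2;

    if (negative) {
        // "$-1" is the protocol's null bulk string; other negatives are malformed
        if (value != 1) return h;
        h.status = ParseStatus::kOk;
        return h;
    }
    if (value > max_alloc) {  // the bounds check the fix introduces
        h.status = ParseStatus::kTooLarge;
        return h;
    }
    h.status = ParseStatus::kOk;
    h.length = static_cast<int64_t>(value);
    return h;
}

// Read a complete bulk string into *out; the payload buffer is allocated only
// after the declared length has passed the bound check above.
ParseStatus ReadBulkString(const std::string& buf, size_t max_alloc, std::string* out) {
    const BulkHeader h = ParseBulkHeader(buf, max_alloc);
    if (h.status != ParseStatus::kOk) return h.status;
    if (h.length < 0) { out->clear(); return ParseStatus::kOk; }
    const size_t len = static_cast<size_t>(h.length);
    if (buf.size() < h.consumed + len + 2) return ParseStatus::kNeedMore;
    if (buf.compare(h.consumed + len, 2, "\r\n") != 0) return ParseStatus::kError;
    out->assign(buf, h.consumed, len);  // bounded allocation happens here
    return ParseStatus::kOk;
}

// Convenience wrapper: the payload on success, an empty string otherwise.
std::string BulkPayload(const std::string& buf, size_t max_alloc) {
    std::string out;
    if (ReadBulkString(buf, max_alloc, &out) != ParseStatus::kOk) out.clear();
    return out;
}

int main() {
    // Constructed sample inputs: a normal reply, a declared length one byte
    // over the default cap, and a length that does not even fit in 64 bits.
    const char* samples[] = {"$5\r\nhello\r\n", "$67108865\r\n", "$99999999999999999999\r\n"};
    for (const char* s : samples) {
        std::string payload;
        const ParseStatus st = ReadBulkString(s, kDefaultRedisMaxAllocationSize, &payload);
        std::printf("status %d, payload %zu bytes\n", static_cast<int>(st), payload.size());
    }
    return 0;
}
```

A parser structured this way never reserves memory on the strength of an untrusted integer alone; an oversized or overflowing length field yields `kTooLarge` and the connection can be closed, instead of an allocation failure bringing the process down. Raising the cap, as the advisory suggests for deployments with legitimately larger Redis values, is a matter of passing a bigger `max_alloc`.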
Categories: Vulnerability Management, Denial of Service, Software Upgrade
Tags: Apache bRPC, Vulnerability, CVE-2025-54472, Redis Protocol, Memory Allocation, Denial of Service, Network Exploitation, Upgrade, Security Patch, Integer Overflow