Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2025-54472

Good to know:

icon

Date: August 14, 2025

Unlimited memory allocation in redis protocol parser in Apache bRPC (all versions < 1.14.1) on all platforms allows attackers to crash the service via network. In the bRPC Redis protocol parser code, memory for arrays or strings of corresponding sizes is allocated based on the integers read from the network. If the integer read from the network is too large, it may cause a bad alloc error and lead to the program crashing. Attackers can exploit this feature by sending special data packets to the bRPC service to carry out a denial-of-service attack on it. The bRPC 1.14.0 version tried to fix this issue by limited the memory allocation size, however, the limitation checking code is not well implemented that may cause integer overflow and evade such limitation. So the 1.14.0 version is also vulnerable, although the integer range that affect version 1.14.0 is different from that affect version < 1.14.0.

Severity Score

Related Resources (4)

https://lists.apache.org/thread/r3xsy3wvs4kmfhc281173k5b6ll1xt2m
https://nvd.nist.gov/vuln/detail/CVE-2025-54472
https://seclists.org/oss-sec/2025/q3/93
https://www.mend.io/vulnerability-database/CVE-2025-54472

Severity Score

Weakness Type (CWE)

Integer Overflow or Wraparound

CWE-190

Uncontrolled Resource Consumption

CWE-400

Top Fix

icon

Upgrade Version

Upgrade to version https://github.com/apache/brpc.git - 1.14.1

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): NONE
Availability (A): HIGH

Do you need more information?

Contact Us