6 matches found
CVE-2024-23452
Apache bRPC’s HTTP server (versions 0.9.5–1.7.0) is affected by a request-smuggling issue: its http_parser does not follow RFC 7230 when a message carries both a Transfer-Encoding and a Content-Length header, so the two sides of a proxy chain can frame the same bytes differently. In the described scenario, a frontend server using TE can cause a backend bRPC...
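To make the desync concrete, the following is an added example (written for this page, not bRPC's http_parser or code from the advisory). It frames one constructed byte stream under two policies: RFC 7230 framing, where Transfer-Encoding takes precedence and Content-Length is ignored, and a Content-Length-first policy that stands in for the non-compliant behaviour described. The paths, header values and payload are constructed for illustration.

```cpp
// Added illustration of an HTTP/1.1 TE/CL desync (not bRPC code). Two framing
// policies are modelled: RFC 7230 section 3.3.3, where Transfer-Encoding wins
// and Content-Length is ignored, and a non-compliant one that honours
// Content-Length even when Transfer-Encoding: chunked is present.
#include <algorithm>
#include <cctype>
#include <cstddef>
#include <cstdlib>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

enum class Policy { Rfc7230, PreferContentLength };

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Value of header `name` (given lower-case) in a header block, or "" if absent.
static std::string header_value(const std::string& head, const std::string& name) {
    std::istringstream in(head);
    std::string line;
    std::getline(in, line);                          // request line
    while (std::getline(in, line)) {
        if (!line.empty() && line.back() == '\r') line.pop_back();
        size_t colon = line.find(':');
        if (colon == std::string::npos) continue;
        if (lower(line.substr(0, colon)) == name) {
            size_t v = line.find_first_not_of(" \t", colon + 1);
            return v == std::string::npos ? "" : line.substr(v);
        }
    }
    return "";
}

// Advances `pos` past a chunked body; false on malformed chunk framing.
static bool skip_chunked(const std::string& s, size_t& pos) {
    for (;;) {
        size_t eol = s.find("\r\n", pos);
        if (eol == std::string::npos) return false;
        size_t size = std::strtoul(s.substr(pos, eol - pos).c_str(), nullptr, 16);
        pos = eol + 2;
        if (size == 0) {                             // last-chunk: skip trailers to the empty line
            for (;;) {
                size_t t = s.find("\r\n", pos);
                if (t == std::string::npos) return false;
                bool empty = (t == pos);
                pos = t + 2;
                if (empty) return true;
            }
        }
        if (size > s.size() - pos || s.size() - pos - size < 2 ||
            s.compare(pos + size, 2, "\r\n") != 0) return false;
        pos += size + 2;
    }
}

// Frames every request in `stream` under `policy` and returns their request lines;
// an empty vector means the stream is malformed or has unframed trailing bytes.
std::vector<std::string> frame_requests(const std::string& stream, Policy policy) {
    std::vector<std::string> request_lines;
    size_t pos = 0;
    while (pos < stream.size()) {
        size_t end = stream.find("\r\n\r\n", pos);
        if (end == std::string::npos) return {};
        std::string head = stream.substr(pos, end - pos + 2);
        request_lines.push_back(head.substr(0, head.find("\r\n")));
        pos = end + 4;
        bool chunked = lower(header_value(head, "transfer-encoding")).find("chunked") != std::string::npos;
        std::string cl = header_value(head, "content-length");
        if (chunked && (policy == Policy::Rfc7230 || cl.empty())) {
            if (!skip_chunked(stream, pos)) return {};
        } else if (!cl.empty()) {
            size_t n = std::strtoul(cl.c_str(), nullptr, 10);
            if (n > stream.size() - pos) return {};
            pos += n;
        }
    }
    return request_lines;
}

// Constructed TE.CL payload: the single chunk carries a complete second request whose
// Content-Length: 7 absorbs the "\r\n0\r\n\r\n" that follows it.
std::string build_te_cl_payload() {
    std::string smuggled = "GET /admin HTTP/1.1\r\nHost: example\r\nContent-Length: 7\r\n\r\n";
    std::ostringstream hex;
    hex << std::hex << smuggled.size();              // 57 bytes -> "39", so the outer CL of 4 covers "39\r\n"
    return "POST / HTTP/1.1\r\nHost: example\r\nContent-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n"
           + hex.str() + "\r\n" + smuggled + "\r\n0\r\n\r\n";
}

int main() {
    std::string payload = build_te_cl_payload();
    std::cout << "RFC 7230 framing sees " << frame_requests(payload, Policy::Rfc7230).size()
              << " request(s); Content-Length-first framing sees "
              << frame_requests(payload, Policy::PreferContentLength).size() << " request(s)\n";
    return 0;
}
```

The same bytes are one request to the side that honours Transfer-Encoding and two requests to the side that honours Content-Length; that disagreement is the smuggling primitive. The fix on the non-compliant side is to follow RFC 7230 (prefer TE, or reject a message that carries both), and an intermediary should strip Content-Length when it forwards a chunked message.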
CVE-2023-31039
CVE-2023-31039 affects Apache bRPC prior to 1.5.0. The vulnerability lies in the ServerOptions::pid_file parameter: an attacker who can influence its value at server startup can execute arbitrary code with the privileges of the bRPC process. Affected: brpc
CVE-2023-45757
CVE-2023-45757 affects Apache bRPC 1.6.0 and earlier through a cross-site scripting (XSS) issue in the rpcz built-in service. Remediation options: (1) upgrade to a fixed version (e.g., 1.6.1), (2) apply the patch from PR #2411 if upgrading is difficult, or (3) disable the rpcz feature.
CVE-2025-60021
Apache bRPC CVE-2025-60021 is a remote command injection in the heap profiler built-in service (/pprof/heap) affecting all versions
CVE-2025-59789
CVE-2025-59789: Apache bRPC’s json2pb component (built on rapidjson) is vulnerable to stack exhaustion from deeply nested JSON input; a recursive parse consumes one stack frame per nesting level, so a sufficiently deep document crashes the server. Affected: bRPC
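The shape of the bug and of its mitigation, as an added example that is not bRPC or rapidjson code: a recursive structural skipper with no depth limit beside an iterative checker with an explicit stack and a hard cap. The depth limit of 64 and the hostile input are constructed for illustration.

```cpp
// Added illustration (not bRPC or rapidjson code) of why nesting depth must be
// bounded. The recursive skipper is the vulnerable shape: one stack frame per
// nesting level and no limit. The iterative checker keeps an explicit stack and
// a hard cap. Both only track structure (strings are skipped so brackets inside
// them do not count); neither is a full JSON parser.
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Skips the JSON string starting at s[i] == '"'; returns the index past its closing
// quote, or std::string::npos if it is unterminated.
static size_t skip_string(const std::string& s, size_t i) {
    for (++i; i < s.size(); ++i) {
        if (s[i] == '\\') { ++i; continue; }         // escaped character
        if (s[i] == '"') return i + 1;
    }
    return std::string::npos;
}

// Vulnerable pattern: recursive descent without a depth limit. Returns the index past the
// bracket matching s[i], or npos on error. Input such as "[[[[...]]]]" nested deeply enough
// exhausts the stack, which is the crash the CVE describes.
size_t naive_recursive_skip(const std::string& s, size_t i) {
    char close = (s[i] == '[') ? ']' : '}';
    for (++i; i < s.size();) {
        char c = s[i];
        if (c == '"') {
            i = skip_string(s, i);
        } else if (c == '[' || c == '{') {
            i = naive_recursive_skip(s, i);          // one more stack frame per level
        } else if (c == close) {
            return i + 1;
        } else if (c == ']' || c == '}') {
            return std::string::npos;                // mismatched closer
        } else {
            ++i;
        }
        if (i == std::string::npos) return i;
    }
    return std::string::npos;
}

// Hardened pattern: iterative scan with an explicit stack of expected closers and a cap.
// Returns true only if the document is well nested and never deeper than max_depth.
bool nesting_ok(const std::string& s, size_t max_depth) {
    std::vector<char> expected;
    for (size_t i = 0; i < s.size();) {
        char c = s[i];
        if (c == '"') {
            i = skip_string(s, i);
            if (i == std::string::npos) return false;
            continue;
        }
        if (c == '[' || c == '{') {
            if (expected.size() >= max_depth) return false;   // reject before going deeper
            expected.push_back(c == '[' ? ']' : '}');
        } else if (c == ']' || c == '}') {
            if (expected.empty() || expected.back() != c) return false;
            expected.pop_back();
        }
        ++i;
    }
    return expected.empty();
}

// Constructed hostile input: `levels` nested arrays, e.g. nested_arrays(3) == "[[[]]]".
std::string nested_arrays(size_t levels) {
    return std::string(levels, '[') + std::string(levels, ']');
}

int main() {
    std::string benign = "{\"a\": [1, 2, {\"b\": \"[not a bracket]\"}]}";
    std::cout << "benign ok: " << nesting_ok(benign, 64)
              << ", 1e6 levels ok: " << nesting_ok(nested_arrays(1000000), 64) << '\n';
    return 0;
}
```

The checker rejects the million-level document after 64 pushes and a handful of microseconds, whereas handing the same bytes to the recursive skipper would try to create a million nested frames. rapidjson also offers an iterative parse mode (kParseIterativeFlag) that removes the recursion; whichever parser is used, bounding the depth turns the failure into a clean error instead of a stack overflow.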
CVE-2025-54472
CVE-2025-54472 affects Apache bRPC’s Redis protocol parser. The root cause is unbounded memory allocation when parsing Redis protocol data: arrays and bulk strings are allocated according to length fields supplied by the remote peer, with no sanity bound, so a value that is too large raises std::bad_alloc and crashes the service. The issue also affects 1.1...
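The allocation pattern and its bounded replacement, as an added example that is not bRPC's Redis parser: a RESP bulk-string reader that sizes its buffer from the advertised length before any payload has arrived, beside one that checks the length against a policy limit first. The limit name `max_bulk_len`, the 512 MB value (borrowed from Redis's own proto-max-bulk-len default) and the hostile header are assumptions made for illustration.

```cpp
// Added illustration (not bRPC code) of RESP bulk-string framing, "$<len>\r\n<len bytes>\r\n".
// The naive reader sizes a buffer from the advertised length before any payload has
// arrived; the bounded reader checks the length against a policy limit first.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <exception>
#include <iostream>
#include <stdexcept>
#include <string>

// Parses the "$<len>\r\n" header at the start of `frame` into `len` (overflow-checked)
// and sets `hdr_end` to the first payload byte. Returns false if the header is malformed.
static bool parse_bulk_header(const std::string& frame, uint64_t& len, size_t& hdr_end) {
    if (frame.empty() || frame[0] != '$') return false;
    size_t eol = frame.find("\r\n", 1);
    if (eol == std::string::npos || eol == 1) return false;
    uint64_t v = 0;
    for (size_t i = 1; i < eol; ++i) {
        if (frame[i] < '0' || frame[i] > '9') return false;
        uint64_t d = static_cast<uint64_t>(frame[i] - '0');
        if (v > (UINT64_MAX - d) / 10) return false;         // decimal would overflow
        v = v * 10 + d;
    }
    len = v;
    hdr_end = eol + 2;
    return true;
}

// Vulnerable pattern: allocate whatever the peer advertised. std::string's constructor
// throws std::length_error or std::bad_alloc when the size cannot be satisfied; a server
// that does not expect an exception on its I/O path terminates.
std::string read_bulk_naive(const std::string& frame) {
    uint64_t len; size_t hdr_end;
    if (!parse_bulk_header(frame, len, hdr_end)) throw std::runtime_error("malformed bulk header");
    std::string payload(static_cast<size_t>(len), '\0');    // sized by a network-supplied integer
    size_t avail = std::min<size_t>(frame.size() - hdr_end, payload.size());
    payload.replace(0, avail, frame, hdr_end, avail);       // a real server keeps reading the socket here
    return payload;
}

// True when the naive reader's allocation throws for this frame (what would crash a server).
bool naive_reader_throws(const std::string& frame) {
    try { read_bulk_naive(frame); return false; }
    catch (const std::exception&) { return true; }
}

enum class BulkStatus { Ok, NeedMoreData, TooLarge, Malformed };

// Hardened pattern: reject lengths above `max_bulk_len` before allocating anything, then
// copy only once the whole payload plus its CRLF has arrived. `max_bulk_len` is an assumed
// configuration knob (Redis itself caps bulk strings with proto-max-bulk-len, default 512 MB).
BulkStatus read_bulk_bounded(const std::string& frame, uint64_t max_bulk_len, std::string& out) {
    uint64_t len; size_t hdr_end;
    if (!parse_bulk_header(frame, len, hdr_end)) return BulkStatus::Malformed;
    if (len > max_bulk_len) return BulkStatus::TooLarge;
    size_t n = static_cast<size_t>(len);
    if (frame.size() - hdr_end < n + 2) return BulkStatus::NeedMoreData;
    if (frame.compare(hdr_end + n, 2, "\r\n") != 0) return BulkStatus::Malformed;
    out.assign(frame, hdr_end, n);
    return BulkStatus::Ok;
}

int main() {
    const uint64_t kMaxBulk = uint64_t(512) << 20;
    std::string out;
    read_bulk_bounded("$5\r\nhello\r\n", kMaxBulk, out);
    std::cout << "bounded reader payload: " << out << '\n';
    std::string hostile = "$4611686018427387904\r\n";    // constructed: 2^62 bytes advertised, none sent
    std::cout << "naive reader throws: " << (naive_reader_throws(hostile) ? "yes" : "no")
              << ", bounded reader: "
              << (read_bulk_bounded(hostile, kMaxBulk, out) == BulkStatus::TooLarge ? "TooLarge" : "other")
              << '\n';
    return 0;
}
```

The hostile header is 22 bytes on the wire; the naive reader turns it into a multi-exabyte allocation request and an exception, while the bounded reader rejects it before touching the allocator. The array header `*<count>` needs the same treatment: cap the element count and build the vector as elements actually arrive rather than reserving from the advertised count.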