CVE-2025-54472

{"id": "CVE-2025-54472", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2025-08-14T09:15:26.683", "references": [{"url": "https://lists.apache.org/thread/r3xsy3wvs4kmfhc281173k5b6ll1xt2m", "source": "security@apache.org"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-190"}, {"lang": "en", "value": "CWE-400"}]}], "descriptions": [{"lang": "en", "value": "Unlimited memory allocation in redis protocol parser in Apache bRPC (all versions < 1.14.1) on all platforms allows attackers to crash the service via network.\n\n\n\nRoot Cause: In the bRPC Redis protocol parser code, memory for arrays or strings of corresponding sizes is allocated based on the integers read from the network. If the integer read from the network is too large, it may cause a bad alloc error and lead to the program crashing. Attackers can exploit this feature by sending special data packets to the bRPC service to carry out a denial-of-service attack on it.\nThe bRPC 1.14.0 version tried to fix this issue by limited the memory allocation size, however, the limitation checking code is not well implemented that may cause integer overflow and evade such limitation. So the\u00a01.14.0 version is also vulnerable, although the integer range that affect version 1.14.0 is different from that affect version < 1.14.0.\n\n\n\nAffected scenarios: Using bRPC as a Redis server to provide network services to untrusted clients, or using bRPC as a Redis client to call untrusted Redis services.\n\n\n\nHow to Fix: we provide two methods, you can choose one of them:\n\n1. Upgrade bRPC to version 1.14.1.\n2. Apply this patch ( https://github.com/apache/brpc/pull/3050 ) manually.\n\nNo matter you choose which method, you should note that the patch limits the maximum length of memory allocated for each time in the bRPC Redis parser. The default limit is 64M. If some of you redis request or response have a size larger than 64M, you might encounter error after upgrade. For such case, you can modify the gflag\u00a0redis_max_allocation_size to set a larger limit."}, {"lang": "es", "value": "La asignaci\u00f3n ilimitada de memoria en el analizador de protocolo Redis de Apache bRPC (todas las versiones anteriores a la 1.14.1) en todas las plataformas permite a los atacantes bloquear el servicio a trav\u00e9s de la red. Causa ra\u00edz: En el c\u00f3digo del analizador de protocolo Redis de bRPC, la memoria para matrices o cadenas de tama\u00f1os correspondientes se asigna en funci\u00f3n de los enteros le\u00eddos de la red. Si el entero le\u00eddo de la red es demasiado grande, puede causar un error de asignaci\u00f3n incorrecta y provocar el bloqueo del programa. Los atacantes pueden explotar esta caracter\u00edstica enviando paquetes de datos especiales al servicio bRPC para llevar a cabo un ataque de denegaci\u00f3n de servicio. La versi\u00f3n bRPC 1.14.0 intent\u00f3 solucionar este problema limitando el tama\u00f1o de la asignaci\u00f3n de memoria; sin embargo, el c\u00f3digo de comprobaci\u00f3n de limitaciones no est\u00e1 bien implementado, lo que puede causar un desbordamiento de enteros y evadir dicha limitaci\u00f3n. Por lo tanto, la versi\u00f3n 1.14.0 tambi\u00e9n es vulnerable, aunque el rango de enteros que afecta a la versi\u00f3n 1.14.0 es diferente al que afecta a la versi\u00f3n anterior. Escenarios afectados: Usar bRPC como servidor Redis para proporcionar servicios de red a clientes no confiables, o usar bRPC como cliente Redis para llamar a servicios Redis no confiables. C\u00f3mo solucionarlo: ofrecemos dos m\u00e9todos, puede elegir uno de ellos: 1. Actualice bRPC a la versi\u00f3n 1.14.1. 2. Aplique este parche (https://github.com/apache/brpc/pull/3050) manualmente. Independientemente del m\u00e9todo que elija, debe tener en cuenta que el parche limita la longitud m\u00e1xima de memoria asignada para cada vez en el analizador Redis de bRPC. El l\u00edmite predeterminado es 64M. Si alguna de sus solicitudes o respuestas de Redis tiene un tama\u00f1o mayor a 64M, podr\u00eda encontrar un error despu\u00e9s de la actualizaci\u00f3n. Para tal caso, puede modificar el gflag redis_max_allocation_size para establecer un l\u00edmite mayor."}], "lastModified": "2025-08-14T15:15:39.060", "sourceIdentifier": "security@apache.org"}