
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-54472 is a high-severity vulnerability in the Redis protocol parser of Apache bRPC, affecting all versions prior to 1.14.1. It was disclosed on August 14, 2025. Apache bRPC is an industrial-grade RPC framework used in high-performance systems such as search, storage, machine learning, advertising, and recommendation services (Security Online, NVD).
The root cause is unbounded memory allocation in the Redis protocol parser. The bRPC Redis parser sizes its allocations for arrays and bulk strings from length integers read directly off the wire. An attacker-chosen length that is far larger than any legitimate message causes the allocation to fail with std::bad_alloc, which terminates the process. Version 1.14.0 attempted to fix this by capping the allocation size, but the cap check was implemented incorrectly: the comparison could be defeated by integer overflow, so a suitably chosen length still passed the check and reached the allocator (NVD).
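To make the two halves of that description concrete, the following is an added illustration and not bRPC's code: a parser for RESP length prefixes such as `$1234\r\n` or `*3\r\n`, a limit check of the general shape that an integer-width mistake lets through (the check narrows the 64-bit length before comparing it, so a length of 2^32 + 16 truncates to 16 and is accepted), and the hardened check that compares the full-width value and rejects negatives. The 64 MB ceiling matches the default the fix is reported to use; everything else (function names, the `Decision` type, the exact form of the flawed comparison) is assumed for the example and is not taken from the 1.14.0 source.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>
#include <optional>
#include <string_view>

// 64 MB ceiling, as reported for the bRPC fix. The code around it is an
// illustrative reconstruction, not the project's implementation.
constexpr uint64_t kMaxAllocation = 64ull * 1024 * 1024;

// Parse one RESP length line ("$<len>\r\n" for bulk strings, "*<len>\r\n" for
// arrays). Returns nullopt for a bad prefix, missing digits, junk characters,
// a missing CRLF, or a value that does not fit in int64_t. Overflow is checked
// before each multiply so a 20-digit length cannot wrap to a small number.
std::optional<int64_t> parseRespLength(std::string_view line) {
    if (line.size() < 4) return std::nullopt;            // prefix + 1 digit + CRLF
    if (line[0] != '$' && line[0] != '*') return std::nullopt;
    if (line.substr(line.size() - 2) != "\r\n") return std::nullopt;
    std::string_view digits = line.substr(1, line.size() - 3);
    bool negative = false;
    if (!digits.empty() && digits[0] == '-') { negative = true; digits.remove_prefix(1); }
    if (digits.empty()) return std::nullopt;
    uint64_t value = 0;
    for (char c : digits) {
        if (c < '0' || c > '9') return std::nullopt;
        unsigned d = static_cast<unsigned>(c - '0');
        if (value > (std::numeric_limits<uint64_t>::max() - d) / 10) return std::nullopt;
        value = value * 10 + d;
    }
    if (value > static_cast<uint64_t>(std::numeric_limits<int64_t>::max())) return std::nullopt;
    int64_t len = static_cast<int64_t>(value);
    return negative ? -len : len;
}

// A limit check of the class that CVE-2025-54472 describes (assumed shape, not
// the real 1.14.0 code): the length is narrowed to 32 bits before comparison,
// so 2^32 + 16 becomes 16, passes, and the original 4 GB length is allocated.
bool weakWithinLimit(int64_t len) {
    uint32_t narrowed = static_cast<uint32_t>(len);
    return narrowed <= kMaxAllocation;
}

// Hardened check: compare the full-width value and reject negatives. The RESP
// null marker "$-1" must be handled by the caller before any allocation.
bool hardenedWithinLimit(int64_t len) {
    return len >= 0 && static_cast<uint64_t>(len) <= kMaxAllocation;
}

struct Decision {
    bool accepted;   // would the parser proceed to allocate?
    uint64_t bytes;  // size that would be handed to the allocator if so
};

// Run a length line through the parser and a limit policy. No memory is
// actually reserved here; in a real server the accepted 4 GB request is the
// point where std::bad_alloc takes the process down.
Decision decide(std::string_view line, bool (*withinLimit)(int64_t)) {
    std::optional<int64_t> len = parseRespLength(line);
    if (!len || !withinLimit(*len)) return {false, 0};
    return {true, static_cast<uint64_t>(*len)};
}

int main() {
    // Constructed inputs: a normal bulk-string length and an attacker's 2^32 + 16.
    const char* samples[] = {"$1000\r\n", "$4294967312\r\n", "$-2\r\n"};
    for (const char* s : samples) {
        Decision w = decide(s, weakWithinLimit);
        Decision h = decide(s, hardenedWithinLimit);
        std::printf("%-16s weak: %s (%llu bytes)  hardened: %s\n",
                    std::string_view(s).substr(0, std::string_view(s).size() - 2).data(),
                    w.accepted ? "accept" : "reject", (unsigned long long)w.bytes,
                    h.accepted ? "accept" : "reject");
    }
    return 0;
}
```

The lesson carries beyond bRPC: a length read from the network should be bounds-checked in the widest type it was parsed in, with negatives rejected explicitly, and the check must happen before any arithmetic (adding a CRLF, multiplying by element size) that could itself overflow.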
A remote attacker can exploit this to crash affected services, producing a denial of service (DoS). Both roles are exposed: a bRPC process acting as a Redis server that accepts connections from untrusted clients, and a bRPC process acting as a Redis client that talks to an untrusted or compromised Redis server, since in either direction the parser reads the length fields from the peer. The vulnerability carries a CVSS v3.1 base score of 7.5 (HIGH) assigned by CISA-ADP (NVD, Security Online).
Two remediation options are recommended: 1) upgrade to bRPC 1.14.1, which contains the official fix, or 2) apply the patch from GitHub Pull Request #3050 manually. The fix introduces a default maximum allocation size of 64 MB for Redis parser operations. Deployments that legitimately need larger Redis payloads can raise the limit with the gflag redis_max_allocation_size; since that ceiling is what bounds the attacker's allocation, set it to the largest value the workload actually requires rather than disabling it in practice (NVD).
Source: This report was generated using AI