A critical remote command-injection vulnerability has been discovered in Apache bRPC’s built-in heap profiler service, affecting all versions before 1.15.0 across all platforms.
The vulnerability allows unauthenticated attackers to execute arbitrary system commands by manipulating the profiler’s parameter validation mechanisms.
The heap profiler service endpoint (/pprof/heap) fails to properly sanitize the extra_options parameter before passing it to system command execution.
This design flaw enables attackers to inject malicious commands that execute with the bRPC process’s privileges.
| Field | Details |
|---|---|
| CVE ID | CVE-2025-60021 |
| Severity | Important |
| Affected Versions | Apache bRPC < 1.15.0 |
| Vulnerability Type | Remote Command Injection |
| CVSS Category | High Impact |
The root cause stems from insufficient input validation in the jemalloc memory profiling component, which treats user-supplied parameters as trusted command-line arguments without escaping or validation.
The vulnerability specifically affects deployments that use bRPC’s built-in heap profiler for jemalloc memory profiling.
Any system exposing the /pprof/heap endpoint to untrusted networks faces a significant risk of complete system compromise.
Exploitation grants attackers remote code execution capabilities without requiring authentication.
A successful attack could result in lateral movement within network infrastructure, data exfiltration, service disruption, or establishment of persistent backdoor access.
Organizations running vulnerable bRPC versions in production environments should prioritize immediate remediation.
Apache bRPC versions 1.11.0 through 1.14.x are vulnerable. Version 1.15.0 and later include the necessary security patches to address this vulnerability.
Two mitigation methods are available:
Option 1: Upgrade Apache bRPC to version 1.15.0 or later, which contains the official patch resolving the parameter validation issue.
Option 2: Apply the security patch manually from the official Apache bRPC GitHub repository (PR #3101) if immediate version upgrades are infeasible.
Organizations should prioritize upgrading to patched versions to eliminate the attack surface. Manual patching should be treated as a temporary measure pending complete version upgrades.
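To triage exposure while patching, the following added example (not code from Apache bRPC or from the original article) scans access-log lines for requests to /pprof/heap that set extra_options. It assumes combined-format logs from a proxy in front of the service; the metacharacter set is a conservative heuristic rather than something derived from the patch, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Conservative heuristic (assumption): characters a shell treats specially.
SHELL_META = re.compile(r"[;&|`$<>(){}\\\n\r'\"]")
# Request portion of a combined-format access log line (assumed log format).
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def triage(line):
    """Return (client_ip, verdict, decoded_value) for /pprof/heap hits, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path.rstrip("/") != "/pprof/heap":
        return None
    # parse_qs percent-decodes values; keep blank values so empty params still show.
    values = parse_qs(url.query, keep_blank_values=True).get("extra_options")
    if values is None:
        return (m.group("ip"), "profiler-access", "")
    joined = " ".join(values)
    verdict = "suspicious" if SHELL_META.search(joined) else "extra-options-set"
    return (m.group("ip"), verdict, joined)

def scan(lines):
    """Triage every line and keep only the profiler-related hits."""
    return [r for r in map(triage, lines) if r is not None]

# Constructed sample lines (not real traffic); parameter values are inert placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2026:10:00:00 +0000] "GET /pprof/heap HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2026:10:00:05 +0000] '
    '"GET /pprof/heap?extra_options=PLACEHOLDER_A HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2026:10:00:09 +0000] '
    '"GET /pprof/heap?extra_options=PLACEHOLDER_A%3BPLACEHOLDER_B HTTP/1.1" 200 0',
    '192.0.2.12 - - [01/Jan/2026:10:00:12 +0000] "GET /status HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for ip, verdict, value in scan(SAMPLE_LOG):
        print(f"{verdict:18} {ip:15} {value!r}")
```

Any hit from an address outside the operations network is worth reviewing, including plain `profiler-access` entries, since the endpoint requires no authentication.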
