PT-2026-50978 · Go · Github.Com/Tilt-Dev/Tilt
Publicado
2026-06-19
·
Atualizado
2026-06-19
·
CVE-2026-55882
CVSS v4.0
8.3
Alta
| Vetor | AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N |
Summary
The Tilt HUD server mounts Go's
net/http/pprof handlers under /debug with no access control. When the HUD is network-exposed, an attacker can read process memory — including session and apiserver tokens — and hold the process under profiling.Details
A blank import of
net/http/pprof registers its handlers on http.DefaultServeMux, which the HUD controller mounts under /debug on both the web router and the apiserver listener. /debug/pprof/heap and /goroutine expose process memory, including the session token (also issued in the Tilt-Token cookie) and the apiserver loopback bearer token; /profile and /trace let a caller sample the process for an arbitrary duration.Impact
An unauthenticated caller who can reach the listener can extract process memory — including the session and apiserver tokens — and degrade performance by holding the process under CPU profiling or tracing. The leaked tokens compound the missing-authentication finding on the same server.
Conditions for exploitation
- Affected version in
>= 0.19.5, <= 0.37.3. - HUD (or apiserver) listener bound to a non-loopback address (
tilt up --host 0.0.0.0, orTILT HOSTset). - Network reachability to the listener (default port
10350).
Not affected
- The default loopback-only bind is not reachable from the network.
Workarounds
Use the default loopback bind (omit
--host, unset TILT HOST) so /debug is not remotely reachable. No complete workaround short of upgrading for non-loopback deployments.Correção
Information Disclosure
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Github.Com/Tilt-Dev/Tilt