PT-2026-3235 · Apache · Apache Brpc

Simcha Kosman · Published 2025-09-22 · Updated 2026-02-02 · CVE-2025-60021

CVSS v2.0: 10 · Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Affected Versions: Apache bRPC versions prior to 1.15.0
Description: Apache bRPC contains a remote command injection flaw in the heap profiler built-in service. The /pprof/heap endpoint does not properly validate the "extra options" parameter, allowing attackers to execute arbitrary system commands. This vulnerability enables unauthenticated remote code execution, potentially leading to full system compromise, data theft, and service disruption. The issue stems from the direct concatenation of the unsanitized "extra options" parameter into a shell command that is executed with the privileges of the bRPC service. Approximately 4,000 instances are exposed according to ZoomEye. Attackers can leverage this flaw to gain shell access, exfiltrate sensitive data, deploy malware, and move laterally within networks. The vulnerable parameter, "extra options", is used in requests to the /pprof/heap API endpoint.
Recommendations: Upgrade to Apache bRPC version 1.15.0 or later. As a temporary workaround, disable the heap profiler in production and restrict access to the /pprof/heap endpoint with network controls and authentication. Review access logs for /pprof/heap requests with suspicious "extra options" values, inspect processes spawned by the bRPC service, and verify system integrity.
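The access-log review recommended above, as an added example that is not part of this advisory or of the bRPC project: it scans constructed access-log lines for /pprof/heap requests whose "extra options" value contains shell metacharacters or does not look like a plain pprof-style flag token. It assumes the query key is spelled extra_options and that legitimate values are --flag or --flag=value tokens; both are assumptions, not details taken from the advisory.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/pprof/heap"
PARAM = "extra_options"  # assumption: the advisory only names it "extra options"
# Characters that end or chain a shell command, or expand inside one.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\r\\'\"]")
# Assumption: legitimate values are pprof-style --flag or --flag=value tokens.
ALLOWED_TOKEN = re.compile(r"^--?[A-Za-z0-9_]+(=[A-Za-z0-9_./-]+)?$")
# Combined-log-format request line: client ip, timestamp, method, target.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)

# Constructed sample lines for this example; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Sep/2025:10:00:01 +0000] "GET /status HTTP/1.1" 200 512
10.0.0.7 - - [22/Sep/2025:10:00:02 +0000] "GET /pprof/heap?extra_options=--inuse_space HTTP/1.1" 200 8192
10.0.0.9 - - [22/Sep/2025:10:00:03 +0000] "GET /pprof/heap?extra_options=--inuse_space%3Becho%20probe HTTP/1.1" 200 8192
10.0.0.9 - - [22/Sep/2025:10:00:04 +0000] "GET /pprof/heap?seconds=5 HTTP/1.1" 200 8192
"""


def classify_value(value):
    """Return why an extra_options value is suspicious, or None if it looks benign."""
    decoded = unquote(value)  # parse_qs decoded once; this also catches double encoding
    if SHELL_META.search(decoded):
        return "shell metacharacter"
    if not all(ALLOWED_TOKEN.match(tok) for tok in decoded.split()):
        return "unexpected token"
    return None


def find_suspicious(log_text):
    """Return (ip, timestamp, value, reason) for each flagged /pprof/heap request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != ENDPOINT:
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            reason = classify_value(value)
            if reason:
                hits.append((m.group("ip"), m.group("ts"), value, reason))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print("ALERT %s %s extra_options=%r (%s)" % hit)
```

A flagged client address is a lead for the process inspection and integrity check the advisory recommends, not proof of compromise on its own.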

Exploit · Fix · RCE · Command Injection

Weakness Enumeration

Related Identifiers: BDU:2026-00610 · CVE-2025-60021

Affected Products: Apache Brpc