CVE-2026-45044

Name of the Vulnerable Software and Affected Versions RustFS versions prior to 1.0.0-beta.2

Description The admin router explicitly whitelists the endpoints "/profile/cpu" and "/profile/memory" from the authentication layer, allowing unauthenticated HTTP clients to invoke profiling handlers. On supported builds, such as glibc, the handler triggers a 60-second CPU profiling operation via the dump cpu pprof for(Duration::from secs(60)) function. This can lead to significant CPU resource consumption and a potential denial of service. Furthermore, the handler discloses the server's absolute filesystem path in the response body.

Recommendations Update to version 1.0.0-beta.2.