PT-2026-48807 · Go · Github.Com/Basekick-Labs/Arc

Published 2026-06-11 · Updated 2026-06-11 · CVE-2026-48050

CVSS v4.0: 8.8 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N

Summary

Arc registers Go's net/http/pprof handlers at /debug/pprof/* via app.Use(pprof.New()) in internal/api/server.go, and /debug/pprof is added to PublicPrefixes in cmd/arc/main.go. The auth middleware short-circuits before the token check on prefix match, so the endpoints are reachable without any authentication.

Impact

Any network-reachable caller (no token required) can:
  • Fetch /debug/pprof/heap — leaks in-memory state: live SQL strings, decoded msgpack records, decompressed request bodies, cached *TokenInfo (the auth cache keys on SHA-256 of the plaintext token at auth.go:543).
  • Fetch /debug/pprof/goroutine?debug=2 — leaks call stacks, identifying internal code paths.
  • Fetch /debug/pprof/profile?seconds=N — pins a CPU core for arbitrary duration. Trivial DoS amplification (one short HTTP request → minutes of server CPU).
  • Fetch /debug/pprof/trace — long-duration execution trace, similar DoS profile.
No authentication, no rate limiting, no resource bound on the seconds parameter.

Patches

Planned mitigation:
  1. Gate pprof registration behind an env var (ARC_DEBUG_PPROF=1) that defaults to off.
  2. When enabled, bind pprof to a separate localhost-only listener (127.0.0.1:6060 via dedicated net/http server) so it's never reachable from the public API port.
  3. Remove /debug/pprof from PublicPrefixes.
  4. Fix the HasPrefix bug where "/debug/pprofX" matches "/debug/pprof".
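The four mitigation steps above, worked through as an added example in plain net/http. This is not Arc's code: Arc mounts pprof through its router with app.Use(pprof.New()), and the function names here (isPublicFixed, authMiddleware, pprofEnabled, newPprofMux), the env var spelling ARC_DEBUG_PPROF and the API port :8000 are assumptions; 127.0.0.1:6060 is the listener the advisory names. It also goes one step beyond the list and caps the ?seconds= parameter, since the Impact section notes there is no resource bound on it.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"net/http/pprof"
	"os"
	"strconv"
	"strings"
)

// isPublicBuggy is the prefix check the advisory describes: a bare
// strings.HasPrefix lets "/debug/pprofX" satisfy the "/debug/pprof" prefix.
func isPublicBuggy(path string, prefixes []string) bool {
	for _, p := range prefixes {
		if strings.HasPrefix(path, p) {
			return true
		}
	}
	return false
}

// isPublicFixed matches only on a path-segment boundary: the prefix must be
// the whole path or be followed by "/".
func isPublicFixed(path string, prefixes []string) bool {
	for _, p := range prefixes {
		p = strings.TrimSuffix(p, "/")
		if path == p || strings.HasPrefix(path, p+"/") {
			return true
		}
	}
	return false
}

// authMiddleware short-circuits only for public prefixes; every other path
// needs the bearer token. With /debug/pprof absent from publicPrefixes, the
// pprof paths fall through to the token check like any other route.
func authMiddleware(publicPrefixes []string, validToken string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !isPublicFixed(r.URL.Path, publicPrefixes) &&
			r.Header.Get("Authorization") != "Bearer "+validToken {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// pprofEnabled is the env-var gate (assumed name); anything but "1" keeps pprof off.
func pprofEnabled(getenv func(string) string) bool {
	return getenv("ARC_DEBUG_PPROF") == "1"
}

// parseProfileSeconds bounds ?seconds= for /debug/pprof/profile and /trace.
// Empty means the smaller of pprof's own default (30) and max.
func parseProfileSeconds(raw string, max int) (int, error) {
	if raw == "" {
		if max < 30 {
			return max, nil
		}
		return 30, nil
	}
	n, err := strconv.Atoi(raw)
	if err != nil || n <= 0 {
		return 0, fmt.Errorf("seconds must be a positive integer")
	}
	if n > max {
		return 0, fmt.Errorf("seconds may not exceed %d", max)
	}
	return n, nil
}

// boundedHandler rejects over-long requests and rewrites the query with the
// validated value before handing off to the real pprof handler.
func boundedHandler(maxSeconds int, h http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		n, err := parseProfileSeconds(r.URL.Query().Get("seconds"), maxSeconds)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		q := r.URL.Query()
		q.Set("seconds", strconv.Itoa(n))
		r.URL.RawQuery = q.Encode()
		h(w, r)
	}
}

// newPprofMux registers the stdlib pprof handlers on a mux meant for a
// dedicated loopback listener, never the public API mux.
func newPprofMux(maxSeconds int) *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/debug/pprof/", pprof.Index)
	mux.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
	mux.HandleFunc("/debug/pprof/symbol", pprof.Symbol)
	mux.HandleFunc("/debug/pprof/profile", boundedHandler(maxSeconds, pprof.Profile))
	mux.HandleFunc("/debug/pprof/trace", boundedHandler(maxSeconds, pprof.Trace))
	return mux
}

func main() {
	public := []string{"/health"} // /debug/pprof deliberately absent
	api := http.NewServeMux()
	api.HandleFunc("/health", func(w http.ResponseWriter, r *http.Request) { fmt.Fprintln(w, "ok") })
	if pprofEnabled(os.Getenv) {
		go func() { log.Println(http.ListenAndServe("127.0.0.1:6060", newPprofMux(30))) }()
	}
	log.Fatal(http.ListenAndServe(":8000", authMiddleware(public, "example-token", api)))
}
```

The boundary check in isPublicFixed is the part most worth copying: any public-prefix allowlist that uses bare HasPrefix has the same "/healthz-admin matches /health" shape, so fixing it once in the middleware protects every prefix, not just pprof.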

Workarounds

  • Block /debug/pprof* at a reverse proxy / load balancer in front of Arc.
  • Restrict Arc's API port to known-trusted networks via firewall rules.
  • Patch the running build: comment out app.Use(pprof.New()) in internal/api/server.go and rebuild.

Credits

Reported by Alex Manson (@NeuroWinter, https://neurowinter.com/) on 2026-05-19.

Fix

Weakness Enumeration

Missing Authentication
Information Disclosure
Resource Exhaustion

Related Identifiers

CVE-2026-48050
GHSA-J93G-RP6M-J32M

Affected Products

Github.Com/Basekick-Labs/Arc