PT-2026-50978 · Go · Github.Com/Tilt-Dev/Tilt
Published
2026-06-19
·
Updated
2026-06-19
·
CVE-2026-55882
CVSS v4.0
8.3
High
| Vector | AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N |
Summary
The Tilt HUD server mounts Go's
net/http/pprof handlers under /debug with no access control. When the HUD is network-exposed, an attacker can read process memory — including session and apiserver tokens — and hold the process under profiling.Details
A blank import of
net/http/pprof registers its handlers on http.DefaultServeMux, which the HUD controller mounts under /debug on both the web router and the apiserver listener. /debug/pprof/heap and /goroutine expose process memory, including the session token (also issued in the Tilt-Token cookie) and the apiserver loopback bearer token; /profile and /trace let a caller sample the process for an arbitrary duration.Impact
An unauthenticated caller who can reach the listener can extract process memory — including the session and apiserver tokens — and degrade performance by holding the process under CPU profiling or tracing. The leaked tokens compound the missing-authentication finding on the same server.
Conditions for exploitation
- Affected version in
>= 0.19.5, <= 0.37.3. - HUD (or apiserver) listener bound to a non-loopback address (
tilt up --host 0.0.0.0, orTILT HOSTset). - Network reachability to the listener (default port
10350).
Not affected
- The default loopback-only bind is not reachable from the network.
Workarounds
Use the default loopback bind (omit
--host, unset TILT HOST) so /debug is not remotely reachable. No complete workaround short of upgrading for non-loopback deployments.Fix
Information Disclosure
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Github.Com/Tilt-Dev/Tilt