Critical flaw in Apache bRPC exposes debug endpoint
Security researchers at CyberArk Labs have identified a critical command injection vulnerability in Apache bRPC that could allow unauthenticated remote code execution through an exposed profiling endpoint.
The flaw affects the /pprof/heap HTTP endpoint in Apache bRPC, a C++ library used to build backend services that communicate over Remote Procedure Call. Apache assigned the issue CVE-2025-60021 and a CVSS score of 9.8.
CyberArk attributed the research to Simcha Kosman, a Senior Cyber Researcher at CyberArk Labs. The company said the issue surfaced during analysis of diagnostic and debugging surfaces inside the framework.
Profiler exposure
Apache bRPC includes built-in HTTP debugging and profiling endpoints that engineers use to troubleshoot production services. These endpoints commonly sit under the /pprof/* path and can return diagnostic data such as CPU samples, heap snapshots, and runtime statistics.
Teams often expect profiling endpoints to sit behind internal networks or administrative access controls. CyberArk said misconfiguration can still expose them to the public internet. It also said internal exposure can create risk if an attacker gains a foothold in an environment or if a malicious insider abuses access.
CyberArk cited scan data from Shodan, which it said reported 181 publicly reachable /pprof/heap endpoints and 790 publicly reachable /pprof/* endpoints overall. The company said the figures do not confirm how many of those systems run Apache bRPC. It said the numbers indicate that profiling endpoints appear on the open internet.
Command injection
The vulnerability stems from how the heap profiler handled a user-controlled parameter named extra_options. CyberArk said that, prior to version 1.15.0, the heap profiler appended unvalidated extra_options input directly to a command string.
The heap profiling endpoint uses a command invocation to generate profiling output. CyberArk said shell special characters in the unvalidated input could alter the executed command. That behaviour could result in command injection.
The company said an attacker could reach remote code execution whenever the /pprof/heap endpoint was reachable. It said exploitation would run with the privileges of the Apache bRPC process.
CyberArk provided an example of how injected input could look in a request string: /pprof/heap?display=text&extra_options=;touch${IFS}/tmp/new_file.
Scope and impact
CyberArk said all versions earlier than Apache bRPC 1.15.0 were affected. It said the vulnerable behaviour appeared in the heap profiler component and involved appending user input to a command string.
The company said bRPC services often run in privileged backend environments. It said successful exploitation could lead to full service compromise in those environments.
Fix and mitigations
Apache addressed the issue in Apache bRPC 1.15.0. CyberArk said the fix restricts the extra_options parameter to an allowlist of supported jeprof options. It said this change prevents untrusted input from being incorporated into an executed command.
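The following C++ snippet is an added illustration, not code from Apache bRPC or from CyberArk, of the two behaviours the article contrasts: appending the extra_options parameter straight into a command string, and accepting it only when every token matches an allowlist of known profiler flags. The function names, the jeprof flags in the allowlist, and the sample inputs are assumptions chosen for the example; the request string from the article is reused to show the validator rejecting it.

```cpp
// Added example (not bRPC's own code). Shows why concatenating an untrusted
// HTTP parameter into a shell command is dangerous and how an allowlist
// check removes that path. Names and the allowlist contents are assumptions.
#include <set>
#include <sstream>
#include <string>
#include <vector>
#include <iostream>

// Illustrative allowlist of jeprof flags. This is NOT the project's actual
// list; a real implementation takes it from the profiler's documented options.
static const std::set<std::string> kAllowedJeprofOptions = {
    "--text",        "--inuse_space",  "--inuse_objects",
    "--alloc_space", "--alloc_objects", "--show_bytes",
};

// Vulnerable pattern (the pre-1.15.0 behaviour the article describes): the
// raw parameter becomes part of the command line, so a ';' or similar shell
// metacharacter inside it changes what the shell runs. heap_file is assumed
// to be a server-generated path, never user input.
std::string BuildCommandUnsafe(const std::string& jeprof_path,
                               const std::string& heap_file,
                               const std::string& extra_options) {
    return jeprof_path + " " + extra_options + " " + heap_file;
}

// Hardened pattern: split on whitespace and require every token to be an
// exact allowlist entry. A single unknown token rejects the whole value, so
// nothing the client typed ever reaches the command string verbatim.
bool ValidateExtraOptions(const std::string& extra_options,
                          std::vector<std::string>* accepted) {
    std::istringstream in(extra_options);
    std::string token;
    std::vector<std::string> out;
    while (in >> token) {
        if (kAllowedJeprofOptions.count(token) == 0) {
            return false;  // not a known flag: reject, do not sanitise
        }
        out.push_back(token);
    }
    if (accepted != nullptr) {
        *accepted = out;
    }
    return true;
}

// Returns an empty string on rejection so a caller has no command to run.
std::string BuildCommandSafe(const std::string& jeprof_path,
                             const std::string& heap_file,
                             const std::string& extra_options) {
    std::vector<std::string> opts;
    if (!ValidateExtraOptions(extra_options, &opts)) {
        return "";
    }
    std::string cmd = jeprof_path;
    for (const auto& o : opts) {
        cmd += " " + o;
    }
    return cmd + " " + heap_file;
}

int main() {
    // Constructed inputs: a benign flag and the request value quoted in the
    // article (the part after "extra_options=").
    const std::string benign = "--text";
    const std::string hostile = ";touch${IFS}/tmp/new_file";

    std::cout << "unsafe, benign : " << BuildCommandUnsafe("jeprof", "/tmp/heap.prof", benign) << "\n";
    std::cout << "unsafe, hostile: " << BuildCommandUnsafe("jeprof", "/tmp/heap.prof", hostile) << "\n";
    std::cout << "safe,   benign : " << BuildCommandSafe("jeprof", "/tmp/heap.prof", benign) << "\n";
    std::cout << "safe,   hostile: [" << BuildCommandSafe("jeprof", "/tmp/heap.prof", hostile) << "]\n";
    return 0;
}
```

The allowlist reproduces the approach the article attributes to the 1.15.0 fix. A further hardening, independent of the allowlist, is to pass the accepted tokens to the profiler as separate argv entries through an exec-style API rather than through a shell, so that metacharacters have no interpreter to reach even if the list is later extended.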
CyberArk said users should upgrade to Apache bRPC 1.15.0. It also referenced a change identified as PR #3101 for cases where organisations cannot upgrade immediately.
The company also recommended limiting access to /pprof/* endpoints. It said teams should treat them as admin-only and restrict them by network, bind services to localhost, or require authentication at a reverse proxy. It also suggested disabling heap profiling endpoints in production unless needed.
AI triage
CyberArk said it found the issue using a tool it calls Vulnhalla. The company described Vulnhalla as an internal AI tool that assists with triaging CodeQL results using a large language model.
The company said Vulnhalla flagged the issue as vulnerable and prompted a manual review that confirmed the finding.
"The CyberArk Labs team have identified Apache bRPC users are exposed to a critical command injection flaw in the /pprof/heap endpoint (CVE-2025-60021, CVSS 9.8) that enables unauthenticated remote code execution whenever this profiler is reachable," said Simcha Kosman, Senior Cyber Researcher, CyberArk Labs.
Apache bRPC users running versions prior to 1.15.0 will need to review whether profiling endpoints are exposed and assess upgrades and access controls accordingly.