Vulnerability Details CVE-2025-60021
Remote command injection vulnerability in heap profiler builtin service in Apache bRPC ((all versions < 1.15.0)) on all platforms allows attacker to inject remote command.
Root Cause: The bRPC heap profiler built-in service (/pprof/heap) does not validate the user-provided extra_options parameter and executes it as a command-line argument. Attackers can execute remote commands using the extra_options parameter..
Affected scenarios: Use the built-in bRPC heap profiler service to perform jemalloc memory profiling.
How to Fix: we provide two methods, you can choose one of them:
1. Upgrade bRPC to version 1.15.0.
2. Apply this patch ( https://github.com/apache/brpc/pull/3101 ) manually.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.004
EPSS Ranking 59.5%
CVSS Severity
CVSS v3 Score 9.8
References
Products affected by CVE-2025-60021
-
cpe:2.3:a:apache:brpc:1.11.0
-
cpe:2.3:a:apache:brpc:1.12.0
-
cpe:2.3:a:apache:brpc:1.12.1
-
cpe:2.3:a:apache:brpc:1.13.0
-
cpe:2.3:a:apache:brpc:1.14.0
-
cpe:2.3:a:apache:brpc:1.14.1