Skip to main content

Github CVE-2025-60021

CRITICAL
Command Injection (CWE-77)
2026-01-16 security@apache.org
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
CVE Published
Jan 16, 2026 - 09:16 nvd
CRITICAL 9.8

DescriptionCVE.org

Remote command injection vulnerability in heap profiler builtin service in Apache bRPC ((all versions < 1.15.0)) on all platforms allows attacker to inject remote command.

Root Cause: The bRPC heap profiler built-in service (/pprof/heap) does not validate the user-provided extra_options parameter and executes it as a command-line argument. Attackers can execute remote commands using the extra_options parameter..

Affected scenarios: Use the built-in bRPC heap profiler service to perform jemalloc memory profiling.

How to Fix: we provide two methods, you can choose one of them:

  1. Upgrade bRPC to version 1.15.0.
  2. Apply this patch ( https://github.com/apache/brpc/pull/3101 ) manually.

AnalysisAI

Apache bRPC versions before 1.15.0 contain a remote command injection vulnerability in the heap profiler built-in service, allowing attackers to execute arbitrary OS commands.

Technical ContextAI

The built-in heap profiler service in Apache bRPC (all versions < 1.15.0) processes user input without proper sanitization (CWE-77), allowing injection of arbitrary OS commands through the profiling interface.

RemediationAI

Upgrade to Apache bRPC 1.15.0 or later. Disable built-in profiling services in production. Restrict access to debug endpoints.

More in Github

View all
CVE-2026-1699 CRITICAL POC
10.0 Jan 30

Supply chain vulnerability in Eclipse Theia GitHub Actions workflow. The preview.yml workflow uses pull_request_target w

CVE-2026-27941 CRITICAL POC
9.9 Feb 26

Supply chain attack vector in OpenLIT GitHub Actions workflows. The pull_request_target trigger with checkout enables ma

CVE-2026-22869 CRITICAL POC
9.8 Jan 13

Eigent multi-agent workflow CI pipeline (ci.yml) uses pull_request_target with checkout of untrusted PR code, enabling a

CVE-2026-28215 CRITICAL POC
9.1 Feb 26

Unauthenticated infrastructure overwrite in Hoppscotch API development ecosystem before 2026.2.0. Attackers can overwrit

CVE-2018-1000600 HIGH POC
8.8 Jun 26

A exposure of sensitive information vulnerability exists in Jenkins GitHub Plugin 1.29.1 and earlier in GitHubTokenCrede

CVE-2026-30920 HIGH POC
8.6 Mar 10

OneUptime versions prior to 10.0.19 allow unauthenticated attackers to hijack GitHub App integrations across projects by

CVE-2026-25221 HIGH POC
8.1 Feb 02

PolarLearn versions 0-PRERELEASE-15 and earlier lack proper state parameter validation in OAuth 2.0 authentication, enab

CVE-2026-23644 HIGH POC
7.5 Jan 18

Path traversal in esm.sh CDN prior to version 0.0.0-20260116051925-c62ab83c589e allows unauthenticated remote attackers

CVE-2025-68619 HIGH POC
7.2 Jan 01

Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 of the appstore i

CVE-2026-27943 MEDIUM POC
6.5 Feb 26

Authenticated users in OpenEMR through version 8.0.0 can access and modify eye exam records belonging to other patients

CVE-2026-23889 MEDIUM POC
6.5 Jan 26

Path traversal in pnpm's tarball extraction on Windows allows attackers to write files outside the intended package dire

CVE-2026-27612 MEDIUM POC
6.1 Feb 25

Reflected XSS in Repostat's RepoCard React component prior to version 1.0.1 allows attackers to execute arbitrary JavaSc

Share

CVE-2025-60021 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy