Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
7DescriptionGitHub Advisory
Summary
Dgraph v25.3.2 still exposes the process command line through the unauthenticated /debug/vars endpoint on Alpha. Because the admin token is commonly supplied via the --security "token=..." startup flag, an unauthenticated attacker can retrieve that token and replay it in the X-Dgraph-AuthToken header to access admin-only endpoints.
This is a variant of the previously fixed /debug/pprof/cmdline issue, but the current fix is incomplete because it blocks only /debug/pprof/cmdline and still serves http.DefaultServeMux, which includes expvar's /debug/vars handler.
Details
Alpha still exposes Go's default HTTP mux:
x/metrics.go- imports
expvar - initializes
Conf = expvar.NewMap("dgraph_config") - Go's
expvarpackage automatically registers/debug/vars expvarpublishes:cmdline = os.Argsmemstats = runtime.Memstats
Alpha's HTTP handler explicitly blocks only the old CVE path:
dgraph/cmd/alpha/run.go- checks
if r.URL.Path == "/debug/pprof/cmdline"and returns404 - otherwise falls through to
http.DefaultServeMux.ServeHTTP(w, r)
Admin endpoints still trust the leaked token:
dgraph/cmd/alpha/admin.go- reads
X-Dgraph-AuthToken - compares it to
worker.Config.AuthToken
PoC
- Send an unauthenticated request to Alpha:
GET /debug/vars HTTP/1.1
Host: target:8080- Parse the JSON response and read the
cmdlinefield. - Extract the admin token from the startup arguments, for example:
--security token=debug-vars-secret;- Replay the token to an admin-only endpoint:
GET /admin/config/cache_mb HTTP/1.1
Host: target:8080
X-Dgraph-AuthToken: debug-vars-secret- The request is accepted as an authorized admin request.
This was reproduced against dgraph/dgraph:v25.3.2 in Docker.
Observed behavior:
- unauthenticated
/debug/varsleaked the configured token - replaying the leaked token in
X-Dgraph-AuthTokensuccessfully accessed/admin/config/cache_mb - response body was:
4096It was verified that the old CVE path appears specifically patched in the same version:
/debug/pprof/cmdlinereturned404 Not Found/debug/pprof/remained reachable
Impact
Unauthenticated attackers can obtain the Alpha admin token and gain unauthorized administrative access.
This enables privileged admin operations such as:
- reading privileged admin configuration
- mutating admin configuration
- performing operational control actions gated by
X-Dgraph-AuthToken
In deployments where the Alpha HTTP port is reachable by untrusted parties, this is a practical authentication bypass to admin functionality.
AnalysisAI
Unauthenticated attackers can steal admin tokens from Dgraph Alpha v25.3.2 and earlier via the exposed /debug/vars endpoint, enabling complete authentication bypass to administrative functions. The vulnerability exists because Dgraph incompletely fixed a previous cmdline exposure issue-blocking only /debug/pprof/cmdline while still serving Go's expvar handler at /debug/vars, which publishes the full command-line arguments including --security token= flags. Attackers can retrieve the token remotely without authentication (CVSS AV:N/PR:N) and replay it in X-Dgraph-AuthToken headers to access admin-only endpoints. Vendor patch released in v25.3.3 per GitHub advisory GHSA-vvf7-6rmr-m29q. No public exploit identified at time of analysis, but detailed proof-of-concept steps are published in the advisory.
Technical ContextAI
Dgraph is a distributed graph database written in Go. The vulnerability stems from incomplete remediation of a previous information disclosure issue. Dgraph's Alpha component (the data-serving node) imports Go's expvar package for metrics collection, which automatically registers the /debug/vars HTTP handler on the default ServeMux. This handler exposes runtime diagnostics including os.Args (command-line arguments) in JSON format. While developers blocked the previously exploited /debug/pprof/cmdline path with a hardcoded 404 check, they continued serving http.DefaultServeMux for all other paths, leaving expvar's /debug/vars endpoint exposed. The root cause falls under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) because the application leaks authentication credentials through a debug interface. Affected CPE identifiers include pkg:go/github.com_dgraph-io_dgraph across v24.x and v25.x branches. The authentication mechanism in dgraph/cmd/alpha/admin.go validates admin requests by comparing the X-Dgraph-AuthToken header against worker.Config.AuthToken, which is typically set via the --security token= startup flag-the same flag exposed in /debug/vars.
RemediationAI
Upgrade immediately to Dgraph v25.3.3 released at https://github.com/dgraph-io/dgraph/releases/tag/v25.3.3, which addresses the /debug/vars exposure. For deployments that cannot immediately upgrade, implement these compensating controls in order of effectiveness: (1) Configure admin tokens via environment variables or configuration files instead of command-line flags to prevent leakage through cmdline exposure-note this requires application restart and deployment automation changes. (2) Block external access to all /debug/* paths at the network perimeter (firewall, reverse proxy, ingress controller) using path-based filtering rules-this prevents token leakage but does not fix the underlying exposure and may impact legitimate debugging workflows. (3) Restrict Alpha HTTP port (default 8080) to trusted internal networks only via firewall rules-this reduces attack surface but breaks any legitimate external API access. (4) Deploy Alpha nodes behind authentication-enforcing reverse proxies that strip /debug/* requests before reaching Dgraph-adds architectural complexity and latency. Each workaround trades operational convenience or functionality for security. Only the vendor patch (v25.3.3) comprehensively resolves the issue. Verify remediation by confirming GET /debug/vars returns 404 or 403 after upgrade.
An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac
Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post
Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build
Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l
Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2
An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve
Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25599
GHSA-vvf7-6rmr-m29q