Basekick Labs Arc CVE-2026-48050
HIGHSeverity by source
Remote, unauthenticated HTTP request against default config (AV:N/AC:L/PR:N/UI:N); heap leaks sensitive runtime state (C:H), no integrity impact (I:N), CPU-pinning profile endpoint enables DoS (A:H).
Lifecycle Timeline
2DescriptionCVE.org
Summary
Arc registers Go's net/http/pprof handlers at /debug/pprof/* via app.Use(pprof.New()) in internal/api/server.go, and /debug/pprof is added to PublicPrefixes in cmd/arc/main.go. The auth middleware short-circuits before the token check on prefix match, so the endpoints are reachable without any authentication.
Impact
Any network-reachable caller (no token required) can:
- Fetch
/debug/pprof/heap- leaks in-memory state: live SQL strings, decoded msgpack records, decompressed request bodies, cached*TokenInfo(the auth cache keys on SHA-256 of the plaintext token atauth.go:543). - Fetch
/debug/pprof/goroutine?debug=2- leaks call stacks, identifying internal code paths. - Fetch
/debug/pprof/profile?seconds=N- pins a CPU core for arbitrary duration. Trivial DoS amplification (one short HTTP request → minutes of server CPU). - Fetch
/debug/pprof/trace- long-duration execution trace, similar DoS profile.
No authentication, no rate limiting, no resource bound on the seconds parameter.
Patches
https://github.com/Basekick-Labs/arc/releases/tag/v26.06.1
Planned mitigation:
- Gate pprof registration behind an env var (
ARC_DEBUG_PPROF=1) that defaults to off. - When enabled, bind pprof to a separate localhost-only listener (
127.0.0.1:6060via dedicatednet/httpserver) so it's never reachable from the public API port. - Remove
/debug/pproffromPublicPrefixes. - Fix the
HasPrefixbug where"/debug/pprofX"matches"/debug/pprof".
Workarounds
- Block
/debug/pprof*at a reverse proxy / load balancer in front of Arc. - Restrict Arc's API port to known-trusted networks via firewall rules.
- Patch the running build: comment out
app.Use(pprof.New())ininternal/api/server.goand rebuild.
Credits
Reported by Alex Manson (@NeuroWinter, https://neurowinter.com/) on 2026-05-19.
AnalysisAI
Unauthenticated information disclosure and CPU-exhaustion DoS in Basekick Labs Arc (versions prior to v26.06.1) expose Go's net/http/pprof debug handlers on the public API port without any token check. Remote attackers can fetch heap and goroutine profiles to leak in-memory secrets (live SQL strings, decoded msgpack records, cached *TokenInfo entries) and invoke /debug/pprof/profile?seconds=N to pin a CPU core for arbitrary durations. No public exploit identified at time of analysis, though the vulnerability is trivial to exercise with curl.
Technical ContextAI
Arc is a Go-based data ingestion/query service built on the Fiber HTTP framework. In internal/api/server.go the server unconditionally calls app.Use(pprof.New()), registering the standard Go runtime profiling endpoints (/debug/pprof/heap, /goroutine, /profile, /trace, etc.) on the public Fiber app. In cmd/arc/main.go, the literal string '/debug/pprof' is added to the auth middleware's PublicPrefixes list, and the middleware uses strings.HasPrefix to short-circuit auth - so any request whose path starts with that prefix bypasses the token check. The underlying weakness is CWE-200 (Exposure of Sensitive Information): runtime profiling endpoints designed for trusted-network introspection are exposed to anonymous network callers, and a secondary anchoring bug (HasPrefix would also match '/debug/pprofX') broadens the auth-bypass surface. CPE coverage is pkg:go/github.com_basekick-labs_arc.
RemediationAI
Vendor-released patch: upgrade to Arc v26.06.1 or the equivalent Go pseudo-version 0.0.0-20260520170331-32a4091fb949, which removes pprof from the public Fiber app, gates it behind ARC_DEBUG_PPROF=1, binds it to 127.0.0.1:6060 by default, requires a second opt-in (ARC_DEBUG_PPROF_ALLOW_NON_LOOPBACK=1) for non-loopback exposure, and anchors the PublicPrefixes matcher with path.Clean normalisation (see commit 32a4091fb949f9cf060cdd804a07f6450dc426a8 and https://github.com/Basekick-Labs/arc/releases/tag/v26.06.1). If immediate upgrade is not possible, block /debug/pprof* at a reverse proxy or load balancer in front of Arc (side effect: also blocks legitimate operator pprof use), restrict the Arc API port to known-trusted networks via firewall rules (side effect: may break public clients of the intended API surface), or rebuild from source with app.Use(pprof.New()) in internal/api/server.go commented out (side effect: requires custom build pipeline and loses pprof entirely until upgrade).
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-j93g-rp6m-j32m