Skip to main content

Basekick Labs Arc CVE-2026-48050

HIGH
Information Exposure (CWE-200)
2026-06-11 https://github.com/Basekick-Labs/arc GHSA-j93g-rp6m-j32m
Share

Severity by source

vuln.today AI
9.1 CRITICAL

Remote, unauthenticated HTTP request against default config (AV:N/AC:L/PR:N/UI:N); heap leaks sensitive runtime state (C:H), no integrity impact (I:N), CPU-pinning profile endpoint enables DoS (A:H).

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 11, 2026 - 17:30 vuln.today
Analysis Generated
Jun 11, 2026 - 17:30 vuln.today

DescriptionCVE.org

Summary

Arc registers Go's net/http/pprof handlers at /debug/pprof/* via app.Use(pprof.New()) in internal/api/server.go, and /debug/pprof is added to PublicPrefixes in cmd/arc/main.go. The auth middleware short-circuits before the token check on prefix match, so the endpoints are reachable without any authentication.

Impact

Any network-reachable caller (no token required) can:

  • Fetch /debug/pprof/heap - leaks in-memory state: live SQL strings, decoded msgpack records, decompressed request bodies, cached *TokenInfo (the auth cache keys on SHA-256 of the plaintext token at auth.go:543).
  • Fetch /debug/pprof/goroutine?debug=2 - leaks call stacks, identifying internal code paths.
  • Fetch /debug/pprof/profile?seconds=N - pins a CPU core for arbitrary duration. Trivial DoS amplification (one short HTTP request → minutes of server CPU).
  • Fetch /debug/pprof/trace - long-duration execution trace, similar DoS profile.

No authentication, no rate limiting, no resource bound on the seconds parameter.

Patches

https://github.com/Basekick-Labs/arc/releases/tag/v26.06.1

Planned mitigation:

  1. Gate pprof registration behind an env var (ARC_DEBUG_PPROF=1) that defaults to off.
  2. When enabled, bind pprof to a separate localhost-only listener (127.0.0.1:6060 via dedicated net/http server) so it's never reachable from the public API port.
  3. Remove /debug/pprof from PublicPrefixes.
  4. Fix the HasPrefix bug where "/debug/pprofX" matches "/debug/pprof".

Workarounds

  • Block /debug/pprof* at a reverse proxy / load balancer in front of Arc.
  • Restrict Arc's API port to known-trusted networks via firewall rules.
  • Patch the running build: comment out app.Use(pprof.New()) in internal/api/server.go and rebuild.

Credits

Reported by Alex Manson (@NeuroWinter, https://neurowinter.com/) on 2026-05-19.

AnalysisAI

Unauthenticated information disclosure and CPU-exhaustion DoS in Basekick Labs Arc (versions prior to v26.06.1) expose Go's net/http/pprof debug handlers on the public API port without any token check. Remote attackers can fetch heap and goroutine profiles to leak in-memory secrets (live SQL strings, decoded msgpack records, cached *TokenInfo entries) and invoke /debug/pprof/profile?seconds=N to pin a CPU core for arbitrary durations. No public exploit identified at time of analysis, though the vulnerability is trivial to exercise with curl.

Technical ContextAI

Arc is a Go-based data ingestion/query service built on the Fiber HTTP framework. In internal/api/server.go the server unconditionally calls app.Use(pprof.New()), registering the standard Go runtime profiling endpoints (/debug/pprof/heap, /goroutine, /profile, /trace, etc.) on the public Fiber app. In cmd/arc/main.go, the literal string '/debug/pprof' is added to the auth middleware's PublicPrefixes list, and the middleware uses strings.HasPrefix to short-circuit auth - so any request whose path starts with that prefix bypasses the token check. The underlying weakness is CWE-200 (Exposure of Sensitive Information): runtime profiling endpoints designed for trusted-network introspection are exposed to anonymous network callers, and a secondary anchoring bug (HasPrefix would also match '/debug/pprofX') broadens the auth-bypass surface. CPE coverage is pkg:go/github.com_basekick-labs_arc.

RemediationAI

Vendor-released patch: upgrade to Arc v26.06.1 or the equivalent Go pseudo-version 0.0.0-20260520170331-32a4091fb949, which removes pprof from the public Fiber app, gates it behind ARC_DEBUG_PPROF=1, binds it to 127.0.0.1:6060 by default, requires a second opt-in (ARC_DEBUG_PPROF_ALLOW_NON_LOOPBACK=1) for non-loopback exposure, and anchors the PublicPrefixes matcher with path.Clean normalisation (see commit 32a4091fb949f9cf060cdd804a07f6450dc426a8 and https://github.com/Basekick-Labs/arc/releases/tag/v26.06.1). If immediate upgrade is not possible, block /debug/pprof* at a reverse proxy or load balancer in front of Arc (side effect: also blocks legitimate operator pprof use), restrict the Arc API port to known-trusted networks via firewall rules (side effect: may break public clients of the intended API surface), or rebuild from source with app.Use(pprof.New()) in internal/api/server.go commented out (side effect: requires custom build pipeline and loses pprof entirely until upgrade).

Share

CVE-2026-48050 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy