CVE-2026-55882
HIGHSeverity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:N and PR:N since unauthenticated over the network, but AC:H because exploitation depends on a non-default non-loopback bind; C:H for token leak, A:L for profiling slowdown, I:N.
Primary rating from Vendor (https://github.com/tilt-dev/tilt).
CVSS VectorVendor: https://github.com/tilt-dev/tilt
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
Summary
The Tilt HUD server mounts Go's net/http/pprof handlers under /debug with no access control. When the HUD is network-exposed, an attacker can read process memory - including session and apiserver tokens - and hold the process under profiling.
Details
A blank import of net/http/pprof registers its handlers on http.DefaultServeMux, which the HUD controller mounts under /debug on both the web router and the apiserver listener. /debug/pprof/heap and /goroutine expose process memory, including the session token (also issued in the Tilt-Token cookie) and the apiserver loopback bearer token; /profile and /trace let a caller sample the process for an arbitrary duration.
Impact
An unauthenticated caller who can reach the listener can extract process memory - including the session and apiserver tokens - and degrade performance by holding the process under CPU profiling or tracing. The leaked tokens compound the missing-authentication finding on the same server.
Conditions for exploitation
- Affected version in
>= 0.19.5, <= 0.37.3. - HUD (or apiserver) listener bound to a non-loopback address (
tilt up --host 0.0.0.0, orTILT_HOSTset). - Network reachability to the listener (default port
10350).
Not affected
- The default loopback-only bind is not reachable from the network.
Workarounds
Use the default loopback bind (omit --host, unset TILT_HOST) so /debug is not remotely reachable. No complete workaround short of upgrading for non-loopback deployments.
AnalysisAI
Sensitive information disclosure in the Tilt HUD server (Go package github.com/tilt-dev/tilt, versions >= 0.19.5 through <= 0.37.3) lets an unauthenticated network caller read live process memory via unprotected net/http/pprof endpoints mounted under /debug, harvesting the session token (Tilt-Token cookie) and the apiserver loopback bearer token, and hold the process under CPU profiling or tracing to degrade performance. Exploitation requires the HUD or apiserver listener to be bound to a non-loopback address (tilt up --host 0.0.0.0 or TILT_HOST set); the default loopback-only bind is not remotely reachable. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Recommended ActionAI
Within 24 hours: Audit all Tilt deployments with 'tilt config' or check TILT_HOST environment variable for non-loopback bindings (0.0.0.0, etc.); immediately bind HUD/apiserver listeners to loopback (127.0.0.1 default) if bound to non-loopback. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-p749-9w62-w533