Cyber Posture

CVE-2025-60021

Critical

Published: 16 January 2026

Published
16 January 2026
Modified
21 January 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0027 50.6th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Remote command injection vulnerability in heap profiler builtin service in Apache bRPC ((all versions < 1.15.0)) on all platforms allows attacker to inject remote command. Root Cause: The bRPC heap profiler built-in service (/pprof/heap) does not validate the user-provided extra_options…

more

parameter and executes it as a command-line argument. Attackers can execute remote commands using the extra_options parameter.. Affected scenarios: Use the built-in bRPC heap profiler service to perform jemalloc memory profiling. How to Fix: we provide two methods, you can choose one of them: 1. Upgrade bRPC to version 1.15.0. 2. Apply this patch ( https://github.com/apache/brpc/pull/3101 ) manually.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly addresses the root cause by requiring validation of the user-provided extra_options parameter to prevent its execution as a malicious command-line argument.

SI-2 Flaw Remediation good match
prevent

Mandates timely flaw remediation through patching or upgrading bRPC to version 1.15.0, eliminating the command injection vulnerability.

CM-7 Least Functionality partial match
prevent

Reduces attack surface by configuring the system to disable or restrict the non-essential heap profiler service (/pprof/heap) when not required for jemalloc profiling.

Security SummaryAI

CVE-2025-60021 is a remote command injection vulnerability (CWE-77) in the heap profiler built-in service of Apache bRPC, affecting all versions prior to 1.15.0 across all platforms. The root cause lies in the /pprof/heap endpoint, which fails to validate the user-provided extra_options parameter and instead executes it directly as a command-line argument during jemalloc memory profiling operations.

An unauthenticated remote attacker with network access to the vulnerable service can exploit this issue by crafting a malicious request to /pprof/heap, enabling arbitrary command execution on the target system. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its critical severity and potential for high-impact compromise of confidentiality, integrity, and availability.

Apache advisories recommend upgrading to bRPC version 1.15.0 or manually applying the patch from https://github.com/apache/brpc/pull/3101 as primary mitigations. Additional details appear in the Apache mailing list announcement at https://lists.apache.org/thread/xy51d2fx6drzhfp92xptsx5845q7b37m and the OSS-Security posting at http://www.openwall.com/lists/oss-security/2026/01/16/4.

Details

CWE(s)
CWE-77

Affected Products

apache
brpc
1.11.0 — 1.15.0

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
attack.mitre.org →
Why these techniques?

Remote unauthenticated command injection in a public-facing HTTP endpoint (/pprof/heap) enables exploitation of public-facing applications (T1190) and arbitrary command execution via command interpreters (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References