REPRO-2026-00072 HIGH Command Injection Verified

Apache bRPC: Remote Command Injection in Heap Profiler

brpc (cpp) Jan 21, 2026

Confidence HIGH

Reproduced in 47m 53s

Tool calls 503

Affected 1.11.0 to <1.15.0

Fixed in 1.15.0

What's the vulnerability?

Remote command injection in heap profiler endpoint via unsanitized extra_options parameter in Apache bRPC.

One Command

Run the Pruva CLI to automatically fetch and execute the reproduction script.

pruva-verify REPRO-2026-00072

or pruva-verify CVE-2025-60021

Install: curl -fsSL https://pruva.dev/install.sh | sh

curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00072/artifacts/repro/reproduction_steps.sh

chmod +x reproduction_steps.sh

./reproduction_steps.sh

Run in a VM, container, or disposable environment. This exploits a real vulnerability.

Watch the AI agent's step-by-step process.

Loading session...