Verified reproduction
CVE-2025-60021: Apache bRPC: Remote Command Injection in Heap Profiler
CVE-2025-60021 is verified against brpc · cpp affected versions: 1.11.0 to <1.15.0 fixed version: 1.15.0 vulnerability class: Command Injection This high reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00072.
Severity HIGH
Confidence HIGH
Reproduced in 47m 53s
Tool calls 503
Affected 1.11.0 to <1.15.0
Fixed in 1.15.0
$
pruva-verify REPRO-2026-00072 or
curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00072/artifacts/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh Run in a VM or disposable container. This exploits a real vulnerability.
Remote command injection in heap profiler endpoint via unsanitized extra_options parameter in Apache bRPC.
# Root Cause Analysis - CVE-2025-60021 ## Summary Apache bRPC versions 1.11.0 through 1.14.x allow remote command injection via the built-in `/pprof/heap` endpoint when jemalloc profiling is enabled. The handler concatenates the user-controlled `extra_options` query parameter directly into a shell command used to invoke `jeprof`, and the command is executed through `popen`, allowing shell metacharacters to execute arbitrary commands. ## Impact - **Component:** `src/brpc/details/jemalloc_profiler.cpp` (jemalloc heap profiler endpoint `/pprof/heap`) - **Affected versions:** 1.11.0 to <1.15.0 - **Risk level:** Important — remote command execution as the service user, enabling data exfiltration and lateral movement. ## Root Cause The heap profiler handler builds a command line for `jeprof` and appends the `extra_options` query parameter without validation: - Vulnerable code (1.14.1): `cmd_str += " --" + *uri_extra_options + " ";` - The command is executed via `butil::read_command_output`, which uses `popen()` (`/bin/sh -c`), so shell metacharacters in `extra_options` are interpreted. The fix in 1.15.0 introduces a whitelist of allowed `extra_options` values and ignores unsupported inputs, preventing shell metacharacter injection. See PR https://github.com/apache/brpc/pull/3101. ## Reproduction Steps 1. Run `repro/reproduction_steps.sh`. 2. The script builds bRPC 1.14.1 and 1.15.0, starts the echo server with jemalloc profiling enabled, then issues crafted `/pprof/heap` requests. 3. Expected evidence: `uid=...` appears in `logs/vuln_response.txt` for 1.14.1 and is absent in `logs/fixed_response.txt` for 1.15.0. ## Evidence - Vulnerable response (1.14.1): `logs/vuln_response.txt` - `uid=0(root) gid=0(root) groups=0(root)` (line 82) - Fixed response (1.15.0): `logs/fixed_response.txt` - No `uid=` output present. - Build and runtime logs: - `logs/echo_server_vuln.log` - `logs/echo_server_fixed.log` Environment details: - Ubuntu with system dependencies installed via `apt-get`. - jemalloc enabled via `MALLOC_CONF=prof:true` and `LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so.2`. ## Recommendations / Next Steps - Upgrade to bRPC 1.15.0 or apply the whitelist patch from PR #3101. - Consider avoiding shell execution entirely (pass arguments directly to `execve` without shell) for any future tooling. - Add regression tests for `/pprof/heap` to ensure only approved options are accepted. ## Additional Notes - Idempotency verified: `repro/reproduction_steps.sh` executed twice successfully. - The exploit only applies when jemalloc profiling is enabled and `/pprof/heap` is reachable.
The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.
Loading session...
Scripts, logs, diffs, and output captured during the reproduction.
No artifacts available